Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Debian DSA 376-1: exim buffer overflow

Debian DSA 376-1: exim buffer overflow

by Nikola Strahija on September 4th, 2003 By supplying a specially crafted HELO or EHLO command, an attacker could cause a constant string to be written past the end of a buffer allocated on the heap. This vulnerability is not believed at this time to be exploitable to execute arbitrary code.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 376-1 [email protected]
http://www.debian.org/security/ Matt Zimmerman
September 4th, 2003 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : exim exim-tls
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2003-0743

A buffer overflow exists in exim, which is the standard mail transport
agent in Debian. By supplying a specially crafted HELO or EHLO
command, an attacker could cause a constant string to be written past
the end of a buffer allocated on the heap. This vulnerability is not
believed at this time to be exploitable to execute arbitrary code.

For the stable distribution (woody) this problem has been fixed in
exim version 3.35-1woody1 and exim-tls version 3.35-3woody1.

For the unstable distribution (sid) this problem has been fixed in
exim version 3.36-8. The unstable distribution does not contain an
exim-tls package.

We recommend that you update your exim or exim-tls package.

Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1.dsc
Size/MD5 checksum: 661 34a7faf2980c66aab318512a36a2c656
http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1.diff.gz
Size/MD5 checksum: 79296 0839fd89bd648ee5828e55afe6ce3628
http://security.debian.org/pool/updates/main/e/exim/exim_3.35.orig.tar.gz
Size/MD5 checksum: 1271057 42d362e40a21bd7ffc298f92c8bd986a
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1.dsc
Size/MD5 checksum: 677 efc414eda2eaf3b739c0ff1d0ce1ce08
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1.diff.gz
Size/MD5 checksum: 79663 3b0ffcb9a0c4662ba908f622e6bc6923
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35.orig.tar.gz
Size/MD5 checksum: 1271057 42d362e40a21bd7ffc298f92c8bd986a

Alpha architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1_alpha.deb
Size/MD5 checksum: 872528 0c6303e4ab06e4aef0b65e8be9dd6dea
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody1_alpha.deb
Size/MD5 checksum: 52316 ebc1ae6e92ebd810a4ffd3f7369995f9
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1_alpha.deb
Size/MD5 checksum: 873212 19bba89ff92748d38fc68a667474ed35

ARM architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1_arm.deb
Size/MD5 checksum: 785544 2bd24816a3290cdaa2bdcd52893f738c
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody1_arm.deb
Size/MD5 checksum: 43522 d368467b3e01b7525b06d810ddee91de
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1_arm.deb
Size/MD5 checksum: 783822 4a14319839d9f01dd2be37e047fd6d66

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1_i386.deb
Size/MD5 checksum: 758810 d562e8c0093c8fd1eac2a4b6756b2c74
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody1_i386.deb
Size/MD5 checksum: 39204 eb5b733cbab82e3613368b117c7ccba8
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1_i386.deb
Size/MD5 checksum: 759152 ad293a317eb4ee7bccffff05a425156e

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1_ia64.deb
Size/MD5 checksum: 972460 490ba5d8e041b14de7bab91d25cd8e84
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody1_ia64.deb
Size/MD5 checksum: 65172 151a1cac77506fe862a1d7bd6e800ef4
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1_ia64.deb
Size/MD5 checksum: 973764 ee164461e235691d1ebbd5499535bb23

HP Precision architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1_hppa.deb
Size/MD5 checksum: 814904 e6865edc611c89d9846aabb61fd0a8f6
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody1_hppa.deb
Size/MD5 checksum: 48278 d0a74247177785fc79511b03e855c247
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1_hppa.deb
Size/MD5 checksum: 813986 5b98643ddca3a563c0f35702533abec7

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1_m68k.deb
Size/MD5 checksum: 737612 cdc5648c0a2f0785d9a31f8bed6225cc
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody1_m68k.deb
Size/MD5 checksum: 37762 138c8847fc4586c4fbabe0358427b752
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1_m68k.deb
Size/MD5 checksum: 736502 387d9a32b505ec7f3e8cedad5390095a

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1_mips.deb
Size/MD5 checksum: 824132 16515eef87fbea27dd0269bbfd82b804
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody1_mips.deb
Size/MD5 checksum: 48868 b54faf31be830fc6d88ca91fd92aec15
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1_mips.deb
Size/MD5 checksum: 824072 068d46cc7be1f70e369795eed39a5e2c

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1_mipsel.deb
Size/MD5 checksum: 824350 1e4beb825601c1d6034ed1236a1ddae0
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody1_mipsel.deb
Size/MD5 checksum: 48770 ae84a1825f88b5e12ed94a4050bac66c
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1_mipsel.deb
Size/MD5 checksum: 824764 dc94f41f414b487a5fb242abf1691c71

PowerPC architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1_powerpc.deb
Size/MD5 checksum: 793734 8751038ff5bc501e701568180cf918df
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody1_powerpc.deb
Size/MD5 checksum: 44782 a295cd17f3d6f97d5f41a149c4aafe76
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1_powerpc.deb
Size/MD5 checksum: 792296 a8e7e8d5c05ad550d02ebed47ec98ee8

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1_s390.deb
Size/MD5 checksum: 779618 0f914e0637333149eac25dfb72e1626a
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody1_s390.deb
Size/MD5 checksum: 43928 f88d92626105590087361b2d8042c3f7
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1_s390.deb
Size/MD5 checksum: 778952 a1f2ada573819be4637929c3763a6193

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody1_sparc.deb
Size/MD5 checksum: 784920 0309da1ad933034ebcec4c44e6bad64a
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody1_sparc.deb
Size/MD5 checksum: 42440 d26369a10e324da946baa8d17f401c1c
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody1_sparc.deb
Size/MD5 checksum: 782482 4ae58125f8e4daea23660df37e867c14

These files will probably be moved into the stable distribution on
its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/V8wEArxCt0PiXR4RAhmXAJ0XsYiULkkaee9lMG93+DgRvKtYUACfcn6T
AZKZChaqO0VFoKPvq4Tw0Pg=
=5mFP
-----END PGP SIGNATURE-----


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »