Jeremy Harris [Sun, 16 May 2021 19:22:45 +0000 (20:22 +0100)]
Small config, with:
----Exit nonpool max: 18 kB in 8 blocks
----Exit npools max: 95 kB
----Exit pool 0 max: 12 kB in 2 blocks at order 13 untainted main
----Exit pool 1 max: 4 kB in 1 blocks at order 13 untainted perm
----Exit pool 2 max: 4 kB in 1 blocks at order 13 untainted config
----Exit pool 3 max: 4 kB in 1 blocks at order 13 untainted search
----Exit pool 4 max: 4 kB in 1 blocks at order 13 untainted message
----Exit pool 5 max: 4 kB in 1 blocks at order 13 tainted main
----Exit pool 6 max: 52 kB in 3 blocks at order 15 tainted perm
----Exit pool 7 max: 4 kB in 1 blocks at order 13 tainted config
----Exit pool 8 max: 4 kB in 1 blocks at order 13 tainted search
----Exit pool 9 max: 4 kB in 1 blocks at order 13 tainted message
Small config, without:
----Exit nonpool max: 18 kB in 8 blocks
----Exit npools max: 87 kB
----Exit pool 0 max: 12 kB in 2 blocks at order 13 untainted main
----Exit pool 1 max: 4 kB in 1 blocks at order 13 untainted perm
----Exit pool 2 max: 4 kB in 1 blocks at order 13 untainted search
----Exit pool 3 max: 4 kB in 1 blocks at order 13 untainted message
----Exit pool 4 max: 4 kB in 1 blocks at order 13 tainted main
----Exit pool 5 max: 52 kB in 3 blocks at order 15 tainted perm
----Exit pool 6 max: 4 kB in 1 blocks at order 13 tainted search
----Exit pool 7 max: 4 kB in 1 blocks at order 13 tainted message
Large config, with:
----Exit nonpool max: 17 kB in 30 blocks
----Exit npools max: 309 kB
----Exit pool 0 max: 124 kB in 5 blocks at order 17 untainted main
----Exit pool 1 max: 60 kB in 4 blocks at order 15 untainted perm
----Exit pool 2 max: 298 kB in 2 blocks at order 13 untainted config
----Exit pool 3 max: 12 kB in 2 blocks at order 13 untainted search
----Exit pool 4 max: 4 kB in 1 blocks at order 13 untainted message
----Exit pool 5 max: 60 kB in 4 blocks at order 15 tainted main
----Exit pool 6 max: 52 kB in 3 blocks at order 15 tainted perm
----Exit pool 7 max: 4 kB in 1 blocks at order 13 tainted config
----Exit pool 8 max: 4 kB in 1 blocks at order 13 tainted search
----Exit pool 9 max: 4 kB in 1 blocks at order 13 tainted message
Large config, without:
----Exit nonpool max: 212 kB in 30 blocks
----Exit npools max: 591 kB
----Exit pool 0 max: 508 kB in 7 blocks at order 19 untainted main
----Exit pool 1 max: 12 kB in 2 blocks at order 13 untainted perm
----Exit pool 2 max: 4 kB in 1 blocks at order 13 untainted search
----Exit pool 3 max: 4 kB in 1 blocks at order 13 untainted message
----Exit pool 4 max: 4 kB in 1 blocks at order 13 tainted main
----Exit pool 5 max: 52 kB in 3 blocks at order 15 tainted perm
----Exit pool 6 max: 4 kB in 1 blocks at order 13 tainted search
----Exit pool 7 max: 4 kB in 1 blocks at order 13 tainted message
Jeremy Harris [Fri, 7 May 2021 12:09:12 +0000 (13:09 +0100)]
Suggestion from Qualys:
If I may add one more thing, there is an issue that should be addressed
sooner rather than later: the writable configuration at the beginning of
the heap. A short-term (and hopefully non-intrusive) solution may be to
mmap() the configuration instead, and then mprotect(PROT_READ) it. This
would mitigate the exploitation technique that almost all Exim exploits
have been using.
Do not close the (main)_log, if we do not see a chance to open it again.
The process doing local deliveries runs as an unprivileged user. If this
process needs to log failures or warnings (as caused by the
is_tainting2() function), it can't re-open the main_log and just exits.
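The mmap()-then-mprotect(PROT_READ) idea in the Qualys suggestion above, shown as an added example. This is not Exim's code: the configuration text, the function names (config_install_readonly, config_write_is_blocked, demo_config_protection) and the use of a SIGSEGV/SIGBUS handler to prove the write faults are all my own constructions. It copies a constructed config blob into a private anonymous mapping, drops the mapping to read-only, and then performs the kind of stray write that a heap-corruption exploit would rely on; on a writable heap copy that write would succeed silently, here it faults and the config is unchanged.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for a parsed configuration blob (not a real Exim config). */
static const char sample_config[] =
    "primary_hostname = mail.example.test\n"
    "log_file_path = /var/log/exim/%slog\n";

static sigjmp_buf fault_jmp;
static volatile sig_atomic_t fault_seen;

static void on_fault(int sig) { (void)sig; fault_seen = 1; siglongjmp(fault_jmp, 1); }

/* Copy the configuration into its own page-aligned anonymous mapping and make
   it read-only.  Returns the mapping (NULL on failure); *len gets its size. */
static char *config_install_readonly(const char *cfg, size_t n, size_t *len) {
  long pg = sysconf(_SC_PAGESIZE);
  size_t sz = ((n + 1 + (size_t)pg - 1) / (size_t)pg) * (size_t)pg;
  char *m = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (m == MAP_FAILED) return NULL;
  memcpy(m, cfg, n);
  m[n] = '\0';
  if (mprotect(m, sz, PROT_READ) != 0) { munmap(m, sz); return NULL; }
  *len = sz;
  return m;
}

/* Simulate an attacker's write into the config.  Returns 1 if the write
   faulted (config is protected), 0 if it went through. */
static int config_write_is_blocked(char *cfg) {
  struct sigaction sa, old_segv, old_bus;
  memset(&sa, 0, sizeof sa);
  sa.sa_handler = on_fault;
  sigemptyset(&sa.sa_mask);
  sa.sa_flags = SA_NODEFER;            /* we longjmp out, never return normally */
  sigaction(SIGSEGV, &sa, &old_segv);
  sigaction(SIGBUS, &sa, &old_bus);    /* some platforms raise SIGBUS instead */
  fault_seen = 0;
  if (sigsetjmp(fault_jmp, 1) == 0) {
    ((volatile char *)cfg)[0] = 'X';   /* succeeds silently on a writable heap copy */
  }
  sigaction(SIGSEGV, &old_segv, NULL);
  sigaction(SIGBUS, &old_bus, NULL);
  return fault_seen;
}

/* Returns 1 when the write was blocked and the config is byte-for-byte intact. */
int demo_config_protection(void) {
  size_t len = 0;
  char *cfg = config_install_readonly(sample_config, sizeof sample_config - 1, &len);
  if (!cfg) return 0;
  int blocked = config_write_is_blocked(cfg);
  int intact = strcmp(cfg, sample_config) == 0;
  munmap(cfg, len);
  return blocked && intact;
}

int main(void) {
  printf("write into read-only config blocked: %d\n", demo_config_protection());
  return 0;
}
```

The mapping has to be separate from the malloc heap for this to help: a config that lives at the start of the heap can be reached by any overflow from an adjacent allocation, while a dedicated mapping can be locked down as a whole once parsing is finished. Anything that must legitimately mutate at runtime has to be kept out of that mapping.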
Jeremy Harris [Fri, 28 May 2021 19:04:44 +0000 (20:04 +0100)]
DKIM: under GnuTLS, permit weak algorithms
Recent versions of GnuTLS by default disallow use of some methods now regarded as
weak. This probably means sha1, which is deprecated per DKIM standards.
Jeremy Harris [Fri, 28 May 2021 12:33:49 +0000 (13:33 +0100)]
Logging: avoid pause during log-open under testsuite
It results in rearranged logging output, causing testsuite case failures
The downside is that we lose debug visibility of the extra process startup
CVE-2020-28007: Link attack in Exim's log directory
We patch this vulnerability by opening (instead of just creating) the
log file in an unprivileged (exim) child process, and by passing this
file descriptor back to the privileged (root) parent process. The two
functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
functions mm_send_fd() and mm_receive_fd(); thanks!
This patch also fixes:
- a NULL-pointer dereference in usr1_handler() (this signal handler is
installed before process_log_path is initialized);
- a file-descriptor leak in dmarc_write_history_file() (two return paths
did not close history_file_fd).
Note: the use of log_open_as_exim() in dmarc_write_history_file() should
be fine because the documentation explicitly states "Make sure the
directory of this file is writable by the user exim runs as."
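The open-in-unprivileged-child, pass-the-descriptor-back mechanism described for CVE-2020-28007, as an added example that is not Exim's code. The names here (send_fd_over_socket, recv_fd_over_socket, open_log_as_user, demo_log_roundtrip) are my own, not Exim's log_send_fd()/log_recv_fd(); the descriptor transfer uses SCM_RIGHTS over a socketpair(), the same technique OpenSSH's mm_send_fd()/mm_receive_fd() use. The child drops to the given uid/gid only when it actually runs as root, so the demo also works unprivileged; the O_NOFOLLOW flag is an extra defence I added, not something the commit message states. The log path and log line are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send one descriptor over a Unix socket as SCM_RIGHTS ancillary data. */
static int send_fd_over_socket(int sock, int fd) {
  char byte = 0;
  struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
  union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
  struct msghdr msg;
  memset(&u, 0, sizeof u);
  memset(&msg, 0, sizeof msg);
  msg.msg_iov = &iov; msg.msg_iovlen = 1;
  msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
  struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
  c->cmsg_level = SOL_SOCKET;
  c->cmsg_type = SCM_RIGHTS;
  c->cmsg_len = CMSG_LEN(sizeof(int));
  memcpy(CMSG_DATA(c), &fd, sizeof fd);
  return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor sent by send_fd_over_socket(); -1 on failure. */
static int recv_fd_over_socket(int sock) {
  char byte;
  struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
  union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
  struct msghdr msg;
  memset(&msg, 0, sizeof msg);
  msg.msg_iov = &iov; msg.msg_iovlen = 1;
  msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
  if (recvmsg(sock, &msg, 0) != 1) return -1;
  for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
    if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS &&
        c->cmsg_len == CMSG_LEN(sizeof(int))) {
      int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd); return fd;
    }
  return -1;
}

/* Open (not merely create) the log as the unprivileged user in a child and
   hand the descriptor back to the privileged parent.  A symlink planted in the
   log directory then only ever gets followed with the exim user's rights. */
static int open_log_as_user(const char *path, uid_t uid, gid_t gid) {
  int sv[2], status;
  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
  pid_t pid = fork();
  if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
  if (pid == 0) {
    close(sv[0]);
    if (geteuid() == 0 &&               /* drop privileges only if we hold them */
        (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0))
      _exit(1);
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0) _exit(1);
    _exit(send_fd_over_socket(sv[1], fd) == 0 ? 0 : 1);
  }
  close(sv[1]);
  int fd = recv_fd_over_socket(sv[0]);
  close(sv[0]);
  while (waitpid(pid, &status, 0) < 0 && errno == EINTR) ;
  if (fd < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
    if (fd >= 0) close(fd);
    return -1;
  }
  return fd;
}

/* Round trip: open a temp log via the child, write a constructed line through
   the received descriptor, read it back.  Returns 1 on success. */
int demo_log_roundtrip(void) {
  char path[] = "/tmp/log_fd_demo_XXXXXX";
  int t = mkstemp(path);
  if (t < 0) return 0;
  close(t);
  int fd = open_log_as_user(path, getuid(), getgid());
  if (fd < 0) { unlink(path); return 0; }
  static const char line[] = "2021-05-28 13:33:49 constructed demo log line\n";
  int ok = write(fd, line, sizeof line - 1) == (ssize_t)(sizeof line - 1);
  close(fd);
  char buf[128] = {0};
  int r = open(path, O_RDONLY);
  ssize_t n = r >= 0 ? read(r, buf, sizeof buf - 1) : -1;
  if (r >= 0) close(r);
  unlink(path);
  return ok && n == (ssize_t)(sizeof line - 1) && memcmp(buf, line, (size_t)n) == 0;
}

int main(void) { printf("log fd round trip ok: %d\n", demo_log_roundtrip()); return 0; }
```

The point of passing the descriptor rather than the path is that the privileged parent never calls open() on the attacker-influenced directory itself; whatever the descriptor refers to was resolved with the exim user's permissions, so a link to a root-only file simply fails in the child. The parent still checks the child's exit status so a failed open is not mistaken for a usable log.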