Debian Exim4 vulnerabilities

CVE-2020-28020 [CRITICAL] CVE-2020-28020: exim4 - Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unaut... Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction. Scope: local bookworm: resolved (fixed in 4.92~RC5-1) bullseye: resolved (fixed in 4.92~RC5-1) forky: resolved (fixed in 4.92~RC5-1) sid: resolved

CVE-2020-28017 [CRITICAL] CVE-2020-28017: exim4 - Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_r... Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1) sid: resolved (fixed

CVE-2020-12783 [HIGH] CVE-2020-12783: exim4 - Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could ... Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c. Scope: local bookworm: resolved (fixed in 4.93-16) bullseye: resolved (fixed in 4.93-16) forky: resolved (fixed in 4.93-16) sid: resolved (fixed in 4.93-16) trixie: resolved (fixed in 4.93-16)

CVE-2020-28023 [HIGH] CVE-2020-28023: exim4 - Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sens... Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1) sid: resolved (fixed in 4.94.2-1) trixie: resolved (fixed in 4.94.2-1)

CVE-2020-28007 [HIGH] CVE-2020-28007: exim4 - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim ... Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94

CVE-2020-28008 [HIGH] CVE-2020-28008: exim4 - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim ... Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fi

CVE-2020-28012 [HIGH] CVE-2020-28012: exim4 - Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sp... Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1) sid: resolved (fixed in 4.94.2-1) trixie: resolved (fixed in 4.94.2-1)

CVE-2020-28009 [HIGH] CVE-2020-28009: exim4 - Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdi... Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days). Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.

CVE-2020-28011 [HIGH] CVE-2020-28011: exim4 - Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two send... Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1) sid: resolved (fixed in 4.94.2-1) trixie: resolved (fixed in 4.94.2-1)

CVE-2020-28013 [HIGH] CVE-2020-28013: exim4 - Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F... Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '.('" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1)

CVE-2020-28021 [HIGH] CVE-2020-28021: exim4 - Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenti... Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1

CVE-2020-28015 [HIGH] CVE-2020-28015: exim4 - Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users... Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1) sid: resolved (fixed in 4.94.2-1) trixie: resolved (fixed in 4.

CVE-2020-28025 [HIGH] CVE-2020-28025: exim4 - Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash doe... Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixe

CVE-2020-28019 [HIGH] CVE-2020-28019: exim4 - Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-base... Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1) sid: resolved (

CVE-2020-28016 [HIGH] CVE-2020-28016: exim4 - Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because "-F ''" is... Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because "-F ''" is mishandled by parse_fix_phrase. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1) sid: resolved (fixed in 4.94.2-1) trixie: resolved (fixed in 4.94.2-1)

CVE-2020-28010 [HIGH] CVE-2020-28010: exim4 - Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while... Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms). Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1) sid: resolved (fixed in 4.94.2-1) trixie: r

CVE-2020-28014 [MEDIUM] CVE-2020-28014: exim4 - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP optio... Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1) sid: resolved (fixed in 4.94.2-1) trixie: resolved (

CVE-2020-28018 [CRITICAL] CVE-2020-28018: exim4 - Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations t... Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL. Scope: local bookworm: resolved (fixed in 4.94.2-1) bullseye: resolved (fixed in 4.94.2-1) forky: resolved (fixed in 4.94.2-1) sid: resolved (fixed in 4.94.2-1) trixie: resolved (fixed in 4.94.2-1)

CVE-2019-13917 [CRITICAL] CVE-2019-13917: exim4 - Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in... Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain). Scope: local bookworm: resolved (fixed in 4.92-10) bullseye: resolved (fixed in 4.92-10) forky: resolved (fixed in 4.92-10) sid: resolved (fixed

CVE-2019-15846 [CRITICAL] CVE-2019-15846: exim4 - Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via... Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash. Scope: local bookworm: resolved (fixed in 4.92.1-3) bullseye: resolved (fixed in 4.92.1-3) forky: resolved (fixed in 4.92.1-3) sid: resolved (fixed in 4.92.1-3) trixie: resolved (fixed in 4.92.1-3)