From 798bcb8a094a3a7399d04d760c882f4f25922f41 Mon Sep 17 00:00:00 2001
From: Andreas Metzler <ametzler@debian.org>
Date: Wed, 13 May 2020 18:01:31 +0200
Subject: [PATCH] Import Debian changes 4.92-8+deb10u4

exim4 (4.92-8+deb10u4) buster-security; urgency=high

  * Fix authentication bypass in SPA authenticator due to out-of-bound buffer
    read. https://bugs.exim.org/show_bug.cgi?id=2571 CVE-2020-12783
---
 debian/changelog                              |  7 ++
 ...cator-checking-client-supplied-data-.patch | 74 +++++++++++++++++++
 ...SPA-fix-to-avoid-overflows.-Bug-2571.patch | 59 +++++++++++++++
 debian/patches/series                         |  2 +
 4 files changed, 142 insertions(+)
 create mode 100644 debian/patches/79_01-Fix-SPA-authenticator-checking-client-supplied-data-.patch
 create mode 100644 debian/patches/79_02-Rework-SPA-fix-to-avoid-overflows.-Bug-2571.patch

diff --git a/debian/changelog b/debian/changelog
index 6fcb27a..42f11ec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+exim4 (4.92-8+deb10u4) buster-security; urgency=high
+
+  * Fix authentication bypass in SPA authenticator due to out-of-bound buffer
+    read. https://bugs.exim.org/show_bug.cgi?id=2571 CVE-2020-12783
+
+ -- Andreas Metzler <ametzler@debian.org>  Wed, 13 May 2020 18:01:31 +0200
+
 exim4 (4.92-8+deb10u3) buster-security; urgency=high
 
   * 78_02-Fix-buffer-overflow-in-string_vformat.-Bug-2449.patch:
diff --git a/debian/patches/79_01-Fix-SPA-authenticator-checking-client-supplied-data-.patch b/debian/patches/79_01-Fix-SPA-authenticator-checking-client-supplied-data-.patch
new file mode 100644
index 0000000..f0688bb
--- /dev/null
+++ b/debian/patches/79_01-Fix-SPA-authenticator-checking-client-supplied-data-.patch
@@ -0,0 +1,74 @@
+From 6a7edbf6608d10ef0c707c426511e667849518d7 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Tue, 5 May 2020 21:15:34 +0100
+Subject: [PATCH 1/2] Fix SPA authenticator, checking client-supplied data
+ before using it.  Bug 2571
+
+(cherry picked from commit 57aa14b216432be381b6295c312065b2fd034f86)
+---
+ doc/ChangeLog |  5 +++++
+ src/auths/spa.c   | 22 ++++++++++++++++------
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -62,6 +62,11 @@ JH/28 Fix the timeout on smtp response t
+ [from GIT master]
+ 
+ 
++JH/41 Bug 2571: Fix SPA authenticator.  Running as a server, an offset supplied
++      by the client was not checked as pointing within response data before
++      being used.  A malicious client could thus cause an out-of-bounds read and
++      possibly gain authentication.  Fix by adding the check.
++
+ 
+ Exim version 4.92
+ -----------------
+--- a/src/auths/spa.c
++++ b/src/auths/spa.c
+@@ -139,7 +139,7 @@ SPAAuthChallenge challenge;
+ SPAAuthResponse  response;
+ SPAAuthResponse  *responseptr = &response;
+ uschar msgbuf[2048];
+-uschar *clearpass;
++uschar *clearpass, *s;
+ 
+ /* send a 334, MS Exchange style, and grab the client's request,
+ unless we already have it via an initial response. */
+@@ -197,6 +197,13 @@ that causes failure if the size of msgbu
+   char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
+   int len = SVAL(&responseptr->uUser.len,0)/2;
+ 
++  if (p + len*2 >= CS (responseptr+1))
++    {
++    DEBUG(D_auth)
++      debug_printf("auth_spa_server(): bad uUser spec in response\n");
++    return FAIL;
++    }
++
+   if (len + 1 >= sizeof(msgbuf)) return FAIL;
+   for (i = 0; i < len; ++i)
+     {
+@@ -245,14 +252,17 @@ spa_smb_nt_encrypt (clearpass, challenge
+ 
+ /* compare NT hash (LM may not be available) */
+ 
+-if (memcmp(ntRespData,
+-      ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
+-      24) == 0)
+-  /* success. we have a winner. */
++s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
++if (s + 24 >= US (responseptr+1))
+   {
+-  return auth_check_serv_cond(ablock);
++  DEBUG(D_auth)
++    debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
++  return FAIL;
+   }
+ 
++if (memcmp(ntRespData, s, 24) == 0)
++  return auth_check_serv_cond(ablock);	/* success. we have a winner. */
++
+   /* Expand server_condition as an authorization check (PH) */
+ 
+ return FAIL;
diff --git a/debian/patches/79_02-Rework-SPA-fix-to-avoid-overflows.-Bug-2571.patch b/debian/patches/79_02-Rework-SPA-fix-to-avoid-overflows.-Bug-2571.patch
new file mode 100644
index 0000000..5bc18e3
--- /dev/null
+++ b/debian/patches/79_02-Rework-SPA-fix-to-avoid-overflows.-Bug-2571.patch
@@ -0,0 +1,59 @@
+From 5a41d2c2cd2b28a0d1aea21edeaea02bd6db4984 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Wed, 6 May 2020 22:31:25 +0100
+Subject: [PATCH 2/2] Rework SPA fix to avoid overflows.  Bug 2571
+
+Amends: 6a7edbf660
+(cherry picked from commit a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0)
+---
+ src/auths/spa.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/auths/spa.c b/src/auths/spa.c
+index ed9aff23b..4e3aef808 100644
+--- a/src/auths/spa.c
++++ b/src/auths/spa.c
+@@ -140,6 +140,7 @@ SPAAuthResponse  response;
+ SPAAuthResponse  *responseptr = &response;
+ uschar msgbuf[2048];
+ uschar *clearpass, *s;
++unsigned off;
+ 
+ /* send a 334, MS Exchange style, and grab the client's request,
+ unless we already have it via an initial response. */
+@@ -194,10 +195,13 @@ that causes failure if the size of msgbuf is exceeded. ****/
+ 
+   {
+   int i;
+-  char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
++  char * p;
+   int len = SVAL(&responseptr->uUser.len,0)/2;
+ 
+-  if (p + len*2 >= CS (responseptr+1))
++  if (  (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
++     || len >= sizeof(responseptr->buffer)/2
++     || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
++     )
+     {
+     DEBUG(D_auth)
+       debug_printf("auth_spa_server(): bad uUser spec in response\n");
+@@ -252,13 +256,14 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);
+ 
+ /* compare NT hash (LM may not be available) */
+ 
+-s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
+-if (s + 24 >= US (responseptr+1))
++off = IVAL(&responseptr->ntResponse.offset,0);
++if (off >= sizeof(SPAAuthResponse) - 24)
+   {
+   DEBUG(D_auth)
+     debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
+   return FAIL;
+   }
++s = (US responseptr) + off;
+ 
+ if (memcmp(ntRespData, s, 24) == 0)
+   return auth_check_serv_cond(ablock);	/* success. we have a winner. */
+-- 
+2.26.2
+
diff --git a/debian/patches/series b/debian/patches/series
index 2e2816b..d19d88e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,4 +24,6 @@
 77_Avoid-re-expansion-in-sort-CVE-2019-13917-OVE-201907.patch
 78_01-string.c-do-not-interpret-before-0-CVE-2019-15846.patch
 78_02-Fix-buffer-overflow-in-string_vformat.-Bug-2449.patch
+79_01-Fix-SPA-authenticator-checking-client-supplied-data-.patch
+79_02-Rework-SPA-fix-to-avoid-overflows.-Bug-2571.patch
 90_localscan_dlopen.dpatch
-- 
2.20.1