Version in base suite: 4.96-15+deb12u9
Base version: exim4_4.96-15+deb12u9
Target version: exim4_4.96-15+deb12u10
Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/exim4/exim4_4.96-15+deb12u9.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/e/exim4/exim4_4.96-15+deb12u10.dsc
 changelog | 13 +
 patches/84_Security-fix-PROXYv2-uninitialised-stack-disclosure-.patch | 89 ++++++++++
 patches/series | 1
 3 files changed, 103 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpsodfw6le/exim4_4.96-15+deb12u9.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpsodfw6le/exim4_4.96-15+deb12u10.dsc: no acceptable signature found
diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog
--- exim4-4.96/debian/changelog 2026-05-11 17:12:18.000000000 +0000
+++ exim4-4.96/debian/changelog 2026-05-27 16:52:26.000000000 +0000
@@ -1,3 +1,16 @@
+exim4 (4.96-15+deb12u10) bookworm-security; urgency=high
+
+  * Cherry-pick fix for EXIM-Security-2026-05-19.1 from 4.99.4.
+    Security: PROXYv2 parser: reject PROXY frames whose declared payload
+    length is too short for the claimed address family (12 bytes for
+    TCPv4/0x11, 36 bytes for TCPv6/0x21). Previously a frame with
+    family=0x21 and len=0 caused 16 bytes of uninitialized stack to be
+    formatted as the sender's IPv6 address and disclosed in the SMTP
+    greeting banner. Affects configurations with SUPPORT_PROXY and
+    `hosts_proxy` set. Reported by Warisjeet Singh (sin99xx).
+
+ -- Andreas Metzler Wed, 27 May 2026 18:52:26 +0200
+
 exim4 (4.96-15+deb12u9) bookworm-security; urgency=high
 
   * Backport fix for Use-After-Free in GnuTLS BDAT/CHUNKING code path.
diff -Nru exim4-4.96/debian/patches/84_Security-fix-PROXYv2-uninitialised-stack-disclosure-.patch exim4-4.96/debian/patches/84_Security-fix-PROXYv2-uninitialised-stack-disclosure-.patch
--- exim4-4.96/debian/patches/84_Security-fix-PROXYv2-uninitialised-stack-disclosure-.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.96/debian/patches/84_Security-fix-PROXYv2-uninitialised-stack-disclosure-.patch 2026-05-27 16:52:26.000000000 +0000
@@ -0,0 +1,89 @@
+From aae0c4c3fba1f7e50971ba250ddbbedb583d48a6 Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)"
+Date: Tue, 19 May 2026 16:06:43 +0200
+Subject: [PATCH] Security: fix PROXYv2 uninitialised-stack disclosure
+ (EXIM-Security-2026-05-16.1)
+
+A PROXYv2 frame with address family 0x21 (TCPv6) and payload length 0
+passes the upper-bound check at the only existing length guard, then
+the TCPv6 dispatch arm reads 16 bytes of uninitialised stack from the
+union into sender_host_address, which is subsequently rendered in the
+SMTP greeting banner. Any attacker whose source IP matches hosts_proxy
+can thus leak stack content (useful as an ASLR-defeat primitive) with
+a single unauthenticated connection.
+
+Fix: add minimum-length checks for each address family before the union
+is accessed (12 bytes for TCPv4/0x11, 36 bytes for TCPv6/0x21).
+
+Affects: all Exim releases with SUPPORT_PROXY enabled.
+Reported by: Warisjeet Singh (sin99xx)
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -140,14 +140,22 @@ JH/36 CVE-2026-40687: The spa authentica
+       end of static buffers, by choice of data provided by the client.
+ 
+ JH/01 GnuTLS: when a TLS close alert was received with CHUNKING still active
+       a one-byte write into a freed buffer was possible. Fix by reinstating
+       the plaintext input handlers on TLS close while maintaining the bdat
+       handlers.
+ 
++HS/01 Security: PROXYv2 parser: reject PROXY frames whose declared payload
++      length is too short for the claimed address family (12 bytes for
++      TCPv4/0x11, 36 bytes for TCPv6/0x21). Previously a frame with
++      family=0x21 and len=0 caused 16 bytes of uninitialized stack to be
++      formatted as the sender's IPv6 address and disclosed in the SMTP
++      greeting banner. Affects configurations with SUPPORT_PROXY and
++      `hosts_proxy` set. Reported by Warisjeet Singh (sin99xx).
++
+ Exim version 4.96
+ -----------------
+ 
+ JH/01 Move the wait-for-next-tick (needed for unique message IDs) from
+       after reception to before a subsequent reception. This should
+       mean slightly faster delivery, and also confirmation of reception
+       to senders.
+--- a/src/smtp_in.c
++++ b/src/smtp_in.c
+@@ -1396,14 +1396,20 @@ if (ret >= 16 && memcmp(&hdr.v2, v2sig,
+ 
+ switch (cmd)
+   {
+   case 0x01: /* PROXY command */
+     switch (hdr.v2.fam)
+       {
+       case 0x11: /* TCPv4 address type */
++        if (ntohs(hdr.v2.len) < 12)
++          {
++          DEBUG(D_receive) debug_printf("PROXYv2 TCPv4 payload too short (%d)\n",
++            ntohs(hdr.v2.len));
++          goto proxyfail;
++          }
+         iptype = US"IPv4";
+         tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
+         inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));
+         if (!string_is_ip_address(US tmpip, NULL))
+           {
+           DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
+           goto proxyfail;
+@@ -1422,14 +1428,20 @@ if (ret >= 16 && memcmp(&hdr.v2, v2sig,
+           goto proxyfail;
+           }
+         proxy_external_address = string_copy(US tmpip);
+         tmpport = ntohs(hdr.v2.addr.ip4.dst_port);
+         proxy_external_port = tmpport;
+         goto done;
+       case 0x21: /* TCPv6 address type */
++        if (ntohs(hdr.v2.len) < 36)
++          {
++          DEBUG(D_receive) debug_printf("PROXYv2 TCPv6 payload too short (%d)\n",
++            ntohs(hdr.v2.len));
++          goto proxyfail;
++          }
+         iptype = US"IPv6";
+         memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
+         inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));
+         if (!string_is_ip_address(US tmpip6, NULL))
+           {
+           DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
+           goto proxyfail;
diff -Nru exim4-4.96/debian/patches/series exim4-4.96/debian/patches/series
--- exim4-4.96/debian/patches/series 2026-05-11 17:01:08.000000000 +0000
+++ exim4-4.96/debian/patches/series 2026-05-27 16:52:26.000000000 +0000
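Review bot: The two new guards in the smtp_in.c hunks compare only the peer's declared `hdr.v2.len` against the family minimum; that keeps `hdr.v2.addr` initialised only if the earlier read (outside this hunk, the one behind the `ret >= 16` test visible in the hunk header) is required to return the whole declared payload, otherwise `ret` itself must also be checked against 12 and 36 before the union is read. The literals 12 and 36 restate the layout of `hdr.v2.addr.ip4` and `hdr.v2.addr.ip6`; `if (ntohs(hdr.v2.len) < sizeof hdr.v2.addr.ip4)` (and `sizeof hdr.v2.addr.ip6` in the 0x21 arm) would tie the check to the struct, provided those members carry no padding, and a short comment such as `/* src+dst address plus two ports */` would explain the constant if it stays. Only the 0x11 and 0x21 arms are guarded, so any other `fam` arm of the inner switch that reads the union (the switch begins and ends outside the hunk) needs the same minimum-length check. The advisory id in the patch Subject, EXIM-Security-2026-05-16.1, does not match the EXIM-Security-2026-05-19.1 cited in debian/changelog; one of the two should be corrected so the fix can be traced to the right advisory.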
@@ -62,4 +62,5 @@
 82_05-Fix-SPA-authenticator.-Bug-3106.patch
 82_06-SPA-authenticator-harden-buffer-usage.patch
 83_TLS-on-rxd-close-with-CHUNKING-active-clean-the-inpu.patch
+84_Security-fix-PROXYv2-uninitialised-stack-disclosure-.patch
 90_localscan_dlopen.dpatch