Version in base suite: 4.96-15+deb12u6 Base version: exim4_4.96-15+deb12u6 Target version: exim4_4.96-15+deb12u7 Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/exim4/exim4_4.96-15+deb12u6.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/e/exim4/exim4_4.96-15+deb12u7.dsc changelog | 7 +++ patches/81_CVE-2025-30232.patch | 82 ++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 90 insertions(+)
diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog
--- exim4-4.96/debian/changelog 2024-09-28 14:49:26.000000000 +0000
+++ exim4-4.96/debian/changelog 2025-03-22 10:25:14.000000000 +0000
@@ -1,3 +1,10 @@
+exim4 (4.96-15+deb12u7) bookworm-security; urgency=high
+
+ * Fix use-after-free (requiring local command-line access) notified by
+ Trend Micro (ref: ZDI-CAN-26250). CVE-2025-30232
+
+ -- Andreas Metzler Sat, 22 Mar 2025 11:25:14 +0100
+
 exim4 (4.96-15+deb12u6) bookworm; urgency=medium
 * Fix crash in dbmnz when looking up keys with no content.
diff -Nru exim4-4.96/debian/patches/81_CVE-2025-30232.patch exim4-4.96/debian/patches/81_CVE-2025-30232.patch
--- exim4-4.96/debian/patches/81_CVE-2025-30232.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.96/debian/patches/81_CVE-2025-30232.patch 2025-03-21 14:38:29.000000000 +0000
@@ -0,0 +1,82 @@
+From 4338bbe48a80dbfb7d75cbb8ac4789b02720f15e Mon Sep 17 00:00:00 2001
+From: Jeremy Harris
+Date: Wed, 19 Mar 2025 13:32:23 +0000
+Subject: [PATCH] CVE-2025-30232
+
+---
+ doc/ChangeLog | 11 ++++++++++-
+ src/debug.c | 26 +++++++++++++++-----------
+ 2 files changed, 25 insertions(+), 12 deletions(-)
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -1,9 +1,14 @@
+ This document describes *changes* to previous versions, that might
+ affect Exim's operation, with an unchanged configuration file. For new
+ options, and new features, see the NewStuff file next to this ChangeLog.
+
++JH/01 Fix use-after-free notified by Trend Micro (ref: ZDI-CAN-26250).
++ Null out debug_pretrigger_buf pointer before freeing the buffer;
++ the use of this buffer by the storage management checks the pointer
++ for non-null before using it. CVE-2025-30232
++
+ H/35 Bug 3099: fix parsing of MIME filename= split over multiple paramemters.
+ Previously the $mime_filename variable would have an incorrect value.
+ While in the code, extend coverage to name= which previously was only
+ supported for single parameters, despite also filling in $mime_filename.
+
+--- a/src/debug.c
++++ b/src/debug.c
+@@ -450,21 +450,33 @@ else
+ diverts output to a circular buffer if the buffer is set up.
+ The routines here set up the buffer, and unload it to file (and release it).
+ What ends up in the buffer is subject to the usual debug_selector.
*/
+
+ void
++debug_pretrigger_discard(void)
++{
++dtrigger_selector = 0;
++if (debug_pretrigger_buf)
++ {
++ uschar * buf = debug_pretrigger_buf;
++ debug_pretrigger_buf = NULL;
++ store_free(buf);
++ }
++}
++
++void
+ debug_pretrigger_setup(const uschar * size_string)
+ {
+ long size = Ustrtol(size_string, NULL, 0);
+ if (size > 0)
+ {
+ unsigned bufsize = MIN(size, 16384);
+
+- dtrigger_selector |= BIT(DTi_pretrigger);
+- if (debug_pretrigger_buf) store_free(debug_pretrigger_buf);
+- debug_pretrigger_buf = store_malloc((size_t)(debug_pretrigger_bsize = bufsize));
++ debug_pretrigger_discard();
+ pretrigger_readoff = pretrigger_writeoff = 0;
++ debug_pretrigger_buf = store_malloc((size_t)(debug_pretrigger_bsize = bufsize));
++ dtrigger_selector |= BIT(DTi_pretrigger);
+ }
+ }
+
+ void
+ debug_trigger_fire(void)
+@@ -484,15 +496,7 @@ if (debug_file && (nbytes = pretrigger_w
+ }
+
+ debug_pretrigger_discard();
+ }
+
+-void
+-debug_pretrigger_discard(void)
+-{
+-if (debug_pretrigger_buf) store_free(debug_pretrigger_buf);
+-debug_pretrigger_buf = NULL;
+-dtrigger_selector = 0;
+-}
+-
+
+ /* End of debug.c */
diff -Nru exim4-4.96/debian/patches/series exim4-4.96/debian/patches/series
--- exim4-4.96/debian/patches/series 2024-09-28 14:46:46.000000000 +0000
+++ exim4-4.96/debian/patches/series 2025-03-21 14:35:40.000000000 +0000
@@ -54,4 +54,5 @@
 78_02-MIME-support-RFC-2331-for-name-.-Bug-3099.patch
 78_03-Compiler-quietening.patch
 80_Lookups-fix-dbmnz-crash-on-zero-length-datum.-Bug-30.patch
+81_CVE-2025-30232.patch
 90_localscan_dlopen.dpatch
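Review bot: `debug_pretrigger_setup()` now goes through `debug_pretrigger_discard()`, which does `dtrigger_selector = 0;` before the pretrigger bit is re-added, whereas the removed code only OR'd in `BIT(DTi_pretrigger)` and never touched the other bits; if any other selector bit can already be set when setup runs (not visible in this hunk), it is now silently cleared, so either preserve the other bits around the call (save the selector before `debug_pretrigger_discard();` and OR it back together with `BIT(DTi_pretrigger)`) or confirm no such bit can exist at that point. The null-before-free ordering in `debug_pretrigger_discard()` is the whole fix, but the reason is recorded only in doc/ChangeLog; a comment on the `debug_pretrigger_buf = NULL;` line such as `/* Clear the global before freeing: store_free() may emit debug output that tests debug_pretrigger_buf */` keeps a later cleanup from reverting it. The same applies to the reordering in setup, where the selector bit is now set only after the new buffer exists and the offsets are reset. The second hunk (`@@ -484,15 +496,7 @@`) starts inside `debug_trigger_fire()`, whose body begins outside the hunk.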