Hi all,

We noticed the branch "hs/qualys-2020" and reviewed the patches. We just have three comments and one question:

========================================================================

commit 4f0ac4ad70d38a13fb3f248c3ae2b66b0e1fe7d3
Safeguard against relative names for msglog files.

Is there a reason for the extra "&& (p == filename || *(p-1) == '/')"?

Because of this extra condition, our exploit against CVE-2019-15846 for example would work despite this patch: we overwrite the message id (the argument for deliver_message()) with "/../../../../../../../etc/passwd" but depending on the alignment of our memory corruption, the beginning of id can be "./../../" (for example) and:

- (p = Ustrstr(filename, US"/../")) is true;

- (p == filename) is false, because filename always starts with spool_directory, an absolute path;

- (*(p-1) == '/') is false, because the character before the first "/../" is '.';

as a result, log_write(LOG_PANIC_DIE) is not called and we can modify /etc/passwd.

========================================================================

commit e5cb5e615a63a4c97d3e2e88903eaaadfb254bcb
Check overrun rcpt_count integer

    if (rcpt_count+1 < 0

Actually, such a signed integer overflow is undefined behavior in C and an optimizing compiler may therefore remove this check completely (some do). The check should be made against INT_MAX (before the int overflow) and should be made earlier, when rcpt_count is incremented (at the very beginning of the case RCPT_CMD): otherwise, rcpt_count can be increased without going through the recipients_max check (e.g., via the breaks in "if (sender_address == NULL)" and "if (!recipient_domain)").

========================================================================

commit 54895bc3ffdf5ecebcbafb2e6041fa52d6f5e5fb
smtp_out: Leave a clean input buffer, even in case of read error

+  inblock->ptr = ptr;
   return -1;

There is another return -1 in this function, should it also get fixed? Or maybe a common error codepath should be added instead?

========================================================================

We saw 20-patches2.txt.gpg in cve-2020-qualys/ and just in case: did you also receive/read patches1.txt?

========================================================================

Thank you very much for all your work on Exim! We are at your disposal for questions, comments, and further discussions.

With best regards,

-- 
the Qualys Security Advisory team
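To make the first two comments concrete, here is an added C example (not Exim's code and not the patches themselves): msglog_accept_weak reconstructs the quoted "/../" condition, msglog_accept_strict rejects any ".." component wherever it sits, and rcpt_count_checked_increment shows the INT_MAX comparison done before the increment; SPOOL_DIR, the helper names and the sample ids are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Exim's spool_directory (an assumption, not Exim's value). */
#define SPOOL_DIR "/var/spool/exim"

/* Hypothetical helper: builds the msglog path the way the mail describes it,
   an absolute spool prefix followed by an untrusted message id. */
const char *build_msglog_path(const char *id)
{
    static char buf[512];
    snprintf(buf, sizeof buf, "%s/msglog/%s", SPOOL_DIR, id);
    return buf;
}

/* Reconstruction of the condition quoted in the mail: a "/../" is rejected only
   when it starts the string or follows a '/'. Returns true when the name is
   accepted, i.e. log_write(LOG_PANIC_DIE) would not be reached. */
bool msglog_accept_weak(const char *filename)
{
    const char *p = strstr(filename, "/../");
    return !(p != NULL && (p == filename || *(p - 1) == '/'));
}

/* Stricter variant: walk the path component by component and reject any ".."
   segment wherever it appears, so a "./../" prefix cannot slip through. */
bool msglog_accept_strict(const char *filename)
{
    const char *seg = filename;
    for (;;) {
        const char *slash = strchr(seg, '/');
        size_t len = slash ? (size_t)(slash - seg) : strlen(seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return false;
        if (slash == NULL) return true;
        seg = slash + 1;
    }
}

/* Overflow-safe form of the rcpt_count check: compare against INT_MAX before
   incrementing instead of testing rcpt_count+1 < 0 after a signed overflow
   (undefined behaviour). Returns the new count, or -1 if it would overflow. */
int rcpt_count_checked_increment(int rcpt_count)
{
    if (rcpt_count >= INT_MAX) return -1;
    return rcpt_count + 1;
}
```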