========================================================================
CVE-2020-SLCWD -- Heap out-of-bounds write in main()
========================================================================

For debugging and logging purposes, Exim copies the current working
directory (initial_cwd) into the heap-based big_buffer:

3665   initial_cwd = os_getcwd(NULL, 0);
....
3945   uschar *p = big_buffer;
3946   Ustrcpy(p, "cwd= (failed)");
....
3952     Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
3953     p += 4 + Ustrlen(initial_cwd);
....
3956     *p = '\0';

The strncpy() at line 3952 cannot overflow big_buffer, but (on Linux at
least) initial_cwd can be much longer than big_buffer_size (16KB): line
3953 can increase p past big_buffer's end, and line 3956 (and beyond)
can write out of big_buffer's bounds.

We have not tried to exploit this vulnerability; if exploitable, it
would allow an unprivileged local attacker to obtain full root
privileges.
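
The C sketch below is an added example, not Exim's code or its patch. It
contrasts the unbounded offset from line 3953 with a bounded variant that
advances by the number of bytes actually copied. The function names, the
BIG_BUFFER_SIZE macro and the 20000-byte path are constructed for
illustration.

```c
#include <stdio.h>
#include <string.h>

#define BIG_BUFFER_SIZE 16384   /* big_buffer_size (16KB) per the advisory */

/* Offset where the pattern at lines 3953/3956 would place the NUL:
   p += 4 + strlen(initial_cwd). Only computed here, never written. */
size_t unbounded_end_offset(const char *cwd)
{
    return 4 + strlen(cwd);
}

/* Bounded variant (assumption: one possible hardening): truncate the
   copy to the room left and advance by the copied length, so the
   terminator always lands inside buf. Returns the NUL's offset. */
size_t format_cwd_bounded(char *buf, size_t buf_size, const char *cwd)
{
    static const char failed[] = "cwd= (failed)";
    size_t room, n;

    if (buf_size < sizeof failed)
        return 0;                      /* buffer too small to use */
    memcpy(buf, failed, sizeof failed);
    if (cwd == NULL)
        return sizeof failed - 1;      /* keep the "(failed)" text */

    room = buf_size - 5;               /* 4 for "cwd=" plus 1 for NUL */
    n = strlen(cwd);
    if (n > room)
        n = room;                      /* truncate instead of overrun */
    memcpy(buf + 4, cwd, n);
    buf[4 + n] = '\0';
    return 4 + n;
}

int main(void)
{
    static char cwd[20001];            /* constructed 20000-byte path */
    static char buf[BIG_BUFFER_SIZE];

    memset(cwd, 'a', sizeof cwd - 1);
    printf("unbounded offset: %zu (buffer ends at %d)\n",
           unbounded_end_offset(cwd), BIG_BUFFER_SIZE);
    printf("bounded offset:   %zu\n",
           format_cwd_bounded(buf, sizeof buf, cwd));
    return 0;
}
```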
