========================================================================
CVE-2020-PFPSN -- Heap buffer overflow in parse_fix_phrase()
========================================================================

If a local attacker executes Exim with a -F '.(' option (for example),
then parse_fix_phrase() calls strncpy() with a size of -1, which the
size_t parameter receives as SIZE_MAX. This overflows the destination
buffer, because strncpy(dest, src, n) "writes additional null bytes to
dest to ensure that a total of n bytes are written".

Indeed, at line 1124 s and ss are both equal to end, at line 1125 ss is
decremented, and at line 1127 ss-s is equal to -1:

1124             {
1125             if (ss >= end) ss--;
1126             *t++ = '(';
1127             Ustrncpy(t, s, ss-s);

/usr/sbin/exim4 -bt -F '.('
Program received signal SIGSEGV, Segmentation fault.
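
The length computation described above, as an added illustration that is
not Exim's code: signed_copy_len() reproduces the pointer state for ".("
(s and ss both at end, then ss decremented) and returns the ptrdiff_t
that Ustrncpy() is given; strncpy_size_seen() shows the size_t that
strncpy() actually receives; copy_phrase_checked() is an assumed
replacement that rejects an inverted range and bounds the copy by the
destination capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added model of the vulnerable step (not Exim's code). The phrase must
 * be non-empty so that the decrement stays inside the buffer. */
ptrdiff_t signed_copy_len(const char *phrase)
{
    const char *end = phrase + strlen(phrase);
    const char *s = end;      /* s and ss both equal end (line 1124) */
    const char *ss = end;
    if (ss >= end) ss--;      /* the decrement at line 1125 */
    return ss - s;            /* -1 for ".(", then passed to Ustrncpy() */
}

/* The size_t that strncpy()'s third parameter receives: the -1 above
 * converts to SIZE_MAX, so strncpy() keeps writing past the buffer. */
size_t strncpy_size_seen(const char *phrase)
{
    return (size_t)signed_copy_len(phrase);
}

/* Hardened copy (assumed replacement for Ustrncpy(t, s, ss - s)):
 * refuses an inverted range, checks the destination capacity including
 * the terminating NUL, and never pads beyond what was copied.
 * Returns the number of bytes copied, or -1 on refusal. */
int copy_phrase_checked(char *dest, size_t cap,
                        const char *s, const char *ss)
{
    if (ss < s) return -1;                /* inverted range: copy nothing */
    size_t n = (size_t)(ss - s);
    if (n + 1 > cap) return -1;           /* would not fit with the NUL */
    memcpy(dest, s, n);
    dest[n] = '\0';
    return (int)n;
}
```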

We have not tried to exploit this vulnerability; if exploitable, it
would allow an unprivileged local attacker to obtain full root
privileges.

