root upgrade vulnerability in exim4 (CVE-2010-4345)

Debian Bug report logs - #606527
root upgrade vulnerability in exim4 (CVE-2010-4345)

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Konrad Rosenbaum <konrad@silmor.de>

To: submit@bugs.debian.org

Subject: root upgrade vulnerability in exim4

Date: Thu, 9 Dec 2010 23:23:19 +0100

[Message part 1 (text/plain, inline)]

Package: exim4
Version: 4.69-9

The /usr/sbin/exim4 executable can be abused to upgrade from Debian-exim to 
root in case of another vulnerability in exim that creates a shell (there 
currently seems to be one).

The exim config allows constructs like ${run{...}} that execute shell 
commands, then calling "exim -C<myconfig.conf>" executes those commands, if 
they are in specific lines they are executed as root.

Please recompile Debians exim with ALT_CONFIG_PREFIX=/etc/exim4/ and 
DISABLE_D_OPTION to prevent (even privileged) users from exploiting this to 
upgrade to root.

A discussion of the problem can be seen here:
http://lists.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html


	Konrad

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 606527@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>

To: Konrad Rosenbaum <konrad@silmor.de>, 606527@bugs.debian.org, 606527-submitter@bugs.debian.org

Cc: Marc Haber <mh+debian-packages@zugschlus.de>

Subject: Re: Bug#606527: root upgrade vulnerability in exim4

Date: Fri, 10 Dec 2010 11:27:19 +0100

severity #606527 grave
tags #606527 confirmed security lenny squeeze
thanks

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Message #26 received at 606527@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 606612@bugs.debian.org, 606527@bugs.debian.org

Subject: Re: Bug#606612: Acknowledgement (exim4: Exploitable memory corruption vulnerability)

Date: Fri, 10 Dec 2010 11:19:24 +0000

Julien, I just wanted to point out that there are two separate issues
here, and only one of them has been fixed in newer versions. #606527
relating to the root upgrade is AFAIK still an issue.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Message #37 received at 606527@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>

To: Dominic Hargreaves <dom@earth.li>, 606527@bugs.debian.org

Cc: 606612@bugs.debian.org

Subject: Re: Bug#606527: Bug#606612: Acknowledgement (exim4: Exploitable memory corruption vulnerability)

Date: Fri, 10 Dec 2010 12:28:28 +0100

[Message part 1 (text/plain, inline)]

On Fri, Dec 10, 2010 at 11:19:24 +0000, Dominic Hargreaves wrote:

> Julien, I just wanted to point out that there are two separate issues
> here, and only one of them has been fixed in newer versions. #606527
> relating to the root upgrade is AFAIK still an issue.
> 
Yeah sorry about that.  I think I've undone the wrong merge now.

Cheers,
Julien

[signature.asc (application/pgp-signature, inline)]

Message #42 received at 606527@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: Konrad Rosenbaum <konrad@silmor.de>

Cc: 606527@bugs.debian.org

Subject: Re: root upgrade vulnerability in exim4

Date: Fri, 10 Dec 2010 13:52:29 +0000

On Thu, Dec 09, 2010 at 11:23:19PM +0100, Konrad Rosenbaum wrote:
> The /usr/sbin/exim4 executable can be abused to upgrade from Debian-exim to 
> root in case of another vulnerability in exim that creates a shell (there 
> currently seems to be one).
> 
> The exim config allows constructs like ${run{...}} that execute shell 
> commands, then calling "exim -C<myconfig.conf>" executes those commands, if 
> they are in specific lines they are executed as root.
> 
> Please recompile Debians exim with ALT_CONFIG_PREFIX=/etc/exim4/ and 
> DISABLE_D_OPTION to prevent (even privileged) users from exploiting this to 
> upgrade to root.
> 
> A discussion of the problem can be seen here:
> http://lists.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html

And in particular there is a candidate patch at

<http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html#exim-dev>

(although sadly I can't see how to get it to render in a fixed-width
font).

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Message #47 received at 606527@bugs.debian.org (full text, mbox, reply):

From: "Robert de Bath" <rdebath@tvisiontech.co.uk>

To: <606527@bugs.debian.org>

Subject: Use the source

Date: Fri, 10 Dec 2010 16:47:31 -0000

[Message part 1 (text/plain, inline)]

> And in particular there is a candidate patch at
> 
>
<http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html#e
xim-dev>
> 
> (although sadly I can't see how to get it to render in a fixed-width
font).
 

 

Check the source to that page; remove a few <br> tags and replace some
&amp; entities and it looks good.

 

 

 

Robert de Bath

 

 

[Message part 2 (text/html, inline)]

Message #52 received at 606527@bugs.debian.org (full text, mbox, reply):

From: David Woodhouse <dwmw2@infradead.org>

To: 606527@bugs.debian.org

Subject: root upgrade vulnerability in exim4

Date: Fri, 10 Dec 2010 17:13:42 +0000

> (although sadly I can't see how to get it to render in a fixed-width
> font).

http://bugs.exim.org/show_bug.cgi?id=1044

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@intel.com                              Intel Corporation

Message #61 received at 606527@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>

To: 606527@bugs.debian.org

Subject: status for squeeze

Date: Thu, 23 Dec 2010 19:11:29 +0100

[Message part 1 (text/plain, inline)]

user release.debian.org@packages.debian.org
usertag 606527 squeeze-can-defer
tag 606527 squeeze-ignore
kthxbye

This will most likely get fixed via security.d.o if it's not ready by
squeeze release, so tagging as can-defer.

Cheers,
Julien

[signature.asc (application/pgp-signature, inline)]

Message #68 received at 606527-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@debian.org>

To: 606527-close@bugs.debian.org

Subject: Bug#606527: fixed in exim4 4.72-3

Date: Sun, 26 Dec 2010 14:32:25 +0000

Source: exim4
Source-Version: 4.72-3

We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive:

exim4-base_4.72-3_i386.deb
  to main/e/exim4/exim4-base_4.72-3_i386.deb
exim4-config_4.72-3_all.deb
  to main/e/exim4/exim4-config_4.72-3_all.deb
exim4-daemon-heavy-dbg_4.72-3_i386.deb
  to main/e/exim4/exim4-daemon-heavy-dbg_4.72-3_i386.deb
exim4-daemon-heavy_4.72-3_i386.deb
  to main/e/exim4/exim4-daemon-heavy_4.72-3_i386.deb
exim4-daemon-light-dbg_4.72-3_i386.deb
  to main/e/exim4/exim4-daemon-light-dbg_4.72-3_i386.deb
exim4-daemon-light_4.72-3_i386.deb
  to main/e/exim4/exim4-daemon-light_4.72-3_i386.deb
exim4-dbg_4.72-3_i386.deb
  to main/e/exim4/exim4-dbg_4.72-3_i386.deb
exim4-dev_4.72-3_i386.deb
  to main/e/exim4/exim4-dev_4.72-3_i386.deb
exim4_4.72-3.debian.tar.gz
  to main/e/exim4/exim4_4.72-3.debian.tar.gz
exim4_4.72-3.dsc
  to main/e/exim4/exim4_4.72-3.dsc
exim4_4.72-3_all.deb
  to main/e/exim4/exim4_4.72-3_all.deb
eximon4_4.72-3_i386.deb
  to main/e/exim4/eximon4_4.72-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 606527@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated exim4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Sun, 26 Dec 2010 15:13:08 +0100
Source: exim4
Binary: exim4-base exim4-config exim4-daemon-light exim4 exim4-daemon-heavy exim4-daemon-custom eximon4 exim4-dbg exim4-daemon-light-dbg exim4-daemon-heavy-dbg exim4-daemon-custom-dbg exim4-dev
Architecture: source i386 all
Version: 4.72-3
Distribution: unstable
Urgency: low
Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description: 
 exim4      - metapackage to ease Exim MTA (v4) installation
 exim4-base - support files for all Exim MTA (v4) packages
 exim4-config - configuration for the Exim MTA (v4)
 exim4-daemon-custom - custom Exim MTA (v4) daemon with locally set features
 exim4-daemon-custom-dbg - debugging symbols for the Exim MTA (v4) packages
 exim4-daemon-heavy - Exim MTA (v4) daemon with extended features, including exiscan-ac
 exim4-daemon-heavy-dbg - debugging symbols for the Exim MTA (v4) packages
 exim4-daemon-light - lightweight Exim MTA (v4) daemon
 exim4-daemon-light-dbg - debugging symbols for the Exim MTA (v4) packages
 exim4-dbg  - debugging symbols for the Exim MTA (v4) packages
 exim4-dev  - header files for the Exim MTA (v4) packages
 eximon4    - monitor application for the Exim MTA (v4) (X11 interface)
Closes: 602188 606527
Changes: 
 exim4 (4.72-3) unstable; urgency=low
 .
   * [README.Debian*] Correct command for manual paniclog rotation. (Thanks,
     Jörg Sommer) Closes: #602188
   * 67_unnecessaryCopt.diff: Do not use exim's -C option in utility scripts.
     This would not work with ALT_CONFIG_PREFIX.
   * Pull changes related to fixing CVE-2010-4345 from exim 4.73 rc1.
     Closes: #606527
     + 1_cfile_norw_eximuid: Don't allow a configure file which is writeable by
       the Exim user or group.
     + 2_permcheck_configurefile: Check configure file permissions even for
       non-default files if still privileged.
     + 3_remove_ALT_CONFIG_ROOT_ONLY: Remove ALT_CONFIG_ROOT_ONLY build option,
       effectively making it always true.
     + 4_FD_CLOEXEC: Set FD_CLOEXEC on SMTP sockets after forking in the
       daemon, to ensure  that rogue child processes cannot use them.
     + 5_TRUSTED_CONFIG_LIST: Add TRUSTED_CONFIG_LIST compile option.
     + 6_nonroot_system_filter_user: If the system filter needs to be run as
       root, let that be explicitly configured.  The default is now the Exim
       run-time user.
     + 7_filter_D_option: Add a (compiletime) whitelist of acceptable values
       for the -D option.
     + 8_updatedocumentation: Update documentation to reflect the changes.
   * Build with WHITELIST_D_MACROS=OUTGOING. Post patch 7_filter_D_option exim
     will not regain root privileges (usually necessary for local delivery) if
     the -D option was used. Macro identifiers listed in WHITELIST_D_MACROS are
     exempted from this restriction. mailscanner (4.79.11-2.2) uses -DOUTGOING.
   * Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. Post patch
     3_remove_ALT_CONFIG_ROOT_ONLY exim will not re-gain root privileges
     (usually necessary for local delivery) if the -C option was used. This
     makes it impossible to start a fully functional damon with an alternate
     configuration file. /etc/exim4/trusted_configs (can) contain a list of
     filenames (one per line, full path given) to which this restriction does
     not apply.
Checksums-Sha1: 
 5adc07d662b796afe1d2bdcc4a55704e072f95fc 1599 exim4_4.72-3.dsc
 f1768d16833e12623bc2d05ce88cf9ba10a91026 589819 exim4_4.72-3.debian.tar.gz
 5064035f0dcb5b6ddfa89912cce1098ea58023c3 1008536 exim4-base_4.72-3_i386.deb
 800008759aa27e3c7b59ef3a9e1d67271e74a2a6 187966 eximon4_4.72-3_i386.deb
 53896f96d9eca612299d8dba126827c15f44659f 548542 exim4-daemon-light_4.72-3_i386.deb
 ba3a14634ad81c089b40623ed0557afee4bd32af 597826 exim4-daemon-heavy_4.72-3_i386.deb
 3cdf684b7a97a13f5177ae0d8027661b6fcf90ac 809024 exim4-daemon-light-dbg_4.72-3_i386.deb
 d16efde7ddfefe00c2ce6e57541ef55d5bf29f27 896308 exim4-daemon-heavy-dbg_4.72-3_i386.deb
 c1fa1af8b09f111a2a66cb220d4332d2e8caca4b 354576 exim4-dbg_4.72-3_i386.deb
 7a33e6ae462329f52e1c92bbf44a1cad44107eb4 160182 exim4-dev_4.72-3_i386.deb
 e01f95b1ba9256da5d26505d6f6dcef6e499293e 463674 exim4-config_4.72-3_all.deb
 f449e882162f6ebab9267baaead22bb605a59107 7790 exim4_4.72-3_all.deb
Checksums-Sha256: 
 263e9b14a67e543d9a3323222e7f9fc3feb527b31f9bd2d13a0b39dccfd386f0 1599 exim4_4.72-3.dsc
 347f5614eabc68f193442f6c08f20e5fc54f140e3efeac19e450aea6b39705ce 589819 exim4_4.72-3.debian.tar.gz
 8ade151dacf3c085c1af0e9964b2a230f5d40204ed236362cb20ff040569be4e 1008536 exim4-base_4.72-3_i386.deb
 395e453a0ae5bf727a2694e086429d491325cf87c9fb50802331ec191cb12ebf 187966 eximon4_4.72-3_i386.deb
 93f0a4ccfa196e518bfdb299fa628cf0fa606fba5ccc90671777746ec058d76a 548542 exim4-daemon-light_4.72-3_i386.deb
 19c5b2141661113e0c2848d45f0b88ce1eab23cdc85aa591184542fe90f505eb 597826 exim4-daemon-heavy_4.72-3_i386.deb
 5a242d4400e90be0d496b08e5784e726405a0ad124426f948fb6f31b8a940c2f 809024 exim4-daemon-light-dbg_4.72-3_i386.deb
 5b8bda30c8ef621926a0709d86ed1542715fd3800efd8f682fb9fe1d130b520d 896308 exim4-daemon-heavy-dbg_4.72-3_i386.deb
 79a9951a0ee092adbdde55caa2ea5acd21789dff7ffbc4253412e6eaed2b933e 354576 exim4-dbg_4.72-3_i386.deb
 d7511da8e0d3a9e7c733acdf782b6969b9c81ffa298928f34c8f3a55e82c7501 160182 exim4-dev_4.72-3_i386.deb
 91de7ebc3779bfebdba0279ab1a351a66101372c856b30bd03e8335814c98b1d 463674 exim4-config_4.72-3_all.deb
 b460b56bd5e0eb69abbddb7272e77619a028ce4224b3f93fac10f7fa47d0746e 7790 exim4_4.72-3_all.deb
Files: 
 7f445c97856d075524c35da09e2e2607 1599 mail standard exim4_4.72-3.dsc
 c3ff1a8f6473d019895b7515a30d59d9 589819 mail standard exim4_4.72-3.debian.tar.gz
 f26c3097bfad7b2bc5bf01f7f2c58374 1008536 mail standard exim4-base_4.72-3_i386.deb
 072f9f3df6f018ef51c0d9820324e2e3 187966 mail optional eximon4_4.72-3_i386.deb
 6ee41e897f472d8f446e4f7c18df895f 548542 mail standard exim4-daemon-light_4.72-3_i386.deb
 e6327fa723325d2fa06a751a9613b086 597826 mail optional exim4-daemon-heavy_4.72-3_i386.deb
 471a0b055c3ecb64eb6209dea236ce8d 809024 debug extra exim4-daemon-light-dbg_4.72-3_i386.deb
 120555378f5aa9d1d4910b2d5bacd5ea 896308 debug extra exim4-daemon-heavy-dbg_4.72-3_i386.deb
 a607a85556956f49385a2aac2151bc88 354576 debug extra exim4-dbg_4.72-3_i386.deb
 0bd77898a529ddd85fb908b10049f149 160182 mail extra exim4-dev_4.72-3_i386.deb
 d025a0797b0c83b3882c5b39c621f303 463674 mail standard exim4-config_4.72-3_all.deb
 3c751f08fe2f8026316997296505a32d 7790 mail standard exim4_4.72-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREDAAYFAk0XT4YACgkQHTOcZYuNdmNyqQCgooiK7YLV4Dk/Fiu5BIT/F3qE
k48AoK0/btuvP+I+C7D8nItBZ3L/Jz79
=T8dX
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.