Quoting $URL by Dan Rosenberg:
Two vulnerabilities have been discovered in Exim 4, a popular mail transfer agent used on Unix-like systems (www.exim.org).
1. When Exim is used with a world-writable mail directory with the sticky-bit set, local users may create hard links to other non-root users' files at the expected location of those users' mailboxes, causing their files to be written to upon mail delivery. This could be used to create denial-of-service conditions or potentially escalate privileges to those of targeted users. This issue has been assigned CVE-2010-2023.
2. When MBX locking is enabled, local users may exploit a race condition to change permissions of other non-root users' files, leading to denial-of-service conditions or potentially privilege escalation, or to create new files owned by other users in unauthorized locations. This issue has been assigned CVE-2010-2024.
==Solution==
Exim has released a new version, 4.72, available for download at ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz. Vulnerable users are advised to download and recompile from source, or request updated packages from downstream distributions.
I'll try to put exim-4.72 in the tree today or tomorrow.
Updated package is in the tree. Grobian will be testing it for a few days and report back.
It runs smoothly for me here. I haven't seen any irregularities, feels good to me.
Arches, please test and mark stable: =mail-mta/exim-4.72 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Tested on x86, looks good over here.
x86 stable, thanks Andreas!
Stable for HPPA.
alpha/ia64/sparc stable
CVE-2010-2023 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2023): transports/appendfile.c in Exim before 4.72, when a world-writable sticky-bit mail directory is used, does not verify the st_nlink field of mailbox files, which allows local users to cause a denial of service or possibly gain privileges by creating a hard link to another user's file.
CVE-2010-2024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2024): transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.
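The st_nlink verification named in the CVE-2010-2023 description above, sketched as an added example that is not part of this bug thread and is not Exim's code. The names open_mailbox_checked and demo_nlink_check and the temporary paths are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Exim's code): open a mailbox for append only if
   it is a regular file, owned by the recipient, with exactly one name. */
int open_mailbox_checked(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink as the final path component. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) return -1;
    /* fstat() the descriptor so the checks apply to the object actually
       opened, not to whatever the name refers to a moment later. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        st.st_uid == owner && st.st_nlink == 1)
        return fd;
    close(fd);
    errno = EPERM;   /* wrong type, wrong owner, or extra hard links */
    return -1;
}

/* Constructed self-check in a private temp directory. Returns 1 when a
   lone mailbox is accepted and the same file with a second link is refused. */
int demo_nlink_check(void)
{
    char dir[] = "/tmp/mboxdemoXXXXXX", mbox[64], alias[64];
    int fd, ok;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(mbox, sizeof mbox, "%s/mbox", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    fd = open(mbox, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    fd = open_mailbox_checked(mbox, geteuid());  /* st_nlink == 1 */
    ok = (fd >= 0);
    if (fd >= 0) close(fd);
    if (link(mbox, alias) != 0) ok = 0;          /* now st_nlink == 2 */
    fd = open_mailbox_checked(mbox, geteuid());
    ok = ok && fd < 0 && errno == EPERM;
    if (fd >= 0) close(fd);
    unlink(alias); unlink(mbox); rmdir(dir);
    return ok;
}
int main(void) { return demo_nlink_check() == 1 ? 0 : 1; }
```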
@amd64: please stabilise exim-4.72. I'm running amd64 (without issues), so you should be good to go.
amd64 stable
Markus: see bug 325645 : it does not build on AMD64 for me.
ppc64 done
Marked ppc stable.
glsa request filed.
The remote code exec bug is fixed in >=4.70 (http://bugs.exim.org/show_bug.cgi?id=787) but was initially not regarded as a security problem according to heise. @net-mail: please punt <4.70.
versions <4.70 dropped
This issue was resolved and addressed in GLSA 201401-32 at http://security.gentoo.org/glsa/glsa-201401-32.xml by GLSA coordinator Mikle Kolyada (Zlogene).