| Summary: | mail-mta/exim <4.69 Multiple issues in embedded PCRE (CVE-2007-16{59,60,61,62}, CVE-2007-47{66,67,68}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | net-mail+disabled, peitolm |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/27543/ | | |
| Whiteboard: | C2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Robert Buchholz (RETIRED)
2007-11-07 17:18:42 UTC
I don't like the idea of deviating away from the upstream practice of bundling their own PCRE. also due to how exim uses PCRE, it would require an admin to explicitly code a faulty regex in the main config to affect the whole system, otherwise it's limited to running as a user when called in a user's filter. feel free to correct me if you find out anything further, but for now, I'm going to get 4.68 stable and try and track upstream a little more tightly. Cheers, Colin

Sounds reasonable, but please notify upstream about the issues, maybe they'll release a maintenance update.

Upstream is where I got the impact information from :)

Any news here? Even with just user privs, this could result in a user assisted attack, so it should be fixed...

Well, I could attempt to back port from current CVS, but I'm not sure I'm going to have the time before upstream release a new version, (the last I heard the new maintainer was having some issues with the test harness). I've just gotten back from a work trip (and a 4.5hr drive), so I'll have another think on this tomorrow evening and see how do-able releasing a -r1 with the cvs tree commit would be. the exploit would only be user -> user, ie if user A wrote a bad expression, user B could only get to user A.

Exim-4.69 has been announced and will be in the tree this weekend.

(In reply to comment #6)
> Exim-4.69 has been announced and will be in the tree this weekend.
>

oops, sorry for the lag :/ net-mail, next time could you please post on the bug once the ebuild is committed? we have too many bugs to handle to remember this kind of thing... Anyway, arches, please test and mark stable mail-mta/exim-4.69. Target "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

ppc64 stable

ppc stable, re-adding ppc64 - your keyword's still missing

ppc64 done; double checked. good find.

bleh, forgot to uncc ppc@

x86 stable

alpha/ia64/sparc stable

Stable for HPPA.

amd64 stable

Fixed in release snapshot.

Ah sorry, I should have announced the actual commit, my bad.

Request filed.

Further assessment of this bug has led us to believe there is no exploitability vector. There are no trust boundaries crossed when a user has code executed with his privileges by installing a mail filter. A user can and has to review such a file before installing it, so an attacker tricking someone into it is not a vulnerability.