Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 322665 (CVE-2010-2023)

Summary: <mail-mta/exim-4.72: DoS/PrivEsc ('hardlink' vulnerability) (CVE-2010-{2023,2024})
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: dhp_gentoo, grobian, net-mail+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/fulldisclosure/2010/Jun/88
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 325645    
Bug Blocks:    

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-03 18:37:15 UTC 
Quoting $URL by Dan Rosenberg:

Two vulnerabilities have been discovered in Exim 4, a popular mail transfer
agent used on Unix-like systems (www.exim.org).

1. When Exim is used with a world-writable mail directory with the sticky-bit
set, local users may create hard links to other non-root users' files at the
expected location of those users' mailboxes, causing their files to be written
to upon mail delivery.  This could be used to create denial-of-service
conditions or potentially escalate privileges to those of targeted users.  This
issue has been assigned CVE-2010-2023.

2. When MBX locking is enabled, local users may exploit a race condition to
change permissions of other non-root users' files, leading to denial-of-service
conditions or potentially privilege escalation, or to create new files owned by
other users in unauthorized locations.  This issue has been assigned
CVE-2010-2024.

==Solution==

Exim has released a new version, 4.72, available for download at
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz.  Vulnerable users are
advised to download and recompile from source, or request updated packages from
downstream distributions.
Comment 1 Fabian Groffen gentoo-dev 2010-06-03 19:05:02 UTC 
I'll try to put exim-4.72 in the tree today or tomorrow.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-03 19:32:03 UTC 
Updated package is in the tree. Grobian will be testing it for a few days and report back.
Comment 3 Fabian Groffen gentoo-dev 2010-06-05 05:50:19 UTC 
It runs smoothly for me here.  I haven't seen any irregularities, feels good to me.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-08 19:02:11 UTC 
Arches, please test and mark stable:
=mail-mta/exim-4.72
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 5 Andreas Schürch gentoo-dev 2010-06-09 12:56:33 UTC 
Tested on x86, looks good over here.
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-09 13:13:43 UTC 
x86 stable, thanks Andreas!
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-06-10 01:47:15 UTC 
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-06-13 14:19:49 UTC 
alpha/ia64/sparc stable
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 22:31:11 UTC 
CVE-2010-2023 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2023):
  transports/appendfile.c in Exim before 4.72, when a world-writable
  sticky-bit mail directory is used, does not verify the st_nlink field
  of mailbox files, which allows local users to cause a denial of
  service or possibly gain privileges by creating a hard link to
  another user's file.

CVE-2010-2024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2024):
  transports/appendfile.c in Exim before 4.72, when MBX locking is
  enabled, allows local users to change permissions of arbitrary files
  or create arbitrary files, and cause a denial of service or possibly
  gain privileges, via a symlink attack on a lockfile in /tmp/.
Comment 10 Fabian Groffen gentoo-dev 2010-06-21 06:38:50 UTC 
@amd64: please stabilise exim-4.72.  I'm running amd64 (without issues), so you should be good to go.
Comment 11 Markus Meier gentoo-dev 2010-06-21 20:35:04 UTC 
amd64 stable
Comment 12 DEMAINE Benoît-Pierre, aka DoubleHP 2010-06-26 01:00:29 UTC 
Markus: see bug 325645 : it does not build on AMD64 for me.
Comment 13 Brent Baude (RETIRED) gentoo-dev 2010-07-08 20:23:02 UTC 
ppc64 done
Comment 14 Joe Jezak (RETIRED) gentoo-dev 2010-07-18 20:49:35 UTC 
Marked ppc stable.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:31:07 UTC 
glsa request filed.
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2010-12-11 16:55:56 UTC 
The remote code exec bug is fixed in >=4.70 (http://bugs.exim.org/show_bug.cgi?id=787) but was initially not regarded as a security problem according to heise.

@net-mail: please punt <4.70.
Comment 17 Fabian Groffen gentoo-dev 2010-12-11 22:10:25 UTC 
versions <4.70 dropped
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 12:37:02 UTC 
This issue was resolved and addressed in
 GLSA 201401-32 at http://security.gentoo.org/glsa/glsa-201401-32.xml
by GLSA coordinator Mikle Kolyada (Zlogene).