
Bug 576582 (CVE-2016-1531)

Summary: <mail-mta/exim-4.87: Local privilege escalation for set-uid root exim when using perl_startup (CVE-2016-1531)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: alexander, bertrand, grobian, net-mail+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1314293
Whiteboard: B1 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 563478, 585212    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-03-06 11:37:35 UTC
From ${URL} :

Privilege escalation vulnerability was found in all installations having Exim set-uid root and using 
'perl_startup'. Any user who can start an instance of Exim can gain root privileges.

https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Fabian Groffen gentoo-dev 2016-03-06 19:37:13 UTC
I'm testing it now.  I was busy on bug #563478 to get keywords due to a new dep.

Anyway, I think when USE=-perl, it should be safe (as per linked ML-message), even though Exim will warn about *_environment vars not being set.

To speed up #563478, we could mask the new dep/use-flag on missing archs.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-03-12 13:31:26 UTC
Added to existing GLSA request.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2016-04-02 19:33:11 UTC
(In reply to Fabian Groffen from comment #1)
> I'm testing it now.  I was busy on bug #563478 to get keywords due to a new
> dep.
> 
> Anyway, I think when USE=-perl, it should be safe (as per linked
> ML-message), even though Exim will warn about *_environment vars not being
> set.
> 
> To speed up #563478, we could mask the new dep/use-flag on missing archs.

Fabian,
Any News on this? This is a B1
Comment 4 Fabian Groffen gentoo-dev 2016-04-03 07:22:38 UTC
(In reply to Yury German from comment #3)
> (In reply to Fabian Groffen from comment #1)
> > I'm testing it now.  I was busy on bug #563478 to get keywords due to a new
> > dep.

testing 4.86.2 went fine, I think it's good to go from that perspective

> > To speed up #563478, we could mask the new dep/use-flag on missing archs.

I think this is the responsibility of the arch teams, but I could apply the mask if need be.

> Fabian,
> Any News on this? This is a B1

I'm sorry, but I'm not familiar with the terminology here.  If you need something from me, please let me know!
Comment 5 Matthias Baur 2016-04-28 11:41:07 UTC
Any update on this?
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2016-06-05 21:34:26 UTC
Just pinged the arches for Keywording in Bug 563478
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2016-06-06 18:15:52 UTC
(In reply to Yury German from comment #6)
> Just pinged the arches for Keywording in Bug 563478

Fabian or the net-mail team.
There are two minor arches left. Can you please call for stabilization knowing that it will take some time for those arches (Hopefully not). I would call for stabilization but I am not sure what we are doing with arm arch.

With this being a B1 we should probably get a stable package for the major arches ASAP.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2016-06-06 18:40:31 UTC
Being Stabilized in Bug # 585212
=mail-mta/exim-4.87
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 11:20:13 UTC
This issue was resolved and addressed in
 GLSA 201607-12 at https://security.gentoo.org/glsa/201607-12
by GLSA coordinator Aaron Bauman (b-man).