Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 622212 (CVE-2017-1000369)

Summary: <mail-mta/exim-4.89-r1: Local privilege escalation via multiple "-p" command line arguments (CVE-2017-1000369)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: critical CC: alexander, grobian, net-mail+disabled, slyfox, sudormrfhalt
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A1 [glsa cve]
Package list:
mail-mta/exim-4.89-r1
 Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-06-19 15:07:42 UTC 
CVE-2017-1000369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000369):
  Exim supports the use of multiple "-p" command line arguments which are
  malloc()'ed and never free()'ed, used in conjunction with other issues
  allows attackers to cause arbitrary code execution. This affects exim
  version 4.89. Please note that at this time upstream has released a patch
  but does not plan a new release to address this issue.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-19 15:10:49 UTC 
Upstream patch: https://github.com/Exim/exim/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-19 16:08:26 UTC 
Fixed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81618852a1f9d12b4aeea8a85b9d0f37f81f05b9


@ Arches,

please test and mark stable: =mail-mta/exim-4.89-r1
Comment 3 Fabian Groffen gentoo-dev 2017-06-19 19:11:27 UTC 
FWIW, as maintainer, ok, 4.89 is good to go stable, runs for a while without issues on my systems.
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-20 05:07:39 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-20 07:04:00 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-21 12:06:55 UTC 
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 12:19:45 UTC 
ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-24 21:08:47 UTC 
ia64 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-26 20:19:47 UTC 
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2017-07-07 09:10:24 UTC 
sparc stable
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 00:28:28 UTC 
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 12 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 01:31:39 UTC 
New GLSA Request filed.

@hppa please finish stabilization, this stabilization request has been opened since two months ago.

Thank you,

Gentoo Security Padawan
ChrisADR
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-09-24 15:50:06 UTC 
This issue was resolved and addressed in
 GLSA 201709-19 at https://security.gentoo.org/glsa/201709-19
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-09-24 15:50:45 UTC 
re-opened for cleanup
Comment 15 Fabian Groffen gentoo-dev 2017-09-25 07:35:50 UTC 
Cleaned up as much as possible, left exim-4.88 in the key with only hppa's stable keyword.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2017-10-01 23:05:04 UTC 
Slyfox: 
Can you please stabilize or drop keywords for hppa for this, as it is preventing cleanup.
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-05 13:16:16 UTC 
hppa stable
Comment 18 Fabian Groffen gentoo-dev 2017-10-05 13:41:01 UTC 
cleaned up 4.88
Comment 19 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 16:08:06 UTC 
Thank you all.

Gentoo Security Padawan
ChrisADR