| Summary: | mail-mta/exim-4.89-r5: Multiple vulnerabilities including possible RCE | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Fabian Groffen <grobian> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | bertrand, grobian, himbeere |
| Priority: | High | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html | | |
| See Also: | https://bugs.exim.org/show_bug.cgi?id=21990 https://bugs.exim.org/show_bug.cgi?id=2201 | | |
| Whiteboard: | A1 [glsa+ cve] | | |
| Package list: | =mail-mta/exim-4.89-r5 | | |
| Runtime testing required: | --- | | |
Description

Fabian Groffen, 2017-11-25 09:17:50 UTC
Thanks, Phil also mentioned this on oss-sec http://www.openwall.com/lists/oss-security/2017/11/25/2:

Date: Fri, 24 Nov 2017 22:59:12 -0500
From: Phil Pennock <oss-security-phil@...dhuis.org>
To: oss-security@...ts.openwall.com
Subject: RCE in Exim reported

In Post-Thanksgiving mail-catchup, I see that the Exim Project was gifted with a couple of surprises in our public bugtracker on Thursday morning. Complete with proof-of-concept small Python script.

I've requested CVEs, don't have them yet.

My mail to our announce list: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html

Remote code execution in the first vulnerability, getting execution as the Exim run-time user.

A complete mitigation is to disable advertising the CHUNKING extension, in which case an attempt to use the BDAT verb should result in:

    503 BDAT command used when CHUNKING not advertised

The instructions I wrote in the mail to our announce-list were:

} With immediate effect, please apply this workaround: if you are running
} Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
} section of your Exim configuration, set:
}
} chunking_advertise_hosts =
}
} That's an empty value, nothing on the right of the equals. This
} disables advertising the ESMTP CHUNKING extension, making the BDAT verb
} unavailable and avoids letting an attacker apply the logic.

Chunking support was introduced with Exim 4.88; the current release is 4.89, 4.90 is in RC series now. It looks like a 2-line fix (written by Jeremy Harris) is probably right for the first issue.

Public bugtracker links:
https://bugs.exim.org/show_bug.cgi?id=2199
https://bugs.exim.org/show_bug.cgi?id=2201

-Phil

The latest report says that their PoC patch seems to mitigate the issue; that said, I'll wait a bit for that to see if it can be used straight away.
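Added example (not part of the bug report and not code from the Exim project or the Gentoo maintainers): a small Python check for the workaround Phil describes above. It parses an EHLO reply to see whether CHUNKING is still advertised, checks an Exim main-section fragment for an empty `chunking_advertise_hosts`, and can run the same EHLO check against a server you administer. The host names, the sample EHLO replies and the configuration fragments are constructed; `live_chunking_check` and the other function names are this example's own.

```python
"""Verify the CHUNKING workaround for CVE-2017-16943 (added example).

Two checks an administrator wants after applying the workaround:
  1. the main-section option chunking_advertise_hosts is set to an
     empty value in the configuration, and
  2. a live EHLO exchange no longer lists CHUNKING, so the BDAT verb
     is rejected with the 503 reply quoted in the bug.
"""
import re
import smtplib
from typing import Dict, Optional

# Constructed EHLO replies (not captured from a real server) showing the
# extension list before and after the workaround is applied.
EHLO_BEFORE = (
    "250-mail.example.test Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_AFTER = (
    "250-mail.example.test Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Constructed Exim main-section fragments, before and after the change.
CONFIG_BEFORE = "primary_hostname = mail.example.test\nchunking_advertise_hosts = *\n"
CONFIG_AFTER = (
    "primary_hostname = mail.example.test\n"
    "# CVE-2017-16943 workaround: stop advertising CHUNKING\n"
    "chunking_advertise_hosts =\n"
)


def parse_ehlo_extensions(reply: str) -> Dict[str, str]:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: parameters}.

    RFC 5321 uses '250-' on continuation lines and '250 ' on the final
    line; the first line is the server greeting, not an extension.
    """
    lines = reply.splitlines()
    extensions: Dict[str, str] = {}
    for index, line in enumerate(lines):
        match = re.match(r"^250([ -])(.*)$", line)
        if match is None:
            raise ValueError(f"not a 250 reply line: {line!r}")
        separator, text = match.groups()
        is_last = index == len(lines) - 1
        if (separator == " ") != is_last:
            raise ValueError("reply terminator in the wrong place")
        if index == 0:
            continue  # greeting line: hostname plus free text
        keyword, _, params = text.strip().partition(" ")
        if keyword:
            extensions[keyword.upper()] = params
    return extensions


def chunking_advertised(reply: str) -> bool:
    """True when the EHLO reply lists CHUNKING, i.e. BDAT is reachable."""
    return "CHUNKING" in parse_ehlo_extensions(reply)


def chunking_advertise_hosts_value(config_text: str) -> Optional[str]:
    """Return the value of chunking_advertise_hosts, or None if unset.

    Only plain 'option = value' lines are handled; comments and blank
    lines are skipped.  None means the built-in default applies, which
    is not the workaround.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition("=")
        if sep and name.strip() == "chunking_advertise_hosts":
            return rest.strip()
    return None


def workaround_applied(config_text: str) -> bool:
    """True only when the option is present with an empty value."""
    return chunking_advertise_hosts_value(config_text) == ""


def live_chunking_check(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """EHLO a server you administer; True if CHUNKING is still advertised.

    smtplib lower-cases feature keywords in esmtp_features.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo("checker.example.test")  # constructed client name
        if code != 250:
            raise RuntimeError(f"EHLO rejected with code {code}")
        return "chunking" in smtp.esmtp_features


if __name__ == "__main__":
    for label, reply in (("before", EHLO_BEFORE), ("after", EHLO_AFTER)):
        print(f"{label}: CHUNKING advertised = {chunking_advertised(reply)}")
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"{label}: workaround applied = {workaround_applied(cfg)}")
```

The configuration check deliberately reports an absent option as not mitigated: leaving `chunking_advertise_hosts` out of the file means Exim's default applies, which is not what the advisory asks for. Once EHLO no longer lists CHUNKING, a client that still sends BDAT gets the 503 reply quoted above, which is the observable sign that the workaround is in effect.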
bugs.exim.org/2199 : Use-after-free remote-code-execution CVE-2017-16943
bugs.exim.org/2201 : stack-exhaustion remote DoS CVE-2017-16944

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b23d30e4db6a6e345bca3fb0a47321598aab306

commit 1b23d30e4db6a6e345bca3fb0a47321598aab306
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2017-11-26 13:40:28 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2017-11-26 13:40:28 +0000

mail-mta/exim: add patch for CVE-2017-16943, bug #638772

Bug: https://bugs.gentoo.org/638772
Package-Manager: Portage-2.3.13, Repoman-2.3.3

mail-mta/exim/Manifest | 6 +-
mail-mta/exim/exim-4.89-r4.ebuild | 531 +++++++++++++++++++++
mail-mta/exim/files/exim-4.89-CVE-2017-16943.patch | 40 ++
3 files changed, 574 insertions(+), 3 deletions(-)

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7434ec7eeb4b4be5cd53cebba9576f940b076e9

commit e7434ec7eeb4b4be5cd53cebba9576f940b076e9
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2017-11-29 08:50:07 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2017-11-29 08:50:07 +0000

mail-mta/exim: add patch for CVE-2017-16944, bug #638772

Original patch is slightly adjusted to the 4.98 codebase in order to apply.

Bug: https://bugs.gentoo.org/638772
Package-Manager: Portage-2.3.13, Repoman-2.3.3

.../{exim-4.89-r4.ebuild => exim-4.89-r5.ebuild} | 1 +
mail-mta/exim/files/exim-4.89-CVE-2017-16944.patch | 57 ++++++++++++++++++++++
2 files changed, 58 insertions(+)

@ Arches, please test and mark stable: =mail-mta/exim-4.89-r5

x86 stable

FYI: 4.89.1, which is now in the tree, includes:
- CVE-2017-1000369
- CVE-2017-10140 (BDB)
- CVE-2017-16943
- CVE-2017-16944
All but the BDB fix are in 4.89-r5.

Stable on alpha.

hppa/ia64/ppc/ppc64 stable

amd64 stable

commit 2c7dd6a3fcdbbeb168172f6a9cedd1ce59d9c217 (HEAD -> master, origin/master, origin/HEAD)
Author: Rolf Eike Beer <eike@sf-mail.de>
Date: Tue Feb 6 22:27:46 2018 +0100

mail-mta/exim: stable 4.89-r5 for sparc, bug #638772

@maintainer(s), please clean the vulnerable versions from the tree.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bc317cd39ecf7b89bb4cf9de05000e52f59110e

commit 1bc317cd39ecf7b89bb4cf9de05000e52f59110e
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2018-02-07 07:41:09 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2018-02-07 07:41:09 +0000

mail-mta/exim: drop vulnerable version, bug #638772

Bug: https://bugs.gentoo.org/638772
Package-Manager: Portage-2.3.19, Repoman-2.3.6

mail-mta/exim/exim-4.89-r1.ebuild | 529 --------------------------------------
1 file changed, 529 deletions(-)

GLSA request filed.

This issue was resolved and addressed in GLSA 201803-01 at https://security.gentoo.org/glsa/201803-01 by GLSA coordinator Thomas Deutschmann (whissi).