Summary: mail-mta/exim-4.92: remote command execution in deliver_message() function in /src/deliver.c (CVE-2019-10149)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: alexander, grobian, mgorny
Whiteboard: A2 [glsa+ cve]
Runtime testing required: ---
Description GLSAMaker/CVETool Bot 2019-06-04 12:06:59 UTC
Comment 1 Thomas Deutschmann 2019-06-04 12:09:54 UTC
CVE-2019-10149 Exim 4.87 to 4.91
================================

We received a report of a possible remote exploit. Currently there is no evidence of an active use of this exploit. A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87.

The severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better.

Exim 4.92 is not vulnerable.

Next steps:
* t0: Distros will get access to our non-public security Git repo (access is granted based on the SSH keys that are known to us)
* t0+7d: Coordinated Release Date: Distros should push the patched version to their repos. The Exim maintainers will publish the fixed source to the official and public Git repo.

t0 is expected to be 2019-06-04, 10:00 UTC
t0+7d is expected to be 2019-06-04, 10:00 UTC

Timeline
--------
* 2019-05-27 Report from Qualys to exim-security list
* 2019-05-27 Patch provided by Jeremy Harris
* 2019-05-29 CVE-2019-10149 assigned from Qualys via RedHat
* 2019-06-03 This announcement
Comment 2 Hanno Böck 2019-06-04 13:57:08 UTC
To clarify this: Details of the vulnerability are not public yet (will be in ~1 week), but it seems the latest version 4.92 is unaffected (which seems to be by coincidence, because this version is older than the discovery of the vuln). We already have 4.92 in the tree, so stabilizing that gives us an option to protect users without knowing the details of the vuln. @maintainers: Can we go on with stabilizing?
Comment 3 Fabian Groffen 2019-06-04 13:59:45 UTC
yes, 4.92 runs for a while on my servers, it's ready to go stable IMO.
Comment 4 Thomas Deutschmann 2019-06-04 15:57:42 UTC
As discussed with the maintainer, Gentoo will move to >=mail-mta/exim-4.92. @ Arches, please test and mark stable: =mail-mta/exim-4.92
Comment 5 Thomas Deutschmann 2019-06-04 17:19:48 UTC
Comment 6 Agostino Sarubbo 2019-06-04 18:56:29 UTC
Comment 7 Agostino Sarubbo 2019-06-05 06:51:03 UTC
Comment 8 Agostino Sarubbo 2019-06-05 07:15:24 UTC
Comment 9 Thomas Deutschmann 2019-06-05 17:27:53 UTC
From Qualys Security Advisory:

========================================================================
Summary
========================================================================

During a code review of the latest changes in the Exim mail server (https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability in versions 4.87 to 4.91 (inclusive). In this particular case, RCE means Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved.

This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist.

Exim is vulnerable by default since version 4.87 (released on April 6, 2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled manually.

Surprisingly, this vulnerability was fixed in version 4.92 (released on February 10, 2019):

https://github.com/Exim/exim/commit/7ea1237c783e380d7bdb86c90b13d8203c7ecf26
https://bugs.exim.org/show_bug.cgi?id=2310

but was not identified as a security vulnerability, and most operating systems are therefore affected. For example, we exploit an up-to-date Debian distribution (9.9) in this advisory.
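The two facts an administrator needs from the announcement above are the affected range (4.87 to 4.91 inclusive, fixed in 4.92) and the build-time condition (older builds are only exposed when the event mechanism was compiled in). The following triage helper is an added example, not part of this bug or of Exim itself: it parses the text that `exim -bV` prints on a host and classifies the build against that range. The sample outputs are constructed, and the check for an `Event` token in the `Support for:` line assumes that `exim -bV` advertises compiled-in event support that way.

```python
import re
import subprocess

# Range stated in the Exim announcement and the Qualys summary quoted above:
# 4.87 .. 4.91 inclusive are affected by default; 4.92 carries the fix.
FIRST_AFFECTED = (4, 87)
FIRST_FIXED = (4, 92)

VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)", re.MULTILINE)
SUPPORT_RE = re.compile(r"^Support for:(.*)$", re.MULTILINE)


def parse_exim_bv(output):
    """Return (major, minor) and the 'Support for:' token list from `exim -bV` text."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Exim version X.Y' line found in output")
    version = (int(m.group(1)), int(m.group(2)))
    s = SUPPORT_RE.search(output)
    support = s.group(1).split() if s else []
    return version, support


def classify_cve_2019_10149(output):
    """Classify one host's `exim -bV` output against CVE-2019-10149.

    status values:
      fixed       - 4.92 or newer (the fix landed in 4.92)
      affected    - 4.87 .. 4.91, vulnerable in the default build
      check-build - older than 4.87: exposed only if EXPERIMENTAL_EVENT was
                    enabled manually, so the build options must be inspected
    """
    version, support = parse_exim_bv(output)
    if version >= FIRST_FIXED:
        status = "fixed"
    elif version >= FIRST_AFFECTED:
        status = "affected"
    else:
        status = "check-build"
    # Assumption: a compiled-in event mechanism shows up as "Event" in the
    # "Support for:" line; treat its presence as a hint only.
    event_support = "Event" in support
    return {"version": "%d.%d" % version, "status": status,
            "event_support": event_support}


# Constructed sample outputs in the shape `exim -bV` prints (dates are made up).
SAMPLE_AFFECTED = """Exim version 4.91 #1 built 01-Jan-2019 00:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR
"""

SAMPLE_FIXED = """Exim version 4.92 #3 built 01-Mar-2019 00:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR
"""

SAMPLE_OLD_NO_EVENT = """Exim version 4.86 #2 built 01-Jan-2016 00:00:00
Copyright (c) University of Cambridge, 1995 - 2015
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC OCSP PRDR
"""


def classify_local_host():
    """Run the locally installed exim binary and classify it; None if exim is absent."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True,
                             check=False).stdout
    except FileNotFoundError:
        return None
    return classify_cve_2019_10149(out)


if __name__ == "__main__":
    for name, sample in (("affected", SAMPLE_AFFECTED), ("fixed", SAMPLE_FIXED),
                         ("old", SAMPLE_OLD_NO_EVENT)):
        print(name, classify_cve_2019_10149(sample))
    print("local host:", classify_local_host())
```

Comparing the version as an integer tuple rather than as a string keeps the check correct when a later 4.1xx release is compared against 4.92; the `check-build` status deliberately does not claim a pre-4.87 build is safe, because the advisory ties that case to a compile-time option rather than the version number.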
Comment 10 Thomas Deutschmann 2019-06-05 17:36:53 UTC
New GLSA request filed.
Comment 11 Rolf Eike Beer 2019-06-05 17:56:41 UTC
Comment 12 Agostino Sarubbo 2019-06-06 06:55:36 UTC
Comment 13 GLSAMaker/CVETool Bot 2019-06-06 17:33:01 UTC
This issue was resolved and addressed in GLSA 201906-01 at https://security.gentoo.org/glsa/201906-01 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 14 Thomas Deutschmann 2019-06-06 17:33:34 UTC
Re-opening for remaining arches.
Comment 15 Rolf Eike Beer 2019-06-06 20:39:17 UTC
Comment 16 Agostino Sarubbo 2019-06-08 18:21:27 UTC
Comment 17 Markus Meier 2019-06-13 04:28:36 UTC
arm stable, all arches done.
Comment 18 zain david 2019-07-31 01:30:25 UTC
Comment 19 Aaron Bauman 2019-08-02 00:41:34 UTC
@maintainer(s), please clean.
Comment 20 Larry the Git Cow 2019-08-02 06:44:32 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4104b9c4bd8cbaba4712e6a8d4e6c8d120ba5c0

commit e4104b9c4bd8cbaba4712e6a8d4e6c8d120ba5c0
Author: Fabian Groffen <firstname.lastname@example.org>
AuthorDate: 2019-08-02 06:42:47 +0000
Commit: Fabian Groffen <email@example.com>
CommitDate: 2019-08-02 06:42:47 +0000

mail-mta/exim: cleanup vulnerable CVE-2019-10149

Bug: https://bugs.gentoo.org/687336
Package-Manager: Portage-2.3.66, Repoman-2.3.16
Signed-off-by: Fabian Groffen <firstname.lastname@example.org>

mail-mta/exim/Manifest | 2 -
mail-mta/exim/exim-4.91-r2.ebuild | 561 ---------------------
.../exim/files/exim-4.74-localscan_dlopen.patch | 262 ----------
3 files changed, 825 deletions(-)
Comment 22 Michał Górny 2020-01-22 13:28:11 UTC
Comment 24 Michał Górny 2020-03-28 06:52:00 UTC