
Bug 693494 (CVE-2019-15846)

Summary: <mail-mta/exim-4.92.2: privilege escalation (CVE-2019-15846)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: major
CC: bertrand, grobian, himbeere, jaco, marat, scott
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Flags: stable-bot: sanity-check+
Hardware: All
OS: Linux
URL: https://www.openwall.com/lists/oss-security/2019/09/04/1
Whiteboard: A2 [stable glsa+ cve]
Package list:
mail-mta/exim-4.92.2
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 692394

Description GLSAMaker/CVETool Bot gentoo-dev 2019-09-04 15:45:42 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-09-04 15:47:42 UTC
From $URL:
CVE ID:     CVE-2019-15846
Version(s): up to and including 4.92.1
Issue:      A local or remote attacker can execute programs with root
            privileges.
Details:    Will be made public at CRD. Currently there is no known
            exploit, but a rudimentary POC exists.

Coordinated Release Date (CRD) for Exim 4.92.2:
            2019-09-06 10:00 UTC


Proposed Timeline
=================

2019-09-03:
    - initial notification to distros@...nwall.org and
      exim-maintainers@...m.org

2019-09-04: <-- NOW
    - This Heads-up notice to oss-security@...ts.openwall.com,
      exim-users@...m.org, and exim-announce@...m.org

2019-09-06 10:00 UTC:
    - Coordinated release date
    - Notice to oss-security, exim-users, and exim-announce
    - Publish the patches in our official and public Git repositories
      and the packages on our FTP server.

Downloads available starting at CRD (not yet)
=============================================

The downloads are not yet available. They will be made available
at the above mentioned CRD.
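The heads-up above gives only an affected range (up to and including 4.92.1) and a fixed release (4.92.2), so the practical check for an administrator is a version comparison against the installed binary. The following is an added example, not code from this bug, from Gentoo or from the Exim project: it parses a dotted version out of text such as the first line of `exim -bV` output (the sample line here is constructed) and reports whether that version predates the fix. It treats a two-component version such as 4.92 as 4.92.0 so that it sorts before 4.92.1, and ignores distribution revision suffixes such as `-r1`.

```python
"""Decide whether an Exim version predates the CVE-2019-15846 fix (4.92.2).

Added example, not part of the Gentoo bug or of Exim.  The only facts taken
from the advisory are the affected range (<= 4.92.1) and the fixed release.
"""
import re
from typing import Dict, Optional, Tuple

# First release carrying the fix, per the heads-up quoted in the bug.
FIXED_VERSION: Tuple[int, int, int] = (4, 92, 2)

# Constructed sample of the first line printed by `exim -bV`; not real output.
SAMPLE_BV_OUTPUT = "Exim version 4.92.1 #2 built 28-Jul-2019 12:00:00\n"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the first dotted version in `text` as a 3-tuple, or None.

    A missing third component is treated as 0, so '4.92' becomes (4, 92, 0)
    and compares correctly against '4.92.1'.  Trailing suffixes such as
    '-r1' (Gentoo ebuild revisions) are simply not matched and thus ignored.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text: str) -> bool:
    """True when the version in `version_text` is older than FIXED_VERSION.

    Raises ValueError if no version can be found, rather than silently
    reporting an unknown build as safe.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError(f"no version found in {version_text!r}")
    return parsed < FIXED_VERSION


def audit_bv_output(bv_output: str) -> Dict[str, object]:
    """Summarise `exim -bV` output: the version seen and whether it needs the update."""
    version = parse_version(bv_output)
    if version is None:
        return {"version": None, "needs_update": None}
    return {
        "version": ".".join(str(c) for c in version),
        "needs_update": version < FIXED_VERSION,
    }


if __name__ == "__main__":
    # Run against the constructed sample; on a real host you would feed it the
    # output of `exim -bV` instead.
    print(audit_bv_output(SAMPLE_BV_OUTPUT))
```

On a real system the function is fed the captured output of `exim -bV` (or the installed package atom, such as `mail-mta/exim-4.92.2`, which the same regex handles); a result of `needs_update: True` means the host is still within the range the advisory names.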
Comment 2 Larry the Git Cow gentoo-dev 2019-09-06 13:18:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c1968d993330fcd3d593e014de4d7eccfd05872

commit 5c1968d993330fcd3d593e014de4d7eccfd05872
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-09-06 13:16:23 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-09-06 13:17:49 +0000

    mail-mta/exim: bump to v4.92.2 (CVE-2019-15846)
    
    Ebuild changes:
    - EAPI bumped to EAPI=7
    
    Bug: https://bugs.gentoo.org/693494
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-mta/exim/Manifest           |   2 +
 mail-mta/exim/exim-4.92.2.ebuild | 582 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 584 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-09-06 15:38:41 UTC
Added to an existing GLSA.
Comment 4 Thomas Deutschmann gentoo-dev Security 2019-09-07 00:22:25 UTC
x86 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-09-07 00:25:29 UTC
This issue was resolved and addressed in
 GLSA 201909-06 at https://security.gentoo.org/glsa/201909-06
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 Thomas Deutschmann gentoo-dev Security 2019-09-07 00:26:14 UTC
Re-opening for remaining architectures.
Comment 7 Sergei Trofimovich gentoo-dev 2019-09-08 18:47:20 UTC
ppc/ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-09-09 05:56:11 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-09-09 06:04:18 UTC
sparc stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-13 15:41:42 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-09-13 17:27:55 UTC
ia64 stable
Comment 12 Sergei Trofimovich gentoo-dev 2019-09-20 06:53:52 UTC
hppa stable
Comment 13 Marat Radchenko 2019-10-01 14:00:15 UTC
I cannot find an issue for CVE-2019-16928. Is it hidden or doesn't exist at all?
Comment 14 Fabian Groffen gentoo-dev 2019-10-01 16:23:08 UTC
The CVE isn't this bug, but here's the email I copied its number from for 4.92.3:
https://lists.exim.org/lurker/message/20190928.232024.589b2ef5.nl.html
Comment 15 Matt Turner gentoo-dev 2019-10-14 02:18:44 UTC
alpha stable

all arches done