Bug 693494 (CVE-2019-15846)

Summary: <mail-mta/exim-4.92.2: privilege escalation (CVE-2019-15846)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: major
CC: bertrand, grobian, himbeere, jaco, marat, scott
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Flags: stable-bot: sanity-check+
Hardware: All
OS: Linux
Whiteboard: A2 [stable glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 692394

Description GLSAMaker/CVETool Bot gentoo-dev 2019-09-04 15:45:42 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-09-04 15:47:42 UTC
From $URL:
CVE ID:     CVE-2019-15846
Version(s): up to and including 4.92.1
Issue:      A local or remote attacker can execute programs with root
Details:    Will be made public at CRD. Currently there is no known
            exploit, but a rudimentary POC exists.

Coordinated Release Date (CRD) for Exim 4.92.2:
            2019-09-06 10:00 UTC

Proposed Timeline

    - initial notification to and

2019-09-04: <-- NOW
    - This Heads-up notice to,, and

2019-09-06 10:00 UTC:
    - Coordinated release date
    - Notice to oss-security, exim-users, and exim-announce
    - Publish the patches in our official and public Git repositories
      and the packages on our FTP server.

Downloads available starting at CRD (not yet)

The downloads are not yet available. They will be made available
at the above mentioned CRD.
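Added example (not part of the bug report, the Exim project or the Gentoo ebuild): a small version check for an inventory or fleet sweep. It reads the Exim version either from the `exim -bV` banner or from a Gentoo package atom such as `mail-mta/exim-4.92.1`, and flags anything at or below 4.92.1, the affected range quoted in the heads-up, with 4.92.2 as the fixed release. The sample strings below are constructed; the regexes assume the `Exim version X.Y[.Z]` banner format and the `mail-mta/exim-X.Y[.Z]` atom format. A version string alone says nothing about vendor backports, but Gentoo fixed this issue by bumping to 4.92.2, so for Gentoo hosts the version is the right thing to compare.

```python
import re
from typing import Optional, Tuple

# Fixed release named in the heads-up; "up to and including 4.92.1" is affected.
FIXED_VERSION: Tuple[int, int, int] = (4, 92, 2)

# Two places a version shows up on a Gentoo host:
#   "Exim version 4.92.1 #1 built ..."  (first line of `exim -bV`)
#   "mail-mta/exim-4.92.1"              (Portage atom, e.g. from `qlist -Iv`)
# The patch component is optional: "4.92" is the .0 release.
_BANNER_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)
_ATOM_RE = re.compile(r"mail-mta/exim-(\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `exim -bV` output or a Portage atom.

    Returns None when neither format is found, so callers can treat an
    unparseable host as "unknown" rather than silently "not vulnerable".
    """
    for pattern in (_BANNER_RE, _ATOM_RE):
        m = pattern.search(text)
        if m:
            major, minor, patch = m.group(1), m.group(2), m.group(3)
            return (int(major), int(minor), int(patch) if patch else 0)
    return None


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True for every release below the fixed version (i.e. <= 4.92.1)."""
    return version < FIXED_VERSION


def check_host(hostname: str, text: str) -> str:
    """Classify one host: 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_exim_version(text)
    if version is None:
        return f"{hostname}: unknown (no Exim version found)"
    label = "vulnerable" if is_vulnerable(version) else "fixed"
    return f"{hostname}: {label} ({'.'.join(map(str, version))})"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real hosts.
    samples = {
        "mx1": "Exim version 4.92.1 #1 built 01-Sep-2019 12:00:00\n"
               "Copyright (c) University of Cambridge, 1995 - 2018\n",
        "mx2": "Exim version 4.92 #3 built 06-Jun-2019 09:00:00\n",
        "mx3": "mail-mta/exim-4.92.2\n",
        "mx4": "no mail software here\n",
    }
    for host, output in samples.items():
        print(check_host(host, output))
```

Run it with the embedded samples, or feed it the real `exim -bV` output collected from each host. Anything reported as `unknown` should be looked at by hand rather than assumed safe.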
Comment 2 Larry the Git Cow gentoo-dev 2019-09-06 13:18:00 UTC
The bug has been referenced in the following commit(s):

commit 5c1968d993330fcd3d593e014de4d7eccfd05872
Author:     Thomas Deutschmann <>
AuthorDate: 2019-09-06 13:16:23 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2019-09-06 13:17:49 +0000

    mail-mta/exim: bump to v4.92.2 (CVE-2019-15846)
    Ebuild changes:
    - EAPI bumped to EAPI=7
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <>

 mail-mta/exim/Manifest           |   2 +
 mail-mta/exim/exim-4.92.2.ebuild | 582 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 584 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-09-06 15:38:41 UTC
Added to an existing GLSA.
Comment 4 Thomas Deutschmann gentoo-dev Security 2019-09-07 00:22:25 UTC
x86 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-09-07 00:25:29 UTC
This issue was resolved and addressed in
 GLSA 201909-06 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 Thomas Deutschmann gentoo-dev Security 2019-09-07 00:26:14 UTC
Re-opening for remaining architectures.
Comment 7 Sergei Trofimovich gentoo-dev 2019-09-08 18:47:20 UTC
ppc/ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-09-09 05:56:11 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-09-09 06:04:18 UTC
sparc stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-13 15:41:42 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-09-13 17:27:55 UTC
ia64 stable
Comment 12 Sergei Trofimovich gentoo-dev 2019-09-20 06:53:52 UTC
hppa stable
Comment 13 Marat Radchenko 2019-10-01 14:00:15 UTC
I cannot find an issue for CVE-2019-16928. Is it hidden or doesn't exist at all?
Comment 14 Fabian Groffen gentoo-dev 2019-10-01 16:23:08 UTC
the CVE isn't this bug, but here's the email I copied its number from for 4.92.3:
Comment 15 Matt Turner gentoo-dev 2019-10-14 02:18:44 UTC
alpha stable

all arches done