| Summary: | <mail-mta/exim-4.98.2: use-after-free is possible (CVE-2025-30232) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Vladimir Varlamov <bes.internal> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | ajak, bes.internal, grobian, jasmin+gentoo |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://exim.org/static/doc/security/CVE-2025-30232.txt | ||
| Whiteboard: | C2 [stable?] | ||
| Package list: | Runtime testing required: | --- | |
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f99d3ec97d00fbf7938720e294e3a40b54e76a3 commit 1f99d3ec97d00fbf7938720e294e3a40b54e76a3 Author: Fabian Groffen <grobian@gentoo.org> AuthorDate: 2025-04-05 08:35:59 +0000 Commit: Fabian Groffen <grobian@gentoo.org> CommitDate: 2025-04-05 08:37:35 +0000 mail-mta/exim-4.98.2: version bump (CVE-2025-30232) Bug: https://bugs.gentoo.org/952139 Bug: https://bugs.gentoo.org/947916 Signed-off-by: Fabian Groffen <grobian@gentoo.org> mail-mta/exim/Manifest | 2 ++ mail-mta/exim/{exim-4.98.ebuild => exim-4.98.2.ebuild} | 3 ++- mail-mta/exim/files/exim-4.98-tidydb-crash.patch | 16 ++++++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) |
# CVE 2025-30232 ## Details A use-after-free is possible, with potential for privilege escalation. The following conditions have to be met for being vulnerable: - Exim Version - 4.96 - 4.97 - 4.98 - 4.98.1 - Command-line access Reproducible: Always I found only patch in 4.98 branch maybe because 4.97 eol was 10 Jul 2024 (8 months ago): https://code.exim.org/exim/exim/commits/branch/exim-4.98+fixes https://code.exim.org/exim/exim/commit/4338bbe48a80dbfb7d75cbb8ac4789b02720f15e