Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 198379 (CVE-2007-1659) - mail-mta/exim <4.69 Multiple issues in embedded PCRE (CVE-2007-16{59,60,61,62}, CVE-2007-47{66,67,68})
Summary: mail-mta/exim <4.69 Multiple issues in embedded PCRE (CVE-2007-16{59,60,61,62...
Status: RESOLVED INVALID
Alias: CVE-2007-1659
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27543/
Whiteboard: C2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-07 17:18 UTC by Robert Buchholz (RETIRED)
Modified: 2008-03-24 18:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 17:18:42 UTC
Exim ships a copy of PCRE which is be vulnerable to several security issues as pointed out in bug #198198.

Lowest curent stable for amd64 and others is:
4.60-r1: PCRE Version 6.2
4.68: Version 7.2

PCRE 7.3 fixes the issues mentioned. Exim has no newer version shipping it, and I did not find any code repository. We could either merge PCRE 7.3 into any Exim version (preferably 4.67 or 4.68) or wait for upstream to release a new bundle.

Colin and Net-Mail, please advise.
Comment 1 Colin Morey (RETIRED) gentoo-dev 2007-11-08 18:41:30 UTC
I Don't like the idea of deviating away from the upstream practice of bundling their own PCRE.

also due to how exim uses PCRE, it would require an admin to explicitly code a fault regex in the main config to affect the whole system, otherwise it's limited to running as a user when called in a user's filter.

feel free to correct me if you find out anything further, but for now, i'm going to get 4.68 stable and try and track upstream a little more tightly.


Cheers,

Colin
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-09 09:45:31 UTC
Sounds reasonable, but please notify upstream about the issues, maybe they'll release a maintenance update.
Comment 3 Colin Morey (RETIRED) gentoo-dev 2007-11-09 16:50:19 UTC
Upstream is where I got the impact information from :)
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-14 15:38:54 UTC
Any news here? Even with just user privs, this could result in a user assisted attack, so it should be fixed...
Comment 5 Colin Morey (RETIRED) gentoo-dev 2007-12-18 23:07:52 UTC
Well, I could attempt to back port from current CVS, but i'm not sure i'm going to have the time before upstream release a new version, (the last I heard the new maintainer was having some issues with the test harness).

I've just gotten back from a work trip (and a 4.5hr drive), so I'll have another think on this tomorrow evening and see how do-able releasing a -r1 with the cvs tree commit would be.  

the exploit would only be user -> user, ie if user A wrote a bad expression, user B could only get to user A.
Comment 6 Colin Morey (RETIRED) gentoo-dev 2008-01-10 20:25:18 UTC
Exim-4.69 has been announced and will be in the tree this weekend.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-04 22:47:49 UTC
(In reply to comment #6)
> Exim-4.69 has been announced and will be in the tree this weekend.
> 

oops, sorry for the lag :/
 net-mail, next time could you please post on the bug once the ebuild is commited? we have too much bugs to handle to remember this kind of things...
Anyway, arches, please test and mark stable mail-mta/exim-4.69.
Target "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 8 Brent Baude (RETIRED) gentoo-dev 2008-03-05 00:48:55 UTC
ppc64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-05 19:41:51 UTC
ppc stable, re-adding ppc64 - you're keyword's still missing
Comment 10 Brent Baude (RETIRED) gentoo-dev 2008-03-05 20:03:44 UTC
ppc64 done; double checked.  good find.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-05 20:37:56 UTC
bleh, forgot to uncc ppc@
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-06 07:55:01 UTC
x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-03-06 12:07:49 UTC
alpha/ia64/sparc stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-07 13:29:52 UTC
Stable for HPPA.
Comment 15 Steve Dibb (RETIRED) gentoo-dev 2008-03-07 16:39:15 UTC
amd64 stable
Comment 16 Peter Volkov (RETIRED) gentoo-dev 2008-03-09 10:14:11 UTC
Fixed in release snapshot.
Comment 17 Colin Morey (RETIRED) gentoo-dev 2008-03-09 11:04:46 UTC
Ah sorry, I should have announced the actual commit, my bad.
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-10 20:31:18 UTC
Request filed.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 18:38:50 UTC
Further assessment of this bug has lead us to believe there is no exploitability vector. There are no trust boundaries crossed when a user has code executed with his privileges by installing a mail filter. A user can and has to review such a file before installing it, so an attacker tricking someone into it is not a vulnerability.