Exim ships a copy of PCRE which is vulnerable to several security issues, as pointed out in bug #198198. Lowest current stable for amd64 and others is:
4.60-r1: PCRE version 6.2
4.68: PCRE version 7.2
PCRE 7.3 fixes the issues mentioned. Exim has no newer version shipping it, and I did not find any code repository. We could either merge PCRE 7.3 into any Exim version (preferably 4.67 or 4.68) or wait for upstream to release a new bundle. Colin and Net-Mail, please advise.
I don't like the idea of deviating away from the upstream practice of bundling their own PCRE. Also, due to how Exim uses PCRE, it would require an admin to explicitly code a faulty regex in the main config to affect the whole system; otherwise it's limited to running as a user when called in a user's filter. Feel free to correct me if you find out anything further, but for now I'm going to get 4.68 stable and try to track upstream a little more tightly. Cheers, Colin
Sounds reasonable, but please notify upstream about the issues, maybe they'll release a maintenance update.
Upstream is where I got the impact information from :)
Any news here? Even with just user privs, this could result in a user assisted attack, so it should be fixed...
Well, I could attempt to backport from current CVS, but I'm not sure I'm going to have the time before upstream releases a new version (the last I heard, the new maintainer was having some issues with the test harness). I've just gotten back from a work trip (and a 4.5 hr drive), so I'll have another think on this tomorrow evening and see how doable releasing a -r1 with the CVS tree commit would be. The exploit would only be user -> user, i.e. if user A wrote a bad expression, user B could only get to user A.
Exim-4.69 has been announced and will be in the tree this weekend.
(In reply to comment #6)
> Exim-4.69 has been announced and will be in the tree this weekend.

Oops, sorry for the lag :/ net-mail, next time could you please post on the bug once the ebuild is committed? We have too many bugs to handle to remember this kind of thing... Anyway, arches, please test and mark stable mail-mta/exim-4.69. Target "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
ppc64 stable
ppc stable, re-adding ppc64: your keyword's still missing
ppc64 done; double checked. good find.
bleh, forgot to uncc ppc@
x86 stable
alpha/ia64/sparc stable
Stable for HPPA.
amd64 stable
Fixed in release snapshot.
Ah sorry, I should have announced the actual commit, my bad.
Request filed.
Further assessment of this bug has led us to believe there is no exploitability vector. There are no trust boundaries crossed when a user has code executed with his privileges by installing a mail filter. A user can and has to review such a file before installing it, so an attacker tricking someone into it is not a vulnerability.