Quoting $URL by Dan Rosenberg:
Two vulnerabilities have been discovered in Exim 4, a popular mail transfer
agent used on Unix-like systems (www.exim.org).

1. When Exim is used with a world-writable mail directory with the sticky-bit
set, local users may create hard links to other non-root users' files at the
expected location of those users' mailboxes, causing their files to be written
to upon mail delivery. This could be used to create denial-of-service
conditions or potentially escalate privileges to those of targeted users. This
issue has been assigned CVE-2010-2023.

2. When MBX locking is enabled, local users may exploit a race condition to
change permissions of other non-root users' files, leading to denial-of-service
conditions or potentially privilege escalation, or to create new files owned by
other users in unauthorized locations. This issue has been assigned

Exim has released a new version, 4.72, available for download at
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz. Vulnerable users are
advised to download and recompile from source, or request updated packages from
I'll try to put exim-4.72 in the tree today or tomorrow.
Updated package is in the tree. Grobian will be testing it for a few days and report back.
It runs smoothly for me here. I haven't seen any irregularities, feels good to me.
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Tested on x86, looks good over here.
x86 stable, thanks Andreas!
Stable for HPPA.
transports/appendfile.c in Exim before 4.72, when a world-writable
sticky-bit mail directory is used, does not verify the st_nlink field
of mailbox files, which allows local users to cause a denial of
service or possibly gain privileges by creating a hard link to
another user's file.

transports/appendfile.c in Exim before 4.72, when MBX locking is
enabled, allows local users to change permissions of arbitrary files
or create arbitrary files, and cause a denial of service or possibly
gain privileges, via a symlink attack on a lockfile in /tmp/.
@amd64: please stabilise exim-4.72. I'm running amd64 (without issues), so you should be good to go.
Markus: see bug 325645: it does not build on AMD64 for me.
Marked ppc stable.
GLSA request filed.
The remote code exec bug is fixed in >=4.70 (http://bugs.exim.org/show_bug.cgi?id=787) but was initially not regarded as a security problem according to heise.
@net-mail: please punt <4.70.
Versions <4.70 dropped.
This issue was resolved and addressed in
GLSA 201401-32 at http://security.gentoo.org/glsa/glsa-201401-32.xml
by GLSA coordinator Mikle Kolyada (Zlogene).