Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 353352 (CVE-2011-0017) - <mail-mta/exim-4.74: privilege escalation vulnerability (CVE-2011-0017)
Summary: <mail-mta/exim-4.74: privilege escalation vulnerability (CVE-2011-0017)
Status: RESOLVED FIXED
Alias: CVE-2011-0017
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL: ftp://ftp.exim.org/pub/exim/ChangeLog...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-01-31 23:01 UTC by Keath
Modified: 2014-01-27 12:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Build log (exim.log,36.11 KB, text/plain)
2011-02-01 09:33 UTC, Agostino Sarubbo
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Keath 2011-01-31 23:01:33 UTC
CVE-2011-0017 - check return value of setuid/setgid. This is a
      privilege escalation vulnerability whereby the Exim run-time user
      can cause root to append content of the attacker's choosing to
      arbitrary files.


Reproducible: Always
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-02-01 04:18:37 UTC
(In reply to comment #0)
> CVE-2011-0017 - check return value of setuid/setgid. This is a
>       privilege escalation vulnerability whereby the Exim run-time user
>       can cause root to append content of the attacker's choosing to
>       arbitrary files.
> 
> 
> Reproducible: Always
> 

Thanks for the report, Keath.
Comment 2 Fabian Groffen gentoo-dev 2011-02-01 08:05:50 UTC
4.74 in the tree now, thanks
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-01 08:18:39 UTC
Excellent. Arches, please stabilize =mail-mta/exim-4.74
Comment 4 Agostino Sarubbo gentoo-dev 2011-02-01 09:33:34 UTC
Created attachment 261222 [details]
Build log

fails for me
Comment 5 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-01 09:44:30 UTC
(In reply to comment #4)
> Created an attachment (id=261222) [details]
> Build log
> 
> fails for me
Yeah, that's very funny pkg and for me that's ^^ 4th unique failure. I've also hit bug 287426, bug 352265 and as-needed failure with USE="sqlite". Apparently these are not regressions, so we could stable it. However, I'd rather see this package fixed (at least linking issues with dl and improper use of LDFLAGS) before stabilization or pmasked and dropped.

Comment 6 Fabian Groffen gentoo-dev 2011-02-01 10:11:52 UTC
Dropping exim is not an option, so suggesting that shows little to no respect IMO.

Please open up bug(s) for your compilation problems, so we don't pollute this security bug with all of this.

Thanks.
Comment 7 Jeroen Roovers gentoo-dev 2011-02-01 21:33:06 UTC
Stable for HPPA.
Comment 8 Andreas Schürch gentoo-dev 2011-02-02 09:23:00 UTC
I tested =mail-mta/exim-4.74-r1 on x86 and this one looks really good to go for me.

The only thing left that would be nice, would be that exim-acl should get auto-enabled if spf and/or srs is enabled, instead of just dying. (I just stumbled upon the last comment from Thomas Kahle over at bug #343221 a few mionutes ago! ;-)


Comment 9 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-02 10:06:41 UTC
ppc/ppc64 stable
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2011-02-04 23:24:41 UTC
stable x86, thanks Andreas
Comment 11 Tobias Klausmann gentoo-dev 2011-02-05 20:17:50 UTC
Stable on alpha.
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2011-02-10 22:22:47 UTC
amd64 done. Thanks Agostino
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2011-02-12 17:14:56 UTC
ia64/sparc stable
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-02-12 18:31:44 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 15 Fabian Groffen gentoo-dev 2011-05-08 09:40:21 UTC
all versions <4.74 have been dropped from the tree

@security: please close this bug
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:34:59 UTC
CVE-2011-0017 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0017):
  The open_log function in log.c in Exim 4.72 and earlier does not check the
  return value from (1) setuid or (2) setgid system calls, which allows local
  users to append log data to arbitrary files via a symlink attack.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 12:37:07 UTC
This issue was resolved and addressed in
 GLSA 201401-32 at http://security.gentoo.org/glsa/glsa-201401-32.xml
by GLSA coordinator Mikle Kolyada (Zlogene).