Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622212 (CVE-2017-1000369) - <mail-mta/exim-4.89-r1: Local privilege escalation via multiple "-p" command line arguments (CVE-2017-1000369)
Summary: <mail-mta/exim-4.89-r1: Local privilege escalation via multiple "-p" command ...
Status: RESOLVED FIXED
Alias: CVE-2017-1000369
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-19 15:07 UTC by GLSAMaker/CVETool Bot
Modified: 2017-10-05 16:08 UTC (History)
5 users (show)

See Also:
Package list:
mail-mta/exim-4.89-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-06-19 15:07:42 UTC
CVE-2017-1000369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000369):
  Exim supports the use of multiple "-p" command line arguments which are
  malloc()'ed and never free()'ed, used in conjunction with other issues
  allows attackers to cause arbitrary code execution. This affects exim
  version 4.89. Please note that at this time upstream has released a patch
  but does not plan a new release to address this issue.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-06-19 15:10:49 UTC
Upstream patch: https://github.com/Exim/exim/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-06-19 16:08:26 UTC
Fixed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81618852a1f9d12b4aeea8a85b9d0f37f81f05b9


@ Arches,

please test and mark stable: =mail-mta/exim-4.89-r1
Comment 3 Fabian Groffen gentoo-dev 2017-06-19 19:11:27 UTC
FWIW, as maintainer, ok, 4.89 is good to go stable, runs for a while without issues on my systems.
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-20 05:07:39 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-20 07:04:00 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-21 12:06:55 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 12:19:45 UTC
ppc64 stable
Comment 8 Sergei Trofimovich gentoo-dev 2017-06-24 21:08:47 UTC
ia64 stable
Comment 9 Tobias Klausmann gentoo-dev 2017-06-26 20:19:47 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2017-07-07 09:10:24 UTC
sparc stable
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 00:28:28 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 12 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 01:31:39 UTC
New GLSA Request filed.

@hppa please finish stabilization, this stabilization request has been opened since two months ago.

Thank you,

Gentoo Security Padawan
ChrisADR
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-09-24 15:50:06 UTC
This issue was resolved and addressed in
 GLSA 201709-19 at https://security.gentoo.org/glsa/201709-19
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-24 15:50:45 UTC
re-opened for cleanup
Comment 15 Fabian Groffen gentoo-dev 2017-09-25 07:35:50 UTC
Cleaned up as much as possible, left exim-4.88 in the key with only hppa's stable keyword.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2017-10-01 23:05:04 UTC
Slyfox: 
Can you please stabilize or drop keywords for hppa for this, as it is preventing cleanup.
Comment 17 Sergei Trofimovich gentoo-dev 2017-10-05 13:16:16 UTC
hppa stable
Comment 18 Fabian Groffen gentoo-dev 2017-10-05 13:41:01 UTC
cleaned up 4.88
Comment 19 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 16:08:06 UTC
Thank you all.

Gentoo Security Padawan
ChrisADR