Bug 687336 (CVE-2019-10149) - <mail-mta/exim-4.92: remote command execution in deliver_message() function in /src/deliver.c (CVE-2019-10149)
Status: RESOLVED FIXED
Alias: CVE-2019-10149
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.exim.org/static/doc/securi...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-04 12:06 UTC by GLSAMaker/CVETool Bot
Modified: 2019-08-11 22:53 UTC
CC List: 2 users

See Also:
Package list:
mail-mta/exim-4.92
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Description GLSAMaker/CVETool Bot gentoo-dev 2019-06-04 12:06:59 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-06-04 12:09:54 UTC
CVE-2019-10149 Exim 4.87 to 4.91
================================

We received a report of a possible remote exploit.  Currently there is no
evidence of an active use of this exploit.

A patch exists already, is being tested, and backported to all
versions we released since (and including) 4.87.

The severity depends on your configuration.  It depends on how close to
the standard configuration your Exim runtime configuration is. The
closer the better.

Exim 4.92 is not vulnerable.

Next steps:

* t0:    Distros will get access to our non-public security Git repo
         (access is granted based on the SSH keys that are known to us)

* t0+7d: Coordinated Release Date: Distros should push the patched
         version to their repos. The Exim maintainers will publish
         the fixed source to the official and public Git repo.

t0    is expected to be 2019-06-04, 10:00 UTC
t0+7d is expected to be 2019-06-04, 10:00 UTC


Timeline
--------

* 2019-05-27 Report from Qualys to exim-security list
* 2019-05-27 Patch provided by Jeremy Harris
* 2019-05-29 CVE-2019-10149 assigned from Qualys via RedHat
* 2019-06-03 This announcement
Comment 2 Hanno Boeck gentoo-dev 2019-06-04 13:57:08 UTC
To clarify this: Details of the vulnerability are not public yet (will be in ~1week), but it seems the latest version 4.92 is unaffected (which seems to be by coincidence, because this version is older than the discovery of the vuln).

We already have 4.92 in the tree, so stabilizing that gives us an option to protect users without knowing the details of the vuln.

@maintainers: Can we go on with stabilizing?
Comment 3 Fabian Groffen gentoo-dev 2019-06-04 13:59:45 UTC
yes, 4.92 runs for a while on my servers, it's ready to go stable IMO.
Comment 4 Thomas Deutschmann gentoo-dev Security 2019-06-04 15:57:42 UTC
As discussed with the maintainer, Gentoo will move to >=mail-mta/exim-4.92.

@ Arches,

please test and mark stable: =mail-mta/exim-4.92
Comment 5 Thomas Deutschmann gentoo-dev Security 2019-06-04 17:19:48 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-06-04 18:56:29 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-06-05 06:51:03 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-06-05 07:15:24 UTC
ppc stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2019-06-05 17:27:53 UTC
From Qualys Security Advisory:

========================================================================
Summary
========================================================================

During a code review of the latest changes in the Exim mail server
(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability
in versions 4.87 to 4.91 (inclusive). In this particular case, RCE means
Remote *Command* Execution, not Remote Code Execution: an attacker can
execute arbitrary commands with execv(), as root; no memory corruption
or ROP (Return-Oriented Programming) is involved.

This vulnerability is exploitable instantly by a local attacker (and by
a remote attacker in certain non-default configurations). To remotely
exploit this vulnerability in the default configuration, an attacker
must keep a connection to the vulnerable server open for 7 days (by
transmitting one byte every few minutes). However, because of the
extreme complexity of Exim's code, we cannot guarantee that this
exploitation method is unique; faster methods may exist.

Exim is vulnerable by default since version 4.87 (released on April 6,
2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and
older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled
manually. Surprisingly, this vulnerability was fixed in version 4.92
(released on February 10, 2019):

https://github.com/Exim/exim/commit/7ea1237c783e380d7bdb86c90b13d8203c7ecf26
https://bugs.exim.org/show_bug.cgi?id=2310

but was not identified as a security vulnerability, and most operating
systems are therefore affected. For example, we exploit an up-to-date
Debian distribution (9.9) in this advisory.
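The affected-range and build-option logic from the Qualys summary above, turned into a small triage helper that reads `exim -bV` output (or a Gentoo package atom such as `mail-mta/exim-4.91-r2`) and says whether a host is in scope for CVE-2019-10149. This is an added example, not code from Qualys, the Exim project or Gentoo. It assumes that `exim -bV` lists `Event` (or `Experimental_Event` on pre-4.87 builds) in its `Support for:` line when event support is compiled in, and it treats a 4.87 to 4.91 build made with `DISABLE_EVENT` as not exposed, which is an inference from the advisory's remark that the code became default when `#ifdef EXPERIMENTAL_EVENT` became `#ifndef DISABLE_EVENT`; the sample `-bV` output embedded below is constructed, not a real capture.

```python
"""Triage helper for CVE-2019-10149 (Exim 4.87-4.91, deliver_message()).

Added example, not code from Qualys, the Exim project or Gentoo.
Assumptions:
  * `exim -bV` lists "Event" (4.87+) or "Experimental_Event" (pre-4.87)
    in its "Support for:" line when event support is compiled in.
  * A 4.87-4.91 build made with DISABLE_EVENT is treated as not exposed,
    inferred from the advisory's note that the vulnerable path became
    default when "#ifdef EXPERIMENTAL_EVENT" became "#ifndef DISABLE_EVENT".
"""
import re
from typing import NamedTuple, Optional, Tuple

FIRST_VULNERABLE = (4, 87)   # range taken from the advisory
LAST_VULNERABLE = (4, 91)
FIXED_IN = (4, 92)


class EximBuild(NamedTuple):
    version: Tuple[int, ...]
    event_support: bool


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted Exim version ('4.91', '4.92.1') from arbitrary text.

    Also accepts Gentoo atoms such as 'mail-mta/exim-4.91-r2'; the '-r2'
    ebuild revision is ignored because it does not change upstream code.
    """
    m = re.search(r"(?<![\d.])(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_bv(output: str) -> EximBuild:
    """Parse `exim -bV` output into a version plus an event-support flag."""
    version: Optional[Tuple[int, ...]] = None
    event = False
    for line in output.splitlines():
        if line.startswith("Exim version "):
            version = parse_version(line)
        elif line.startswith("Support for:"):
            features = line.split(":", 1)[1].split()
            # Assumption: these tokens mark an event-capable build.
            event = "Event" in features or "Experimental_Event" in features
    if version is None:
        raise ValueError("no 'Exim version' line in -bV output")
    return EximBuild(version, event)


def assess(build: EximBuild) -> str:
    """Classify a build against the affected range from the advisory."""
    major_minor = build.version[:2]
    if major_minor >= FIXED_IN:
        return "not-vulnerable: fixed in 4.92"
    if FIRST_VULNERABLE <= major_minor <= LAST_VULNERABLE:
        if build.event_support:
            return "vulnerable: 4.87-4.91 with event support (default build)"
        return ("probably-not-vulnerable: 4.87-4.91 built with DISABLE_EVENT "
                "(assumption; verify the build)")
    if build.event_support:
        return "possibly-vulnerable: pre-4.87 with EXPERIMENTAL_EVENT enabled"
    return "not-vulnerable: pre-4.87 without experimental event support"


def triage(bv_output: str) -> str:
    return assess(parse_bv(bv_output))


# Constructed sample modelled on a distro 4.91 build; not a real capture.
SAMPLE_BV_491 = """\
Exim version 4.91 #1 built 05-Jun-2019 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply lmtp pipe smtp
Configuration file is /etc/exim/exim.conf
"""
SAMPLE_BV_492 = SAMPLE_BV_491.replace("Exim version 4.91", "Exim version 4.92")


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_BV_491   # no local exim: fall back to the constructed sample
    print(triage(out))
```

The version check alone is what the Gentoo thread relies on (stabilising 4.92 closes the hole without knowing its details), and the `Support for:` check is the extra piece a practitioner wants when a 4.87 to 4.91 binary cannot be upgraded immediately and was built from a custom Local/Makefile.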
Comment 10 Thomas Deutschmann gentoo-dev Security 2019-06-05 17:36:53 UTC
New GLSA request filed.
Comment 11 Rolf Eike Beer 2019-06-05 17:56:41 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-06-06 06:55:36 UTC
ia64 stable
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2019-06-06 17:33:01 UTC
This issue was resolved and addressed in
 GLSA 201906-01 at https://security.gentoo.org/glsa/201906-01
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 14 Thomas Deutschmann gentoo-dev Security 2019-06-06 17:33:34 UTC
Re-opening for remaining arches.
Comment 15 Rolf Eike Beer 2019-06-06 20:39:17 UTC
hppa stable
Comment 16 Agostino Sarubbo gentoo-dev 2019-06-08 18:21:27 UTC
alpha stable
Comment 17 Markus Meier gentoo-dev 2019-06-13 04:28:36 UTC
arm stable, all arches done.
Comment 19 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-02 00:41:34 UTC
@maintainer(s), please clean.
Comment 20 Larry the Git Cow gentoo-dev 2019-08-02 06:44:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4104b9c4bd8cbaba4712e6a8d4e6c8d120ba5c0

commit e4104b9c4bd8cbaba4712e6a8d4e6c8d120ba5c0
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2019-08-02 06:42:47 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2019-08-02 06:42:47 +0000

    mail-mta/exim: cleanup vulnerable CVE-2019-10149
    
    Bug: https://bugs.gentoo.org/687336
    Package-Manager: Portage-2.3.66, Repoman-2.3.16
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest                             |   2 -
 mail-mta/exim/exim-4.91-r2.ebuild                  | 561 ---------------------
 .../exim/files/exim-4.74-localscan_dlopen.patch    | 262 ----------
 3 files changed, 825 deletions(-)