CVE-2019-10149 Exim 4.87 to 4.91
We received a report of a possible remote exploit. Currently there is no
evidence of active use of this exploit.
A patch exists already, is being tested, and backported to all
versions we released since (and including) 4.87.
The severity depends on your configuration. It depends on how close to
the standard configuration your Exim runtime configuration is. The
closer the better.
Exim 4.92 is not vulnerable.
* t0: Distros will get access to our non-public security Git repo
(access is granted based on the SSH keys that are known to us)
* t0+7d: Coordinated Release Date: Distros should push the patched
version to their repos. The Exim maintainers will publish
the fixed source to the official and public Git repo.
t0 is expected to be 2019-06-04, 10:00 UTC
t0+7d is expected to be 2019-06-04, 10:00 UTC
* 2019-05-27 Report from Qualys to exim-security list
* 2019-05-27 Patch provided by Jeremy Harris
* 2019-05-29 CVE-2019-10149 assigned from Qualys via RedHat
* 2019-06-03 This announcement
To clarify this: Details of the vulnerability are not public yet (will be in ~1 week), but it seems the latest version 4.92 is unaffected (which seems to be by coincidence, because this version is older than the discovery of the vuln).
We already have 4.92 in the tree, so stabilizing that gives us an option to protect users without knowing the details of the vuln.
@maintainers: Can we go on with stabilizing?
yes, 4.92 runs for a while on my servers, it's ready to go stable IMO.
Like discussed with maintainer, Gentoo will move to >=mail-mta/exim-4.92.
please test and mark stable: =mail-mta/exim-4.92
From Qualys Security Advisory:
During a code review of the latest changes in the Exim mail server
(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability
in versions 4.87 to 4.91 (inclusive). In this particular case, RCE means
Remote *Command* Execution, not Remote Code Execution: an attacker can
execute arbitrary commands with execv(), as root; no memory corruption
or ROP (Return-Oriented Programming) is involved.
This vulnerability is exploitable instantly by a local attacker (and by
a remote attacker in certain non-default configurations). To remotely
exploit this vulnerability in the default configuration, an attacker
must keep a connection to the vulnerable server open for 7 days (by
transmitting one byte every few minutes). However, because of the
extreme complexity of Exim's code, we cannot guarantee that this
exploitation method is unique; faster methods may exist.
Exim is vulnerable by default since version 4.87 (released on April 6,
2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and
older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled
manually. Surprisingly, this vulnerability was fixed in version 4.92
(released on February 10, 2019):
but was not identified as a security vulnerability, and most operating
systems are therefore affected. For example, we exploit an up-to-date
Debian distribution (9.9) in this advisory.
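As an added check (not part of the advisory or of this bug thread), the following script classifies a host against the affected range the advisory states: 4.87 to 4.91 inclusive is vulnerable by default, 4.92 is not, and older builds are only exposed if EXPERIMENTAL_EVENT was enabled manually. It parses the output of `exim -bV`; the assumption that a build with event support lists the word `Event` on the `Support for:` line is mine, not something the advisory says.

```python
import re
import subprocess

# Affected range taken from the Qualys advisory quoted above (inclusive).
VULN_MIN = (4, 87)
VULN_MAX = (4, 91)


def parse_exim_version(bv_output: str):
    """Return (major, minor) from `exim -bV` output, or None if not found.

    Example first line: 'Exim version 4.91 #1 built 02-May-2019 ...'
    Distro revisions such as Gentoo's 4.91-r2 still parse as 4.91.
    """
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def event_support_listed(bv_output: str) -> bool:
    """ASSUMPTION: a build compiled without DISABLE_EVENT lists 'Event'
    on the 'Support for:' line of `exim -bV`."""
    for line in bv_output.splitlines():
        if line.startswith("Support for:"):
            return "Event" in line.split(":", 1)[1].split()
    return False


def classify(bv_output: str) -> str:
    """Map `exim -bV` output to one of: unknown, vulnerable,
    vulnerable-if-event-enabled, not-vulnerable."""
    ver = parse_exim_version(bv_output)
    if ver is None:
        return "unknown"
    if VULN_MIN <= ver <= VULN_MAX:
        return "vulnerable"
    if ver < VULN_MIN:
        # Pre-4.87 builds are only affected when EXPERIMENTAL_EVENT was enabled.
        if event_support_listed(bv_output):
            return "vulnerable-if-event-enabled"
        return "not-vulnerable"
    return "not-vulnerable"  # 4.92 and later


if __name__ == "__main__":
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        # Constructed sample output so the script also runs where Exim is absent.
        out = "Exim version 4.91 #1 built 02-May-2019\nSupport for: iconv() IPv6 Event\n"
    print(f"CVE-2019-10149 status: {classify(out)}")
```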
New GLSA request filed.
This issue was resolved and addressed in
GLSA 201906-01 at https://security.gentoo.org/glsa/201906-01
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining arches.
arm stable, all arches done.
very great post.
@maintainer(s), please clean.
The bug has been referenced in the following commit(s):
Author: Fabian Groffen <email@example.com>
AuthorDate: 2019-08-02 06:42:47 +0000
Commit: Fabian Groffen <firstname.lastname@example.org>
CommitDate: 2019-08-02 06:42:47 +0000
mail-mta/exim: cleanup vulnerable CVE-2019-10149
Package-Manager: Portage-2.3.66, Repoman-2.3.16
Signed-off-by: Fabian Groffen <email@example.com>
mail-mta/exim/Manifest | 2 -
mail-mta/exim/exim-4.91-r2.ebuild | 561 ---------------------
.../exim/files/exim-4.74-localscan_dlopen.patch | 262 ----------
3 files changed, 825 deletions(-)