Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 693494 (CVE-2019-15846) - <mail-mta/exim-4.92.2: privilege escalation (CVE-2019-15846)
Summary: <mail-mta/exim-4.92.2: privilege escalation (CVE-2019-15846)
Status: RESOLVED FIXED
Alias: CVE-2019-15846
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2019-13917
  Show dependency tree
 
Reported: 2019-09-04 15:45 UTC by GLSAMaker/CVETool Bot
Modified: 2019-10-26 18:16 UTC (History)
6 users (show)

See Also:
Package list:
mail-mta/exim-4.92.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-09-04 15:45:42 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-09-04 15:47:42 UTC
From $URL:
CVE ID:     CVE-2019-15846
Version(s): up to and including 4.92.1
Issue:      A local or remote attacker can execute programs with root
            privileges.
Details:    Will be made public at CRD. Currently there is no known
            exploit, but a rudimentary POC exists.

Coordinated Release Date (CRD) for Exim 4.92.2:
            2019-09-06 10:00 UTC


Proposed Timeline
=================

2019-09-03:
    - initial notification to distros@...nwall.org and
      exim-maintainers@...m.org

2019-09-04: <-- NOW
    - This Heads-up notice to oss-security@...ts.openwall.com,
      exim-users@...m.org, and exim-announce@...m.org

2019-09-06 10:00 UTC:
    - Coordinated relase date
    - Notice to oss-security, exim-users, and exim-announce
    - Publish the patches in our official and public Git repositories
      and the packages on our FTP server.

Downloads available starting at CRD (not yet)
=============================================

The downloads are not yet available. They will be made available
at the above mentioned CRD.
Comment 2 Larry the Git Cow gentoo-dev 2019-09-06 13:18:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c1968d993330fcd3d593e014de4d7eccfd05872

commit 5c1968d993330fcd3d593e014de4d7eccfd05872
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-09-06 13:16:23 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-09-06 13:17:49 +0000

    mail-mta/exim: bump to v4.92.2 (CVE-2019-15846)
    
    Ebuild changes:
    - EAPI bumped to EAPI=7
    
    Bug: https://bugs.gentoo.org/693494
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-mta/exim/Manifest           |   2 +
 mail-mta/exim/exim-4.92.2.ebuild | 582 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 584 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-09-06 15:38:41 UTC
Added to an existing GLSA.
Comment 4 Thomas Deutschmann gentoo-dev Security 2019-09-07 00:22:25 UTC
x86 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-09-07 00:25:29 UTC
This issue was resolved and addressed in
 GLSA 201909-06 at https://security.gentoo.org/glsa/201909-06
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 Thomas Deutschmann gentoo-dev Security 2019-09-07 00:26:14 UTC
Re-opening for remaining architectures.
Comment 7 Sergei Trofimovich gentoo-dev 2019-09-08 18:47:20 UTC
ppc/ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-09-09 05:56:11 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-09-09 06:04:18 UTC
sparc stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-13 15:41:42 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-09-13 17:27:55 UTC
ia64 stable
Comment 12 Sergei Trofimovich gentoo-dev 2019-09-20 06:53:52 UTC
hppa stable
Comment 13 Marat Radchenko 2019-10-01 14:00:15 UTC
I cannot find an issue for CVE-2019-16928. Is it hidden or doesn't exist at all?
Comment 14 Fabian Groffen gentoo-dev 2019-10-01 16:23:08 UTC
the CVE isn't this bug, but here's the email I copied it's number from for 4.92.3:
https://lists.exim.org/lurker/message/20190928.232024.589b2ef5.nl.html
Comment 15 Matt Turner gentoo-dev 2019-10-14 02:18:44 UTC
alpha stable

all arches done
Comment 16 Larry the Git Cow gentoo-dev 2019-10-26 18:16:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=090c2b8964bdab171450acfbe10a585c23064118

commit 090c2b8964bdab171450acfbe10a585c23064118
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 18:15:52 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 18:15:52 +0000

    mail-mta/exim: security cleanup (#693494)
    
    Bug: https://bugs.gentoo.org/693494
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-mta/exim/Manifest              |   4 -
 mail-mta/exim/exim-4.92-r3.ebuild   | 563 -----------------------------------
 mail-mta/exim/exim-4.92-r4.ebuild   | 578 ------------------------------------
 mail-mta/exim/exim-4.92.1-r1.ebuild | 578 ------------------------------------
 4 files changed, 1723 deletions(-)
Comment 17 Thomas Deutschmann gentoo-dev Security 2019-10-26 18:16:51 UTC
All done, repository is clean!