Date: Fri, 10 Dec 2010 14:10:11 +0300 (MSK) From: Eygene Ryabinkin <rea@freebsd.org> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/152983: security/vuxml: add entry for Exim's CVE-2010-4345 Message-ID: <20101210111011.4DA3FDA81F@void.codelabs.ru> Resent-Message-ID: <201012101130.oBABUG3b084635@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 152983 >Category: ports >Synopsis: security/vuxml: add entry for Exim's CVE-2010-4345 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Dec 10 11:30:16 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 9.0-CURRENT amd64 >Organization: Code Labs >Environment: System: FreeBSD 9.0-CURRENT amd64 >Description: There is a local privilege escalation from Exim's user to root: [1] >How-To-Repeat: [1] https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3 One can create e.conf with contents like {{{ spool_directory = ${run{/usr/bin/touch /tmp/testfile}} }}} run Exim as 'exim -Ce.conf -q' under Exim's own user. /tmp/testfile will be owned by root. >Fix: There is a patch for Exim that is still discussed, http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="e4fcf020-0447-11e0-becc-0022156e8794"> <topic>Exim -- local privilege escalation</topic> <affects> <package> <name>exim</name> <range><le>4.72</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>David Woodhouse reports:</p> <blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3">; <p>Secondly a privilege escalation where the trusted 'exim' user is able to tell Exim to use arbitrary config files, in which further ${run ...} commands will be invoked as root.</p> </blockquote> </body> </description> <references> <cvename>CVE-2010-4345</cvename> <url>https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3</url>; <url>http://www.exim.org/lurker/message/20101209.022730.dbb6732d.en.html</url>; </references> <dates> <discovery>2010-12-10</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here --- It passes 'make validate'. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20101210111011.4DA3FDA81F>