Bug#606527: root upgrade vulnerability in exim4
Konrad Rosenbaum
konrad at silmor.de
Thu Dec 9 22:23:19 UTC 2010
Package: exim4
Version: 4.69-9
The /usr/sbin/exim4 executable can be abused to upgrade from Debian-exim to
root in case of another vulnerability in exim that creates a shell (there
currently seems to be one).
The exim config allows constructs like ${run{...}} that execute shell
commands, then calling "exim -C<myconfig.conf>" executes those commands, if
they are in specific lines they are executed as root.
Please recompile Debians exim with ALT_CONFIG_PREFIX=/etc/exim4/ and
DISABLE_D_OPTION to prevent (even privileged) users from exploiting this to
upgrade to root.
A discussion of the problem can be seen here:
http://lists.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
Konrad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-exim4-maintainers/attachments/20101209/c9e72e32/attachment.pgp>
More information about the Pkg-exim4-maintainers
mailing list