Bug#606527: root upgrade vulnerability in exim4
Dominic Hargreaves
dom at earth.li
Fri Dec 10 13:52:29 UTC 2010
On Thu, Dec 09, 2010 at 11:23:19PM +0100, Konrad Rosenbaum wrote:
> The /usr/sbin/exim4 executable can be abused to upgrade from Debian-exim to
> root in case of another vulnerability in exim that creates a shell (there
> currently seems to be one).
>
> The exim config allows constructs like ${run{...}} that execute shell
> commands, then calling "exim -C<myconfig.conf>" executes those commands, if
> they are in specific lines they are executed as root.
>
> Please recompile Debians exim with ALT_CONFIG_PREFIX=/etc/exim4/ and
> DISABLE_D_OPTION to prevent (even privileged) users from exploiting this to
> upgrade to root.
>
> A discussion of the problem can be seen here:
> http://lists.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
And in particular there is a candidate patch at
<http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html#exim-dev>
(although sadly I can't see how to get it to render in a fixed-width
font).
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
More information about the Pkg-exim4-maintainers
mailing list