[exim.git] / doc / doc-txt / cve-2019-13917 / posting-2019-07-25.txt

To: exim-users@exim.org, exim-announce@exim.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]

CVE ID:     CVE-2019-13917
OVE ID:     OVE-20190718-0006
Date:       2019-07-18
Credits:    Jeremy Harris
Version(s): 4.85 up to and including 4.92
Issue:      A local or remote attacker can execute programs with root
            privileges - if you've an unusual configuration. For details
	    see below.

Coordinated Release Date (CRD) for Exim 4.92.1:
            Thu Jul 25 10:00:00 UTC 2019

Contact:    security@exim.org

We released Exim 4.92.1. This is a security update based on 4.92.

Conditions to be vulnerable
===========================

If your configuration uses the ${sort } expansion for items that can be
controlled by an attacker (e.g. $local_part, $domain). The default
config, as shipped by the Exim developers, does not contain ${sort }.

Details
=======

The vulnerability is exploitable either remotely or locally and could
be used to execute other programs with root privilege.  The ${sort }
expansion re-evaluates its items.

Mitigation
==========

Do not use ${sort } in your configuration.

Fix
===

Install a fixed package supplied by your distribution.
or download and build a fixed version:

For release tarballs (exim-4.92.1):

    http://ftp.exim.org/pub/exim/exim4/

The package files are signed with a key from the developers
key set: https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc

For the full Git repo:

    https://git.exim.org/exim.git
    https://github.com/Exim/exim    [mirror of the above]
    - tag    exim-4.92.1
    - branch exim-4.92.1+fixes

The tagged commit is the officially released version. The tag is signed
with a key from the developers keyset.  The +fixes branch isn't
officially maintained, but contains the security fix *and* useful
patches.  The relevant commit is signed with a key from the developers
keyset. The old exim-4.92+fixes branch is being functionally replaced by
the new exim-4.92.1+fixes branch.

If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix.  (Please note,
that Exim project officially doesn't support versions prior the current
stable version.)

Timeline
========

t0: Thu Jul 18 2019
    - this notice to distros@vs.openwall.org and exim-maintainers@exim.org
    - open limited access to our security Git repo. See below.

t0+~4d: Mon Jul 22 10:00:00 UTC 2019 [NOW]
    - heads-up notice to oss-security@lists.openwall.com,
      exim-users@exim.org, and exim-announce@exim.org

t0+~7d: Thu Jul 25 10:00:00 UTC 2019 [NOW]
    - Coordinated relase date
    - publish the patches in our official and public Git repositories
      and the packages on our FTP server.
Commit	Line	Data
57a4741f HSHR	1	To: exim-users@exim.org, exim-announce@exim.org, exim-maintainers@exim.org
	2	From: [ do not use a dmarc protected sender ]
	3
	4	CVE ID: CVE-2019-13917
	5	OVE ID: OVE-20190718-0006
	6	Date: 2019-07-18
	7	Credits: Jeremy Harris
	8	Version(s): 4.85 up to and including 4.92
	9	Issue: A local or remote attacker can execute programs with root
	10	privileges - if you've an unusual configuration. For details
	11	see below.
	12
	13	Coordinated Release Date (CRD) for Exim 4.92.1:
	14	Thu Jul 25 10:00:00 UTC 2019
	15
165e7dd1	16	Contact: security@exim.org
57a4741f HSHR	17
	18	We released Exim 4.92.1. This is a security update based on 4.92.
	19
	20	Conditions to be vulnerable
	21	===========================
	22
	23	If your configuration uses the ${sort } expansion for items that can be
	24	controlled by an attacker (e.g. $local_part, $domain). The default
	25	config, as shipped by the Exim developers, does not contain ${sort }.
	26
	27	Details
	28	=======
	29
	30	The vulnerability is exploitable either remotely or locally and could
	31	be used to execute other programs with root privilege. The ${sort }
	32	expansion re-evaluates its items.
	33
	34	Mitigation
	35	==========
	36
	37	Do not use ${sort } in your configuration.
	38
	39	Fix
	40	===
	41
	42	Install a fixed package supplied by your distribution.
	43	or download and build a fixed version:
	44
	45	For release tarballs (exim-4.92.1):
	46
	47	http://ftp.exim.org/pub/exim/exim4/
	48
	49	The package files are signed with a key from the developers
	50	key set: https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc
	51
	52	For the full Git repo:
	53
	54	https://git.exim.org/exim.git
	55	https://github.com/Exim/exim [mirror of the above]
	56	- tag exim-4.92.1
	57	- branch exim-4.92.1+fixes
	58
	59	The tagged commit is the officially released version. The tag is signed
	60	with a key from the developers keyset. The +fixes branch isn't
	61	officially maintained, but contains the security fix and useful
	62	patches. The relevant commit is signed with a key from the developers
	63	keyset. The old exim-4.92+fixes branch is being functionally replaced by
	64	the new exim-4.92.1+fixes branch.
	65
	66	If you can't install the above versions, ask your package maintainer for
	67	a version containing the backported fix. On request and depending on our
	68	resources we will support you in backporting the fix. (Please note,
	69	that Exim project officially doesn't support versions prior the current
	70	stable version.)
	71
	72	Timeline
	73	========
	74
	75	t0: Thu Jul 18 2019
	76	- this notice to distros@vs.openwall.org and exim-maintainers@exim.org
	77	- open limited access to our security Git repo. See below.
	78
	79	t0+~4d: Mon Jul 22 10:00:00 UTC 2019 [NOW]
	80	- heads-up notice to oss-security@lists.openwall.com,
81	exim-users@exim.org, and exim-announce@exim.org
82
83	t0+~7d: Thu Jul 25 10:00:00 UTC 2019 [NOW]
84	- Coordinated relase date
85	- publish the patches in our official and public Git repositories
86	and the packages on our FTP server.