CVE ID: CVE-2019-13917
OVE ID: OVE-20190718-0006
Date: 2019-07-18
Credits: Jeremy Harris
Version(s): 4.85 up to and including 4.92
Issue: A local or remote attacker can execute programs with root
privileges - if you have an unusual configuration. See below.

Conditions to be vulnerable
===========================

You are vulnerable if your configuration uses the ${sort } expansion for
items that can be controlled by an attacker (e.g. $local_part, $domain).
The default config, as shipped by the Exim developers, does not contain
${sort }.

Details
=======

The vulnerability is exploitable either remotely or locally and could
be used to execute other programs with root privilege. The ${sort }
expansion re-evaluates its items.

Mitigation
==========

Do not use ${sort } in your configuration.

Fix
===

Download and build a fixed version:

Tarballs: http://ftp.exim.org/pub/exim/exim4/
Git: https://github.com/Exim/exim.git
- tag exim-4.92.1
- branch exim-4.92+fixes

The tagged commit is the officially released version. The +fixes branch
isn't officially maintained, but contains useful patches *and* the
security fix.

If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix. (Please note that
the Exim project officially doesn't support versions prior to the current
stable version.)
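An "am I affected?" check for the conditions above, added here as an example and not part of the Exim advisory or the Exim project: it tests whether a version string falls in the affected 4.85 .. 4.92 range (4.92.1 carries the fix) and counts ${sort } expansions in a configuration whose items mention $local_part or $domain. The `exim -bV` output format, the function names and the sample configuration fragment are assumptions.

```shell
#!/bin/sh
# Added example, not from the Exim advisory: a quick "am I affected?" check for
# CVE-2019-13917. Affected range (4.85 .. 4.92, fixed in 4.92.1) and the
# "${sort } over attacker-controlled items" condition come from the advisory;
# the `exim -bV` line format and the sample config below are assumptions.

# Extract "4.92" from a line such as "Exim version 4.92 #2 built ..." (assumed format).
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when the version is within 4.85 .. 4.92 inclusive; 4.92.1 and later are fixed.
exim_version_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    [ -n "$patch" ] || patch=0
    [ "$major" -eq 4 ] || return 1
    [ "$minor" -ge 85 ] && [ "$minor" -le 92 ] || return 1
    [ "$minor" -eq 92 ] && [ "$patch" -ge 1 ] && return 1
    return 0
}

# Count ${sort } expansions whose argument mentions $local_part or $domain,
# the attacker-controllable items the advisory names. Always exits 0.
count_risky_sort() {
    grep -cE '\$\{sort .*\$(local_part|domain)' "$1" || true
}

# Constructed sample configuration fragment (illustrative, not a validated Exim config).
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
domainlist local_domains = @ : example.test
# risky: sorting a list derived from the attacker-controlled domain
mx_hosts = ${sort {${lookup dnsdb{>:,, mx=$domain}}}{<}{${listextract{1}{<,$item}}}}
# harmless: sorting a fixed list that no remote party influences
priorities = ${sort {3:1:2}{<}{$item}}
EOF

if exim_version_affected "$(exim_version_from_bv 'Exim version 4.92 #2 built 01-Jan-2019')"; then
    echo "version in affected range; risky \${sort } uses: $(count_risky_sort "$SAMPLE_CONFIG")"
fi
```

Replace the constructed `exim -bV` line and sample file with the real output and your own configuration file to run the check on a live system.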