CVE ID: CVE-2019-13917
OVE ID: OVE-20190718-0006
Date: 2019-07-18
Credits: Jeremy Harris
Version(s): 4.85 up to and including 4.92
Issue: A local or remote attacker can execute programs with root
privileges - if you have an unusual configuration. See below.

Conditions to be vulnerable
===========================

If your configuration uses the ${sort } expansion for items that can be
controlled by an attacker (e.g. $local_part, $domain). The default
config, as shipped by the Exim developers, does not contain ${sort }.

Details
=======

The vulnerability is exploitable either remotely or locally and could
be used to execute other programs with root privilege. The ${sort }
expansion re-evaluates its items.

Mitigation
==========

Do not use ${sort } in your configuration.
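The conditions above amount to a configuration audit: does any ${sort } item take input a client can influence? The following is an added example, not part of the Exim project or of this advisory; it extracts each ${sort ...} item from an Exim configuration with balanced braces and flags those that reference attacker-controlled variables. The variable list beyond $local_part and $domain and the sample configuration are constructed assumptions.

```python
import re

# Variables an SMTP client can influence.  The advisory names $local_part
# and $domain; the others are added here as an illustrative assumption.
ATTACKER_CONTROLLED = ("local_part", "domain", "sender_address",
                       "sender_helo_name", "original_local_part")
_VAR_RE = re.compile(r"\$\{?(" + "|".join(ATTACKER_CONTROLLED) + r")\b")


def find_sort_items(text):
    """Return [(line_no, item)] for each ${sort ...} item, braces balanced.
    Whole-line '#' comments are blanked first; a backslash escapes the
    next character, which also covers Exim's line continuations."""
    text = "\n".join("" if ln.lstrip().startswith("#") else ln
                     for ln in text.split("\n"))
    items, pos = [], 0
    while (start := text.find("${sort", pos)) >= 0:
        depth, i, end = 0, start + 1, None
        while i < len(text):
            ch = text[i]
            if ch == "\\":
                i += 2
                continue
            depth += (ch == "{") - (ch == "}")
            if ch == "}" and depth == 0:
                end = i + 1
                break
            i += 1
        end = len(text) if end is None else end  # unbalanced: keep the rest
        items.append((text.count("\n", 0, start) + 1, text[start:end]))
        pos = end
    return items


def risky_sort_items(text):
    """${sort ...} items whose arguments reference attacker-controlled data."""
    return [(ln, item, sorted(set(_VAR_RE.findall(item))))
            for ln, item in find_sort_items(text) if _VAR_RE.search(item)]


# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONFIG = r"""# constructed sample, not a real deployment
acl_check_rcpt:
  warn  set acl_m0 = ${sort {$domain:${lookup{$local_part}lsearch{/etc/aliases}{$value}}}{<}{$item}}
  warn  set acl_m1 = ${sort {a:b:c}{<}{$item}}
  accept
"""

if __name__ == "__main__":
    for line_no, item, variables in risky_sort_items(SAMPLE_CONFIG):
        print(f"line {line_no}: ${{sort}} uses {', '.join(variables)}: {item}")
```

Run it against a real configuration by reading the file into `risky_sort_items`; a hit does not prove exploitability, only that the advisory's precondition is met and the item deserves removal or review.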

Fix
===

Download and build a fixed version:

Tarballs: http://ftp.exim.org/pub/exim/exim4/
Git: https://github.com/Exim/exim.git
- tag exim-4.92.1
- branch exim-4.92+fixes

The tagged commit is the officially released version. The +fixes branch
isn't officially maintained, but contains useful patches *and* the
security fix.

If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix. (Please note that
the Exim project officially doesn't support versions prior to the current
stable version.)