[exim.git] / doc / doc-txt / cve-2019-13917

CVE ID:     CVE-2019-13917
OVE ID:     OVE-20190718-0006
Date:       2019-07-18
Credits:    Jeremy Harris
Version(s): 4.85 up to and including 4.92
Issue:      A local or remote attacker can execute programs with root
            privileges - if you've an unusual configuration. See below.

Conditions to be vulnerable
===========================

If your configuration uses the ${sort } expansion for items that can be
controlled by an attacker (e.g. $local_part, $domain). The default
config, as shipped by the Exim developers, does not contain ${sort }.

Details
=======

The vulnerability is exploitable either remotely or locally and could
be used to execute other programs with root privilege.  The ${sort }
expansion re-evaluates its items.

Mitigation
==========

Do not use ${sort } in your configuration.

Fix
===

Download and build a fixed version:

    Tarballs: http://ftp.exim.org/pub/exim/exim4/
    Git:      https://github.com/Exim/exim.git
              - tag    exim-4.92.1
              - branch exim-4.92+fixes

The tagged commit is the officially released version. The +fixes branch
isn't officially maintained, but contains useful patches *and* the
security fix.

If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix.  (Please note,
that Exim project officially doesn't support versions prior the current
stable version.)
Commit	Line	Data
21aa0597 JH	1	CVE ID: CVE-2019-13917
	2	OVE ID: OVE-20190718-0006
	3	Date: 2019-07-18
	4	Credits: Jeremy Harris
	5	Version(s): 4.85 up to and including 4.92
	6	Issue: A local or remote attacker can execute programs with root
	7	privileges - if you've an unusual configuration. See below.
	8
	9	Conditions to be vulnerable
	10	===========================
	11
	12	If your configuration uses the ${sort } expansion for items that can be
	13	controlled by an attacker (e.g. $local_part, $domain). The default
	14	config, as shipped by the Exim developers, does not contain ${sort }.
	15
	16	Details
	17	=======
	18
	19	The vulnerability is exploitable either remotely or locally and could
	20	be used to execute other programs with root privilege. The ${sort }
	21	expansion re-evaluates its items.
	22
	23	Mitigation
	24	==========
	25
	26	Do not use ${sort } in your configuration.
	27
	28	Fix
	29	===
	30
	31	Download and build a fixed version:
	32
	33	Tarballs: http://ftp.exim.org/pub/exim/exim4/
	34	Git: https://github.com/Exim/exim.git
	35	- tag exim-4.92.1
	36	- branch exim-4.92+fixes
	37
	38	The tagged commit is the officially released version. The +fixes branch
	39	isn't officially maintained, but contains useful patches and the
	40	security fix.
	41
	42	If you can't install the above versions, ask your package maintainer for
	43	a version containing the backported fix. On request and depending on our
	44	resources we will support you in backporting the fix. (Please note,
	45	that Exim project officially doesn't support versions prior the current
	46	stable version.)