oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Exim CVE-2016-1531 fixed

From: Heiko Schlittermann <hs () schlittermann de>
Date: Thu, 3 Mar 2016 10:09:27 +0100
Hello,

We've fixed CVE-2016-1531. The fix was announced to the public
via exim-{maintainers,dev,users} mailing lists, via the
about Wed, 2 Mar 2016 19:10 GMT, the announcement to exim-announce
followed about one hour later.

Known distro maintainers and Exim contributors got access to the fix
on Monday, 29 Feb 2016 at 14:00 GMT.

Some *BSD portability issues where fixed on Tue Mar 1 late evening.

The announcement we sent to the above mentioned lists:

Security fix for CVE-2016-1531
==============================

All installations having Exim set-uid root and using 'perl_startup' are
vulnerable to a local privilege escalation. Any user who can start an
instance of Exim (and this is normally *any* user) can gain root
privileges.

New options
-----------

We had to introduce two new configuration options:

    keep_environment =
    add_environment =

Both options are empty per default. That is, Exim cleans the complete
environment on startup. This affects Exim itself and any subprocesses,
as transports, that may call other programs via some alias mechanisms,
as routers (queryprogram), lookups, and so on.

** THIS MAY BREAK your existing installation **

If both options are not used in the configuration, Exim issues a warning
on startup. This warning disappears if at least one of these options is
used (even if set to an empty value).

keep_environment should contain a list of trusted environment variables.
(Do you trust PATH?). This may be a list of names and REs.

    keep_environment = ^LDAP_ : FOO_PATH

To add (or override) variables, you can use add_environment:

    add_environment = <; PATH=/sbin:/usr/sbin


New behaviour
-------------

Now Exim changes it's working directory to / right after startup,
even before reading it's configuration. (Later Exim changes it's working
directory to $spool_directory, as usual.)

Exim only accepts an absolute configuration file path now, when using
the -C option.


Thank you for your understanding.


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

Attachment: signature.asc
Description: Digital signature

Previous By Date Next
Previous By Thread Next

Current thread: