Bug 1715237 (CVE-2019-10149)

Summary: CVE-2019-10149 exim: Remote command execution in deliver_message() function in /src/deliver.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: agk, bennie.joubert, darunesh, dwmw2, fleite, huzaifas, jeharris, jskarvad, mpoole, omarandemad, pbergene, security-response-team, tremble
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: exim 4.92 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Exim, where improper validation of the recipient address in the deliver_message() function in /src/deliver.c occurred. An attacker could use this flaw to achieve remote command execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-30 03:56:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1716935    
Bug Blocks: 1715238    

Description Pedro Sampaio 2019-05-29 21:16:06 UTC 
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.

References:

https://www.openwall.com/lists/oss-security/2019/06/04/1
https://exim.org/static/doc/security/CVE-2019-10149.txt
Comment 1 Pedro Sampaio 2019-05-30 00:12:51 UTC 
Acknowledgments:

Name: Qualys Research Labs
Comment 2 Huzaifa S. Sidhpurwala 2019-05-30 03:56:19 UTC 
As per the reporter:

"Exim is vulnerable by default since version 4.87 (released on April 6,2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and
older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled manually. Surprisingly, this vulnerability was fixed in version 4.92
(released on February 10, 2019)"

Therefore lower versions of exim (Red Hat Enterprise Linux ships exim-4.63) are not affected by this flaw.
Comment 4 Huzaifa S. Sidhpurwala 2019-05-30 04:03:48 UTC 
Statement:

Exim is vulnerable since version 4.87, therefore the version of exim package (exim-4.63) shipped with Red Hat Enterprise Linux 5 is not affected by this flaw.
Comment 5 Dhananjay Arunesh 2019-06-04 12:26:33 UTC 
Created exim tracking bugs for this issue:

Affects: epel-all [bug 1716935]
Comment 12 Huzaifa S. Sidhpurwala 2019-06-06 10:50:41 UTC 
External References:

https://www.exim.org/static/doc/security/CVE-2019-10149.txt
Comment 13 Tomas Hoger 2019-06-10 09:49:32 UTC 
Upstream commit:

https://git.exim.org/exim.git/commitdiff/d740d2111f189760593a303124ff6b9b1f83453d
Comment 14 Tomas Hoger 2019-06-10 10:06:39 UTC 
The above fix was included in mainline / 4.92 via the following commit from Sep 2018:

https://git.exim.org/exim.git/commitdiff/7ea1237c783e380d7bdb86c90b13d8203c7ecf26