Bug 600093 (CVE-2010-2023)

Summary: CVE-2010-2023 exim: hard-link following vulnerability in mailbox handling
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: dwmw2, mlichvar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: public=20100603,reported=20100603,source=internet,fedora-all/exim=affected/impact=low/cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:P/A:N/,rhel-4/exim=affected/impact=low/cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:P/A:N/,rhel-5/exim=affected/impact=low/cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:P/A:N/
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2015-07-29 10:44:17 EDT

Description Vincent Danen 2010-06-03 18:35:33 EDT
Dan Rosenberg reported that when exim is used with a world-writable mail directory, with the sticky-bit set, local users could create hard-links to other non-root users' files in the mailbox storage directory, causing files to be overwritten upon mail delivery.  This could be used to create a denial of service condition or potentially escalate privileges to those of targeted users.

Further information is available from the upstream bug report [1] and this has been fixed upstream in exim 4.72 [2].

[1] http://bugs.exim.org/show_bug.cgi?id=988
[2] http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.24&r2=1.25

The /var/spool/mail directory on Red Hat Enterprise Linux and Fedora is mode 0755 and owned root:mail.  As a result, this is not exploitable by default.
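An added audit check, not part of this bug report or of exim, that looks for the two conditions the report combines: a mail spool directory that local users can write to (world-writable, with or without the sticky bit) and any mailbox file whose link count is above one, so that an append during delivery would also modify another path. The function name, the finding strings and the constructed temporary spool used by `demo()` are assumptions made for the example.

```python
import os
import stat
import tempfile


def audit_mail_spool(spool):
    """Return (path, finding) pairs describing risky state in a mail spool.

    Two conditions are checked: a spool directory that local users can write
    to (the precondition in the report), and any regular file whose link
    count is above one, which means an append by the MTA also changes a file
    reachable under another name.
    """
    findings = []
    dst = os.lstat(spool)
    dmode = stat.S_IMODE(dst.st_mode)
    if dmode & stat.S_IWOTH:
        kind = "world-writable with sticky bit" if dmode & stat.S_ISVTX else "world-writable"
        findings.append((spool, f"spool directory is {kind} (mode {dmode:04o})"))
    for entry in os.scandir(spool):
        fst = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(fst.st_mode) and fst.st_nlink > 1:
            findings.append((entry.path, f"mailbox has {fst.st_nlink} hard links"))
    return findings


def demo():
    """Build a constructed spool in the reported layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = os.path.join(tmp, "mail")
        os.mkdir(spool)
        os.chmod(spool, 0o1777)  # world-writable plus sticky bit: the layout the report describes
        with open(os.path.join(spool, "alice"), "w") as f:
            f.write("From alice@example.test\n")  # an ordinary mailbox, constructed
        victim = os.path.join(tmp, "victim_file")  # stands in for another user's file
        with open(victim, "w") as f:
            f.write("contents another user cares about\n")
        # A spool entry named like a mailbox but hard-linked to the victim's file:
        # a delivery for "carol" would append to victim_file as well.
        os.link(victim, os.path.join(spool, "carol"))
        return audit_mail_spool(spool)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

Run against a real spool, `audit_mail_spool("/var/spool/mail")` returns an empty list on the default 0755 root:mail layout described above.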
Comment 1 Vincent Danen 2010-06-03 19:03:48 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact.  By default, /var/spool/mail/ is not provided with permissions to make an attack scenario possible, and there is no reason for permissions to be relaxed in such a way as to make it possible.  We therefore have no plans to fix this flaw in Red Hat Enterprise Linux 4 or 5.
Comment 2 Fedora Update System 2010-06-03 19:51:55 EDT
exim-4.72-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/exim-4.72-1.fc12
Comment 3 Fedora Update System 2010-06-03 19:52:58 EDT
exim-4.72-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/exim-4.72-1.fc13
Comment 4 Fedora Update System 2010-06-08 15:33:27 EDT
exim-4.72-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2010-06-08 15:39:37 EDT
exim-4.72-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.