Bug 600093 (CVE-2010-2023)

Summary: CVE-2010-2023 exim: hard-link following vulnerability in mailbox handling
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dwmw2, mlichvar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-29 14:44:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Vincent Danen 2010-06-03 22:35:33 UTC
Dan Rosenberg reported that when exim is used with a world-writable mail directory, with the sticky-bit set, local users could create hard-links to other non-root users' files in the mailbox storage directory, causing files to be overwritten upon mail delivery.  This could be used to create a denial of service condition or potentially escalate privileges to those of targeted users.

Further information is available from the upstream bug report [1] and this has been fixed upstream in exim 4.72 [2].

[1] http://bugs.exim.org/show_bug.cgi?id=988
[2] http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.24&r2=1.25

The /var/spool/mail directory on Red Hat Enterprise Linux and Fedora is mode 0755 and owned root:mail.  As a result, this is not exploitable by default.
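The two defensive checks the report implies (a delivery agent refusing a mailbox path that is a hard link or symlink to some other file, and an operator verifying that the spool directory is not world-writable) as an added C example. This is not exim's code and not the upstream appendfile.c fix; the function names, error codes and the scratch directory under /tmp are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes for the mailbox-open check (constructed for this example). */
enum mbox_status {
    MBOX_OK = 0,
    MBOX_ERR_OPEN,        /* open() failed; a symlink is refused here by O_NOFOLLOW */
    MBOX_ERR_NOT_REGULAR, /* opened object is not a regular file */
    MBOX_ERR_HARDLINK,    /* link count > 1: the inode is also reachable by another name */
    MBOX_ERR_OWNER        /* owned by someone other than the recipient */
};

/*
 * Open an mbox-style mailbox for appending while refusing the conditions
 * that make hard-link following dangerous in a shared spool directory.
 * On MBOX_OK, *fd_out holds the open descriptor; otherwise it is -1.
 */
enum mbox_status open_mailbox_safely(const char *path, uid_t recipient_uid, int *fd_out)
{
    struct stat st;
    int fd;

    *fd_out = -1;
    /* O_NOFOLLOW: never follow a symlink planted at the mailbox path.
     * O_CREAT with mode 0600 creates a fresh, private file if none exists. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return MBOX_ERR_OPEN;

    /* Inspect the object actually opened, not the path (no TOCTOU window). */
    if (fstat(fd, &st) < 0)      { close(fd); return MBOX_ERR_OPEN; }
    if (!S_ISREG(st.st_mode))    { close(fd); return MBOX_ERR_NOT_REGULAR; }
    if (st.st_nlink != 1)        { close(fd); return MBOX_ERR_HARDLINK; }
    if (st.st_uid != recipient_uid) { close(fd); return MBOX_ERR_OWNER; }

    *fd_out = fd;
    return MBOX_OK;
}

/*
 * Operator check: a spool directory is only safe against this flaw if it is
 * not world-writable (the Red Hat default of 0755 root:mail qualifies).
 * Returns 1 if safe, 0 if world-writable (even with the sticky bit), -1 on error.
 */
int spool_dir_is_safe(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) < 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & S_IWOTH) ? 0 : 1;
}

/*
 * Self-contained demonstration on a constructed scratch directory: a plain
 * mailbox is accepted, a hard link to it is refused, a symlink is refused,
 * and the directory check distinguishes 0755 from 01777.
 * Returns 0 when every step behaves as expected, else the failing step number.
 */
int run_demo(void)
{
    char dir[] = "/tmp/mboxdemo.XXXXXX";
    char mbox[64], hl[64], sym[64];
    int fd = -1, rc = 0;
    uid_t me = getuid();

    if (mkdtemp(dir) == NULL) return 1;
    snprintf(mbox, sizeof mbox, "%s/alice", dir);
    snprintf(hl,   sizeof hl,   "%s/bob",   dir); /* "bob" planted as a hard link */
    snprintf(sym,  sizeof sym,  "%s/carol", dir); /* "carol" planted as a symlink */

    /* step 2: a freshly created private mailbox is accepted */
    if (open_mailbox_safely(mbox, me, &fd) != MBOX_OK) rc = 2;
    if (fd >= 0) { close(fd); fd = -1; }

    /* step 3: a second name for the same inode gives st_nlink == 2, so it is refused */
    if (!rc && (link(mbox, hl) < 0 ||
                open_mailbox_safely(hl, me, &fd) != MBOX_ERR_HARDLINK)) rc = 3;

    /* step 4: a symlink at the mailbox path is refused by O_NOFOLLOW */
    if (!rc && (symlink("/dev/null", sym) < 0 ||
                open_mailbox_safely(sym, me, &fd) != MBOX_ERR_OPEN)) rc = 4;

    /* steps 5 and 6: directory mode 0755 is safe, 01777 (world-writable + sticky) is not */
    if (!rc && (chmod(dir, 0755) < 0 || spool_dir_is_safe(dir) != 1)) rc = 5;
    if (!rc && (chmod(dir, 01777) < 0 || spool_dir_is_safe(dir) != 0)) rc = 6;

    unlink(sym); unlink(hl); unlink(mbox); rmdir(dir); /* remove the scratch tree */
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (code %d)\n", rc == 0 ? "passed" : "FAILED", rc);
    return rc;
}
```

The link-count check is the one that matters for the scenario in the report: the planted entry points at a file the victim already owns, so an ownership test alone would accept it, while `st_nlink != 1` rejects any inode that is reachable under a second name.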

Comment 1 Vincent Danen 2010-06-03 23:03:48 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact.  By default, /var/spool/mail/ is not provided with permissions to make an attack scenario possible, and there is no reason for permissions to be relaxed in such a way as to make it possible.  We therefore have no plans to fix this flaw in Red Hat Enterprise Linux 4 or 5.

Comment 2 Fedora Update System 2010-06-03 23:51:55 UTC
exim-4.72-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/exim-4.72-1.fc12

Comment 3 Fedora Update System 2010-06-03 23:52:58 UTC
exim-4.72-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/exim-4.72-1.fc13

Comment 4 Fedora Update System 2010-06-08 19:33:27 UTC
exim-4.72-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2010-06-08 19:39:37 UTC
exim-4.72-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.