Bug 670945 (CVE-2011-0017)

Summary: CVE-2011-0017 Exim: privilege escalation
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Reporter: Josh Bressers <bressers>
Assignee: Red Hat Product Security <security-response-team>
CC: mlichvar, security-response-team, vdanen, wnefal+redhatbugzilla
Last Closed: 2019-05-31 12:35:53 UTC

Description Josh Bressers 2011-01-19 18:21:23 UTC
The exim setuid executable contains unchecked setuid() calls. If an
attacker is able to exceed the exim user's resource limits, the setuid()
call could fail, preventing the executable from dropping root privileges.

If an attacker gains access to the exim user (via another exploit), they
could potentially overwrite arbitrary system files with a symlink. The
files would contain an email message, which could potentially be used to
execute arbitrary code as root.

Comment 1 Josh Bressers 2011-01-19 18:22:26 UTC
Acknowledgements:

Red Hat would like to thank Phil Pennock for reporting this issue.

Comment 2 Vincent Danen 2011-02-02 16:15:29 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0017 to
the following vulnerability:

Name: CVE-2011-0017
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0017
Assigned: 20101207
Reference: URL: http://lists.exim.org/lurker/message/20110126.034702.4d69c278.en.html
Reference: CONFIRM:ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74
Reference: URL: http://www.debian.org/security/2011/dsa-2154
Reference: URL: http://www.securityfocus.com/bid/46065
Reference: URL: http://osvdb.org/70696
Reference: URL: http://secunia.com/advisories/43101
Reference: URL: http://secunia.com/advisories/43128
Reference: URL: http://www.vupen.com/english/advisories/2011/0224
Reference: URL: http://www.vupen.com/english/advisories/2011/0245
Reference: URL: http://xforce.iss.net/xforce/xfdb/65028

The open_log function in log.c in Exim 4.72 and earlier does not check
the return value from (1) setuid or (2) setgid system calls, which
allows local users to append log data to arbitrary files via a symlink
attack.

Exim 4.74 is available to fix this.
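
The two descriptions above (the report in comment 0 and the CVE text in comment 2) both come down to the same C-level mistake: the return values of setgid()/setuid() are discarded, so a failure (for example EAGAIN when the target uid is already at its RLIMIT_NPROC) leaves the process running as root while it opens the log. The following is an added example written for this page, not Exim's log.c and not code from the bug report. It places the unchecked pattern next to a checked one and verifies the drop by reading the credentials back. The function names (drop_privs_unchecked, drop_privs_checked, verify_privs) are my own, and the invalid id (uid_t)-1 is used as a constructed way to make setuid()/setgid() fail on Linux (EINVAL) without needing root.

```c
/* Added example, not Exim's code: checked vs. unchecked privilege drop.
 * Build: cc -Wall -o dropdemo dropdemo.c   (Linux; runs unprivileged) */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read back all four credentials and confirm they match the target.
 * For a non-root target also confirm root cannot be regained, which is
 * exactly what a silently failed setuid() would leave possible.
 * Returns 0 if privileges are really dropped, -1 (errno EACCES) otherwise. */
int verify_privs(uid_t uid, gid_t gid)
{
    int saved = errno;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EACCES;
        return -1;
    }
    if (uid != 0 && setuid(0) == 0) {
        errno = EACCES;          /* we got root back: drop was not permanent */
        return -1;
    }
    errno = saved;               /* the expected EPERM from setuid(0) is not an error */
    return 0;
}

/* Vulnerable pattern (what CVE-2011-0017 describes): the results of
 * setgid()/setuid() are thrown away.  If setuid() fails, e.g. with EAGAIN
 * because the target uid has reached its RLIMIT_NPROC, the caller carries on
 * with its original (root) credentials and opens the log file as root. */
void drop_privs_unchecked(uid_t uid, gid_t gid)
{
    int rc;
    rc = setgid(gid); (void)rc;  /* return value ignored */
    rc = setuid(uid); (void)rc;  /* return value ignored */
}

/* Hardened pattern: every call checked, in the right order (supplementary
 * groups, gid, then uid, since after setuid() a non-root process can no
 * longer change its groups), and the outcome verified by reading it back.
 * Returns 0 on success, -1 with errno set on any failure. */
int drop_privs_checked(uid_t uid, gid_t gid)
{
    /* Clearing supplementary groups needs CAP_SETGID; tolerate EPERM so the
     * example also runs as an ordinary user. */
    if (setgroups(0, NULL) != 0 && errno != EPERM)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return verify_privs(uid, gid);
}

int main(void)
{
    /* Constructed invalid id: Linux rejects it with EINVAL, so the call fails
     * whether or not we are root, standing in for the EAGAIN case. */
    uid_t bad = (uid_t)-1;

    drop_privs_unchecked(bad, (gid_t)bad);
    printf("unchecked drop to invalid id: verify -> %d, still euid %u\n",
           verify_privs(bad, (gid_t)bad), (unsigned)geteuid());

    if (drop_privs_checked(bad, (gid_t)bad) != 0)
        printf("checked drop to invalid id: refused (%s)\n", strerror(errno));

    if (drop_privs_checked(getuid(), getgid()) == 0)
        printf("checked drop to own uid/gid: ok, euid %u\n", (unsigned)geteuid());
    return 0;
}
```

The point of verify_privs() is that a privilege drop is a security decision, not a courtesy: a daemon that is about to open a path an unprivileged user can influence (the log file in this case) must refuse to continue unless it can prove it is no longer root, because with root intact a symlink at the log path redirects the appended message into any file on the system.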