Dan Rosenberg reported that when exim is used with a world-writable mail directory, with the sticky-bit set, local users could create hard-links to other non-root users' files in the mailbox storage directory, causing files to be overwritten upon mail delivery. This could be used to create a denial of service condition or potentially escalate privileges to those of targeted users.

Further information is available from the upstream bug report [1] and this has been fixed upstream in exim 4.72 [2].

[1] http://bugs.exim.org/show_bug.cgi?id=988
[2] http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.24&r2=1.25

The /var/spool/mail directory on Red Hat Enterprise Linux and Fedora is mode 0755 and owned root:mail. As a result, this is not exploitable by default.
Statement: The Red Hat Security Response Team has rated this issue as having low security impact. By default, /var/spool/mail/ is not provided with permissions to make an attack scenario possible, and there is no reason for permissions to be relaxed in such a way as to make it possible. We therefore have no plans to fix this flaw in Red Hat Enterprise Linux 4 or 5.
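An added audit sketch, not part of the original report or of exim: it flags the directory mode the report describes (world-writable, with or without the sticky bit) and mailbox entries that are symlinks or regular files with more than one hard link. The function name audit_spool and the finding labels are assumptions made for this example; /var/spool/mail is the path named in the report.

```python
import os
import stat
import sys


def audit_spool(path):
    """Return (kind, detail) findings for a mail spool directory."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    world_writable = bool(mode & stat.S_IWOTH)
    sticky = bool(mode & stat.S_ISVTX)

    # The precondition from the report: any local user can create
    # entries (including hard links) in the mailbox directory.
    if world_writable:
        note = "with sticky bit" if sticky else "without sticky bit"
        findings.append(("dir-mode", f"{path} is world-writable {note} ({mode:04o})"))

    for entry in os.scandir(path):
        est = entry.stat(follow_symlinks=False)
        if stat.S_ISLNK(est.st_mode):
            findings.append(("symlink", entry.name))
        elif stat.S_ISREG(est.st_mode) and est.st_nlink > 1:
            # Heuristic: a mailbox normally has exactly one name. A higher
            # link count means the same inode is reachable elsewhere.
            findings.append(("hardlink", f"{entry.name} has {est.st_nlink} links"))
    return findings


if __name__ == "__main__":
    spool = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/mail"
    if not os.path.isdir(spool):
        sys.exit(f"{spool}: not a directory")
    results = audit_spool(spool)
    for kind, detail in results:
        print(f"{kind}: {detail}")
    sys.exit(1 if results else 0)
```

A clean run on a directory with mode 0755 owned root:mail, as described for Red Hat Enterprise Linux and Fedora, produces no dir-mode finding.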
exim-4.72-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/exim-4.72-1.fc12
exim-4.72-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/exim-4.72-1.fc13
exim-4.72-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
exim-4.72-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.