Bug 662012 (CVE-2010-4345) - CVE-2010-4345 exim: privilege escalation
Summary: CVE-2010-4345 exim: privilege escalation
Alias: CVE-2010-4345
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 662020 662024 668077 668078 668079 668080 668081 668082
TreeView+ depends on / blocked
Reported: 2010-12-10 10:39 UTC by Mark J. Cox
Modified: 2021-02-04 00:57 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-06-20 17:14:35 UTC

Attachments (Terms of Use)
Patch for above commits (29.93 KB, patch)
2010-12-14 19:34 UTC, Josh Bressers
no flags Details | Diff
backport for exim-4.43 (42.81 KB, patch)
2011-01-06 14:25 UTC, Miroslav Lichvar
no flags Details | Diff
backport for exim-4.63 (43.35 KB, patch)
2011-01-06 14:26 UTC, Miroslav Lichvar
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0153 0 normal SHIPPED_LIVE Moderate: exim security update 2011-01-17 17:47:26 UTC

Description Mark J. Cox 2010-12-10 10:39:39 UTC
See bug #661756

Secondly a privilege escalation where the trusted 'exim' user is able to tell
Exim to use arbitrary config files, in which further ${run ...} commands will
be invoked as root.

The latter should be addressed by the patch at

Comment 5 David Woodhouse 2010-12-10 17:11:18 UTC

Comment 6 David Woodhouse 2010-12-12 03:26:48 UTC

I've just pushed a set of patches to

They do the following:

- Add Valgrind hooks to the store pools to aid debugging.

- Don't use config files as root if they're writeable by non-root
  users/groups. Including the Exim user/group.

- Kill ALT_CONFIG_ROOT_ONLY as discussed, so only root can specify
  arbitrary files on the command line with the -C option. If the Exim
  user uses -C, or uses the -D option to set macros, then root privs
  will be dropped.

- Add a TRUSTED_CONFIG_PREFIX_FILE option. If set, it gives a filename
  for a file that contains prefix strings, like the ALT_CONFIG_PREFIX.
  Each line in that file specifies a prefix for config files which are
  to be trusted, and executed with root privilege if seen in the -C
  option, regardless of which user Exim is invoked by. As long as the
  config file is not writeable by anyone but root, of course.

- Set FD_CLOEXEC on SMTP sockets after forking to handle the connection.

The TRUSTED_CONFIG_PREFIX_FILE one wants a little more attention; I
haven't properly tested it yet. But it's 3am so not right now...

Comment 7 Josh Bressers 2010-12-14 19:24:26 UTC
Here are the upstream patches for this one:

Allow only absolute paths in TRUSTED_CONFIG_PREFIX_LIST...

Set FD_CLOEXEC on SMTP sockets after forking to handle... 


Remove ALT_CONFIG_ROOT_ONLY build option, effectively... 

Check configure file permissions even for non-default... 

Don't allow a configure file which is writeable by... 

Comment 8 Josh Bressers 2010-12-14 19:34:06 UTC
Created attachment 468682 [details]
Patch for above commits

Comment 9 Josh Bressers 2010-12-14 22:48:21 UTC
I've been informed that the above commits are still not complete for this issue. I'll update the patch when upstream is finished.

Comment 10 Miroslav Lichvar 2011-01-06 14:25:13 UTC
Created attachment 472064 [details]
backport for exim-4.43

Comment 11 Miroslav Lichvar 2011-01-06 14:26:39 UTC
Created attachment 472066 [details]
backport for exim-4.63

Comment 13 Josh Bressers 2011-01-07 20:29:18 UTC
Created exim tracking bugs for this issue

Affects: fedora-all [bug 668078]
Affects: fedora-all [bug 668078]

Comment 15 Josh Bressers 2011-01-07 20:40:55 UTC
I'm lowering the severity of this to moderate. Without another flaw that lets you gain access to the exim user, this flaw has no value.

Comment 16 errata-xmlrpc 2011-01-17 17:47:32 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:0153 https://rhn.redhat.com/errata/RHSA-2011-0153.html

Note You need to log in before you can comment on or make changes to this bug.