Bug 662012 - (CVE-2010-4345) CVE-2010-4345 exim privilege escalation
CVE-2010-4345 exim privilege escalation
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 662020 662024 668077 668078 668079 668080 668081 668082
  Show dependency treegraph
Reported: 2010-12-10 05:39 EST by Mark J. Cox
Modified: 2018-02-12 16:45 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-20 13:14:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch for above commits (29.93 KB, patch)
2010-12-14 14:34 EST, Josh Bressers
no flags Details | Diff
backport for exim-4.43 (42.81 KB, patch)
2011-01-06 09:25 EST, Miroslav Lichvar
no flags Details | Diff
backport for exim-4.63 (43.35 KB, patch)
2011-01-06 09:26 EST, Miroslav Lichvar
no flags Details | Diff

  None (edit)
Description Mark J. Cox 2010-12-10 05:39:39 EST
See bug #661756

Secondly a privilege escalation where the trusted 'exim' user is able to tell
Exim to use arbitrary config files, in which further ${run ...} commands will
be invoked as root.

The latter should be addressed by the patch at
Comment 5 David Woodhouse 2010-12-10 12:11:18 EST
Comment 6 David Woodhouse 2010-12-11 22:26:48 EST

I've just pushed a set of patches to

They do the following:

- Add Valgrind hooks to the store pools to aid debugging.

- Don't use config files as root if they're writeable by non-root
  users/groups. Including the Exim user/group.

- Kill ALT_CONFIG_ROOT_ONLY as discussed, so only root can specify
  arbitrary files on the command line with the -C option. If the Exim
  user uses -C, or uses the -D option to set macros, then root privs
  will be dropped.

- Add a TRUSTED_CONFIG_PREFIX_FILE option. If set, it gives a filename
  for a file that contains prefix strings, like the ALT_CONFIG_PREFIX.
  Each line in that file specifies a prefix for config files which are
  to be trusted, and executed with root privilege if seen in the -C
  option, regardless of which user Exim is invoked by. As long as the
  config file is not writeable by anyone but root, of course.

- Set FD_CLOEXEC on SMTP sockets after forking to handle the connection.

The TRUSTED_CONFIG_PREFIX_FILE one wants a little more attention; I
haven't properly tested it yet. But it's 3am so not right now...
Comment 7 Josh Bressers 2010-12-14 14:24:26 EST
Here are the upstream patches for this one:

Allow only absolute paths in TRUSTED_CONFIG_PREFIX_LIST...

Set FD_CLOEXEC on SMTP sockets after forking to handle... 


Remove ALT_CONFIG_ROOT_ONLY build option, effectively... 

Check configure file permissions even for non-default... 

Don't allow a configure file which is writeable by... 
Comment 8 Josh Bressers 2010-12-14 14:34:06 EST
Created attachment 468682 [details]
Patch for above commits
Comment 9 Josh Bressers 2010-12-14 17:48:21 EST
I've been informed that the above commits are still not complete for this issue. I'll update the patch when upstream is finished.
Comment 10 Miroslav Lichvar 2011-01-06 09:25:13 EST
Created attachment 472064 [details]
backport for exim-4.43
Comment 11 Miroslav Lichvar 2011-01-06 09:26:39 EST
Created attachment 472066 [details]
backport for exim-4.63
Comment 13 Josh Bressers 2011-01-07 15:29:18 EST
Created exim tracking bugs for this issue

Affects: fedora-all [bug 668078]
Affects: fedora-all [bug 668078]
Comment 15 Josh Bressers 2011-01-07 15:40:55 EST
I'm lowering the severity of this to moderate. Without another flaw that lets you gain access to the exim user, this flaw has no value.
Comment 16 errata-xmlrpc 2011-01-17 12:47:32 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:0153 https://rhn.redhat.com/errata/RHSA-2011-0153.html

Note You need to log in before you can comment on or make changes to this bug.