On 2019/06/05 17:20, Heiko Schlittermann via mailop wrote:
> The fix for CVE-2019-10149 is public now.
>
> https://git.exim.org/exim.git
> Branch exim-4_91+fixes.
>
> Thank you to
> - Qualys for reporting it.
> - Jeremy for fixing it.
> - you for using Exim.
>
> Sorry for confusion about the public release. We were forced to react,
> as details leaked.
>
> The patch should apply cleanly to all affected versions (4.87->4.91). We
> do not do a security release, as the official Exim version is at 4.92
> already and older releases are considered to be outdated and not
> supported by the developers anymore.
>
> Please do not hesitate to contact us if you need help backporting the
> fix.
And the Qualys write-up is here and it's a fun one.

https://seclists.org/oss-sec/2019/q2/152

Excerpts:

In this particular case, RCE means Remote *Command* Execution, not Remote
Code Execution: an attacker can execute arbitrary commands with execv(),
as root; no memory corruption or ROP (Return-Oriented Programming) is
involved.

...

a local attacker can simply send a mail to "${run{...}}@localhost" (where
"localhost" is one of Exim's local_domains) and execute arbitrary
commands, as root (deliver_drop_privilege is false, by default):

...

- If Exim was configured to relay mail to a remote domain, as a secondary
  MX (Mail eXchange), then a remote attacker can simply reuse our
  local-exploitation method with an RCPT TO "${run{...}}@khazad.dum"
  (where "khazad.dum" is one of Exim's relay_to_domains).

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
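For operators triaging this after the fact, the two questions are "is my Exim in the affected 4.87..4.91 range?" and "did anyone already send me recipients shaped like ${run{...}}@<local or relay domain>?". The following is an added example written for this thread, not code from Exim, Qualys or the mailing list. It assumes an approximate Exim "<=" arrival-line layout ending in "for <recipient>[, <recipient>...]"; the log lines are constructed, and the message ids, hosts and addresses in them are made up.

```python
import re
from typing import Dict, Iterable, List

# Affected range as stated in the Exim announcement: 4.87 -> 4.91 (4.92 is fixed).
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# A "${" string-expansion opener has no business in a recipient local part;
# the CVE-2019-10149 trigger quoted above is "${run{...}}@<domain>".
EXPANSION_RE = re.compile(r"\$\{")

# Assumed (approximate) Exim arrival-line tail: "... for rcpt1, rcpt2".
FOR_RE = re.compile(r"\bfor\s+(.+?)\s*$")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def is_affected_version(version: str) -> bool:
    """True if an Exim version string ("4.91", "4.91+fixes", ...) is in 4.87..4.91."""
    m = re.match(r"(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Exim version: {version!r}")
    v = (int(m.group(1)), int(m.group(2)))
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def suspicious_recipients(line: str) -> List[str]:
    """Recipients on one log line whose local part contains a '${' expansion opener."""
    m = FOR_RE.search(line)
    if not m:
        return []
    hits = []
    for rcpt in (r.strip() for r in m.group(1).split(",")):
        # rpartition: the domain never contains '@', so split on the last one.
        local_part, _, _domain = rcpt.rpartition("@")
        if EXPANSION_RE.search(local_part):
            hits.append(rcpt)
    return hits


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Collect (message id, peer address, recipient) for every suspicious recipient."""
    findings = []
    for line in lines:
        for rcpt in suspicious_recipients(line):
            fields = line.split()
            ip = IP_RE.search(line)
            findings.append({
                "message_id": fields[2] if len(fields) > 2 else "",
                "peer": ip.group(1) if ip else "",
                "recipient": rcpt,
            })
    return findings


# Constructed sample lines (hypothetical ids, hosts and addresses).
SAMPLE_LOG = [
    "2019-06-05 17:20:01 1hYQ9x-0001Ab-2n <= alice@example.org H=(mail.example.org) [192.0.2.10] P=esmtp S=1423 for bob@localhost",
    "2019-06-05 17:21:44 1hYQBm-0001Ac-7q <= sender@example.net H=(x) [198.51.100.7] P=esmtp S=600 for ${run{...}}@localhost",
    "2019-06-05 17:22:10 1hYQCb-0001Ad-0p <= sender@example.net H=(x) [198.51.100.7] P=esmtp S=610 for ${run{...}}@khazad.dum, carol@khazad.dum",
]

if __name__ == "__main__":
    print("4.91 affected:", is_affected_version("4.91"))
    print("4.92 affected:", is_affected_version("4.92"))
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A hit from scan_log is a triage lead, not proof of compromise: it says a recipient with an expansion opener reached your Exim, so check the host's version with is_affected_version and apply the exim-4_91+fixes patch if it is in range. The version check deliberately ignores suffixes such as "+fixes", so pair it with the patch level recorded by your package manager rather than treating "4.91+fixes" as unpatched.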