From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Dec 10 11:30:17 2010 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4F75D1065675; Fri, 10 Dec 2010 11:30:17 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 141BC8FC0A; Fri, 10 Dec 2010 11:30:17 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id oBABUGAj084642; Fri, 10 Dec 2010 11:30:16 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id oBABUG3b084635; Fri, 10 Dec 2010 11:30:16 GMT (envelope-from gnats) Resent-Date: Fri, 10 Dec 2010 11:30:16 GMT Resent-Message-Id: <201012101130.oBABUG3b084635@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Cc: krion@freebsd.org Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Eygene Ryabinkin Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 841D5106566C for ; Fri, 10 Dec 2010 11:23:34 +0000 (UTC) (envelope-from rea@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 8CCCA8FC0C for ; Fri, 10 Dec 2010 11:23:33 +0000 (UTC) Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256) id 1PR0rb-000FD0-LH for FreeBSD-gnats-submit@freebsd.org; Fri, 10 Dec 2010 14:10:11 +0300 Message-Id: <20101210111011.4DA3FDA81F@void.codelabs.ru> Date: Fri, 10 Dec 2010 14:10:11 +0300 (MSK) From: Eygene Ryabinkin To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 X-GNATS-Notify: krion@freebsd.org Cc: Subject: ports/152983: security/vuxml: add entry for Exim's CVE-2010-4345 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Eygene Ryabinkin List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2010 11:30:17 -0000 >Number: 152983 >Category: ports >Synopsis: security/vuxml: add entry for Exim's CVE-2010-4345 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Dec 10 11:30:16 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 9.0-CURRENT amd64 >Organization: Code Labs >Environment: System: FreeBSD 9.0-CURRENT amd64 >Description: There is a local privilege escalation from Exim's user to root: [1] >How-To-Repeat: [1] https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3 One can create e.conf with contents like {{{ spool_directory = ${run{/usr/bin/touch /tmp/testfile}} }}} run Exim as 'exim -Ce.conf -q' under Exim's own user. /tmp/testfile will be owned by root. >Fix: There is a patch for Exim that is still discussed, http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- Exim -- local privilege escalation exim 4.72

David Woodhouse reports:

Secondly a privilege escalation where the trusted 'exim' user is able to tell Exim to use arbitrary config files, in which further ${run ...} commands will be invoked as root.

 CVE-2010-4345 https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3 http://www.exim.org/lurker/message/20101209.022730.dbb6732d.en.html 2010-12-10 TODAY --- vuln.xml ends here --- It passes 'make validate'. >Release-Note: >Audit-Trail: >Unformatted: