pool/exim
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 60121 from server:mail

Browse Source 
Accepted submit request 60121 from user lmuelle

OBS-URL: https://build.opensuse.org/request/show/60121
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/exim?expand=0&rev=6
This commit is contained in:
Ruediger Oertel 2011-02-07 22:57:15 +00:00 committed by Git OBS Bridge
commit 11b73ed588
7 changed files with 156 additions and 285 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

128
CVE-2010-4345.diff
View File

@ -1,128 +0,0 @@
Bugzilla: bnc#658731
Author: David Woodhouse
Date: 2010-12-09 17:22 UTC
To: exim-dev
Subject: Re: [exim-dev] [Exim-maintainers] Remote root vulnerability in Exim
[Resend to exim-dev for comment, since exim-maintainers is quiet]
On Thu, 2010-12-09 at 10:18 +0000, David Woodhouse wrote:
> In the meantime, I'm looking at the second bug; the privilege
> escalation. I think the best answer to that is to kill the
> ALT_CONFIG_ROOT_ONLY option completely, and *always* allow the trusted
> user to use an alternative config but *only* if that config is listed in
> a file such as /etc/exim/allowed-configs. Does that seem sane?
Hm, we already have ALT_CONFIG_PREFIX which *almost* does this. It's
just that when defined, it refuses to run at all with a config that
doesn't match the prefix; rather than simply running without privileges.
I don't really see the point in refusing to run at all; the user can
always build their *own* Exim binary and run it without privileges.
So I've come up with the patch below. It kills the ALT_CONFIG_ROOT_ONLY
option, by making it effectively always set and never allowing even the
trusted Exim user to use arbitrary config files.
It repurposes the existing ALT_CONFIG_PREFIX, rather than adding a new
option and making things more complex. Instead of refusing to run with
config files that don't match the prefix, Exim will simply run without
root privileges. And it *will* run with root privileges when invoked
with the -C option for a file which *does* match the prefix.
Important user-visible changes would be:
- If you previously had ALT_CONFIG_ROOT_ONLY unset (the default), then
you must set ALT_CONFIG_PREFIX and use matching files if you want
to use alternative config files.
- If you previously had ALT_CONFIG_PREFIX set, then you should be aware
that matching config files will now be invoked with root privileges
regardless of the uid of the invoking user.
We could change the latter so that non-root and non-exim users invoking
config files in ALT_CONFIG_PREFIX are *never* granted root privs, but
I'm not sure we should. Comments?
Index: exim-4.71/src/exim.c
===================================================================
--- exim-4.71.orig/src/exim.c
+++ exim-4.71/src/exim.c
@@ -3158,12 +3158,9 @@ if (setgroups(0, NULL) != 0)
}
/* If the configuration file name has been altered by an argument on the
-command line (either a new file name or a macro definition) and the caller is
-not root or the exim user, or if this is a filter testing run, remove any
-setuid privilege the program has, and run as the underlying user.
-
-If ALT_CONFIG_ROOT_ONLY is defined, the exim user is locked out of this, which
-severely restricts the use of -C for some purposes.
+command line (either a new file name not matching ALT_CONFIG_PREFIX or a macro
+definition) and the caller is not root, or if this is a filter testing run,
+remove any setuid privilege the program has, and run as the underlying user.
Otherwise, set the real ids to the effective values (should be root unless run
from inetd, which it can either be root or the exim uid, if one is configured).
@@ -3177,9 +3174,6 @@ configuration file changes and macro def
if (( /* EITHER */
(config_changed || macros != NULL) && /* Config changed, and */
real_uid != root_uid && /* Not root, and */
- #ifndef ALT_CONFIG_ROOT_ONLY /* (when not locked out) */
- real_uid != exim_uid && /* Not exim, and */
- #endif
!running_in_test_harness /* Not fudged */
) || /* OR */
expansion_test /* expansion testing */
@@ -3367,47 +3361,16 @@ else
}
/* Handle the case when we have removed the setuid privilege because of -C or
--D. This means that the caller of Exim was not root, and, provided that
-ALT_CONFIG_ROOT_ONLY is not defined, was not the Exim user that is built into
-the binary.
-
-If ALT_CONFIG_ROOT_ONLY is not defined, there is a problem if it turns out we
-were running as the exim user defined in the configuration file (different to
-the one in the binary). The sysadmin may expect this case to retain privilege
-because "the binary was called by the Exim user", but it hasn't, because of the
-order in which it handles this stuff. There are two possibilities:
-
- (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
- to do message deliveries. Thus, the fact that it is running as a
- non-privileged user is plausible, and might be wanted in some special
- configurations. However, really_exim will have been set false when
- privilege was dropped, to stop Exim trying to write to its normal log
- files. Therefore, re-enable normal log processing, assuming the sysadmin
- has set up the log directory correctly.
-
- (2) If deliver_drop_privilege is not set, the configuration won't work as
- apparently intended, and so we log a panic message. In order to retain
- root for -C or -D, the caller must either be root or the Exim user
- defined in the binary (when deliver_drop_ privilege is false).
-
-If ALT_CONFIG_ROOT_ONLY is defined, we don't know whether we were called by the
-built-in exim user or one defined in the configuration. In either event,
-re-enable log processing, assuming the sysadmin knows what they are doing. */
+-D. This means that the caller of Exim was not root.
+
+We don't know whether we were called by the built-in exim user or one defined
+in the configuration. In either event, re-enable log processing, assuming the
+sysadmin knows what they are doing. */
if (removed_privilege && (config_changed || macros != NULL) &&
real_uid == exim_uid)
{
- #ifdef ALT_CONFIG_ROOT_ONLY
really_exim = TRUE; /* let logging work normally */
- #else
-
- if (deliver_drop_privilege)
- really_exim = TRUE; /* let logging work normally */
- else
- log_write(0, LOG_MAIN|LOG_PANIC,
- "exim user (uid=%d) is defined only at runtime; privilege lost for %s",
- (int)exim_uid, config_changed? "-C" : "-D");
- #endif
}
/* Start up Perl interpreter if Perl support is configured and there is a

149
CVE-2011-0017.diff
View File

@ -1,149 +0,0 @@
commit 1670ef10063d7708eb736a482d1ad25b9c59521d
Author: Phil Pennock <pdp@exim.org>
Date: Fri Jan 21 03:56:02 2011 -0500
Check return values of setgid/setuid.
CVE-2011-0017
One assertion of the unimportance of checking the return value was wrong,
in the event of a compromised exim run-time user.
Index: exim-4.72/doc/ChangeLog
===================================================================
--- exim-4.72.orig/doc/ChangeLog
+++ exim-4.72/doc/ChangeLog
@@ -3,6 +3,11 @@ $Cambridge: exim/exim-doc/doc-txt/Change
Change log file for Exim from version 4.21
-------------------------------------------
+PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a
+ privilege escalation vulnerability whereby the Exim run-time user
+ can cause root to append content of the attacker's choosing to
+ arbitrary files.
+
Exim version 4.72
-----------------
Index: exim-4.72/doc/NewStuff
===================================================================
--- exim-4.72.orig/doc/NewStuff
+++ exim-4.72/doc/NewStuff
@@ -9,6 +9,15 @@ test from the snapshots or the CVS befor
the documentation is updated, this file is reduced to a short list.
+Version CVE-2011-0017
+---------------------
+
+ 1. SECURITY FIX: privilege escalation flaw fixed. On Linux (and only Linux)
+ the flaw permitted the Exim run-time user to cause root to append to
+ arbitrary files of the attacker's choosing, with the content based
+ on content supplied by the attacker.
+
+
Version 4.72
------------
Index: exim-4.72/src/exim.c
===================================================================
--- exim-4.72.orig/src/exim.c
+++ exim-4.72/src/exim.c
@@ -1309,7 +1309,7 @@ int arg_error_handling = error_handling
int filter_sfd = -1;
int filter_ufd = -1;
int group_count;
-int i;
+int i, rv;
int list_queue_option = 0;
int msg_action = 0;
int msg_action_arg = -1;
@@ -1628,8 +1628,20 @@ real_gid = getgid();
if (real_uid == root_uid)
{
- setgid(real_gid);
- setuid(real_uid);
+ rv = setgid(real_gid);
+ if (rv)
+ {
+ fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
+ (long int)real_gid, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ rv = setuid(real_uid);
+ if (rv)
+ {
+ fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
+ (long int)real_uid, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
}
/* If neither the original real uid nor the original euid was root, Exim is
@@ -3709,7 +3721,28 @@ if (!unprivileged &&
/* When we are retaining a privileged uid, we still change to the exim gid. */
-else setgid(exim_gid);
+else
+ {
+ int rv;
+ rv = setgid(exim_gid);
+ /* Impact of failure is that some stuff might end up with an incorrect group.
+ We track this for failures from root, since any attempt to change privilege
+ by root should succeed and failures should be examined. For non-root,
+ there's no security risk. For me, it's { exim -bV } on a just-built binary,
+ no need to complain then. */
+ if (rv == -1)
+ {
+ if (!unprivileged)
+ {
+ fprintf(stderr,
+ "exim: changing group failed: %s\n", strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ else
+ debug_printf("changing group to %ld failed: %s\n",
+ (long int)exim_gid, strerror(errno));
+ }
+ }
/* Handle a request to list the delivery queue */
Index: exim-4.72/src/log.c
===================================================================
--- exim-4.72.orig/src/log.c
+++ exim-4.72/src/log.c
@@ -343,17 +343,26 @@ are neither exim nor root, creation is n
else if (euid == root_uid)
{
- int status;
+ int status, rv;
pid_t pid = fork();
/* In the subprocess, change uid/gid and do the creation. Return 0 from the
- subprocess on success. There doesn't seem much point in testing for setgid
- and setuid errors. */
+ subprocess on success. If we don't check for setuid failures, then the file
+ can be created as root, so vulnerabilities which cause setuid to fail mean
+ that the Exim user can use symlinks to cause a file to be opened/created as
+ root. We always open for append, so can't nuke existing content but it would
+ still be Rather Bad. */
if (pid == 0)
{
- (void)setgid(exim_gid);
- (void)setuid(exim_uid);
+ rv = setgid(exim_gid);
+ if (rv)
+ die(US"exim: setgid for log-file creation failed, aborting",
+ US"Unexpected log failure, please try later");
+ rv = setuid(exim_uid);
+ if (rv)
+ die(US"exim: setuid for log-file creation failed, aborting",
+ US"Unexpected log failure, please try later");
_exit((create_log(buffer) < 0)? 1 : 0);
}

45
aa097c4c00f62487128d74f65c521f9e877b184f.diff Normal file
View File

@ -0,0 +1,45 @@
commit aa097c4c00f62487128d74f65c521f9e877b184f
Author: Nigel Metheringham <nigel@exim.org>
Date: Wed Jan 26 11:04:32 2011 +0000
Workround compile error with old PCRE versions
Fixes bug #1073
Index: exim-4.74/doc/ChangeLog
===================================================================
--- exim-4.74.orig/doc/ChangeLog
+++ exim-4.74/doc/ChangeLog
@@ -3,6 +3,13 @@ $Cambridge: exim/doc/doc-txt/ChangeLog,v
Change log file for Exim from version 4.21
-------------------------------------------
+Exim version 4.75
+-----------------
+
+NM/01 Workround for PCRE version dependancy in version reporting
+ Bugzilla 1073
+
+
Exim version 4.74
-----------------
Index: exim-4.74/src/exim.c
===================================================================
--- exim-4.74.orig/src/exim.c
+++ exim-4.74/src/exim.c
@@ -931,8 +931,13 @@ DEBUG(D_any) do {
" Runtime: %s\n",
PCRE_MAJOR, PCRE_MINOR,
/* PRE_PRERELEASE is either defined and empty or a string.
- * This should work: */
+ * unless its an ancient version of PCRE in which case it
+ * is not defined */
+#ifdef PCRE_PRERELEASE
PCRE_PRERELEASE "",
+#else
+ "",
+#endif
pcre_version());
init_lookup_list();

3
exim-4.72.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4299bc3dc84a82f5c94494006b49acba159ad8a1fe5dd647f7ee2f9bfe78920b
size 1559031

3
exim-4.74.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e55b51c87e0be920f7f5aee830261566a4def8820f318d14a822fe2ae2ff8e40
size 1588636

105
exim.changes
View File

@ -1,3 +1,108 @@
-------------------------------------------------------------------
Fri Feb 4 22:13:39 UTC 2011 - lars@samba.org
- Workround for PCRE version dependancy in version reporting; (beo#1073).
-------------------------------------------------------------------
Fri Feb 4 19:33:40 UTC 2011 - lars@samba.org
- update to 4.74
- Failure to get a lock on a hints database can have serious
consequences so log it to the panic log.
- Log LMTP confirmation messages in the same way as SMTP,
controlled using the smtp_confirmation log selector.
- Include the error message when we fail to unlink a spool file.
- Bugzilla 139: Support dynamically loaded lookups as modules.
- Bugzilla 139: Documentation and portability issues.
Avoid GNU Makefile-isms, let Exim continue to build on BSD.
Handle per-OS dynamic-module compilation flags.
- Let /dev/null have normal permissions.
The 4.73 fixes were a little too stringent and complained about the
permissions on /dev/null. Exempt it from some checks.
- Report version information for many libraries, including
Exim version information for dynamically loaded libraries. Created
version.h, now support a version extension string for distributors
who patch heavily. Dynamic module ABI change.
- CVE-2011-0017 - check return value of setuid/setgid. This is a
privilege escalation vulnerability whereby the Exim run-time user
can cause root to append content of the attacker's choosing to
arbitrary files.
- Bugzilla 1041: merged DCC maintainer's fixes for return code.
- Bugzilla 1071: fix delivery logging with untrusted macros.
If dropping privileges for untrusted macros, we disabled normal logging
on the basis that it would fail; for the Exim run-time user, this is not
the case, and it resulted in successful deliveries going unlogged.
- update to 4.73
- Date: & Message-Id: revert to normally being appended to a message,
only prepend for the Resent-* case. Fixes regression introduced in
Exim 4.70 by NM/22 for Bugzilla 607.
- Include check_rfc2047_length in configure.default because we're seeing
increasing numbers of administrators be bitten by this.
- Added DISABLE_DKIM and comment to src/EDITME
- Bugzilla 994: added openssl_options main configuration option.
- Bugzilla 995: provide better SSL diagnostics on failed reads.
- Bugzilla 834: provide a permit_coredump option for pipe transports.
- Adjust NTLM authentication to handle SASL Initial Response.
- If TLS negotiated an anonymous cipher, we could end up with SSL but
without a peer certificate, leading to a segfault because of an
assumption that peers always have certificates. Be a little more
paranoid. Problem reported by Martin Tscholak.
- Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content
filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes
NB: ClamAV planning to remove STREAM in "middle of 2010".
CL also introduces -bmalware, various -d+acl logging additions and
more caution in buffer sizes.
- Implemented reverse_ip expansion operator.
- Bugzilla 937: provide a "debug" ACL control.
- Bugzilla 922: Documentation dusting, patch provided by John Horne.
- Bugzilla 973: Implement --version.
- Bugzilla 752: Refuse to build/run if Exim user is root/0.
- Build without WITH_CONTENT_SCAN. Path from Andreas Metzler.
- Bugzilla 816: support multiple condition rules on Routers.
- Add bool_lax{} expansion operator and use that for combining multiple
condition rules, instead of bool{}. Make both bool{} and bool_lax{}
ignore trailing whitespace.
- prevent non-panic DKIM error from being sent to paniclog
- added tcp_wrappers_daemon_name to allow host entries other than
"exim" to be used
- Fix malware regression for cmdline scanner introduced in PP/08.
Notification from Dr Andrew Aitchison.
- Change ClamAV response parsing to be more robust and to handle ClamAV's
ExtendedDetectionInfo response format.
Notification from John Horne.
- OpenSSL 1.0.0a compatibility const-ness change, should be backwards
compatible.
- Added a CONTRIBUTING file. Fixed the documentation build to use http:
XSL and documented dependency on system catalogs, with examples of how
it normally works.
- Added Valgrind hooks in store.c to help it capture out-of-bounds store
access.
- Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour
of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a
configuration file which is writeable by the Exim user or group.
- Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability
of configuration files to cover files specified with the -C option if
they are going to be used with root privileges, not just the default
configuration file.
- Bugzilla 1044: CVE-2010-4345 - part three: remove ALT_CONFIG_ROOT_ONLY
option (effectively making it always true).
- Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration
files to be used while preserving root privileges.
- Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure
that rogue child processes cannot use them.
- Bugzilla 1047: change the default for system_filter_user to be the Exim
run-time user, instead of root.
- Add WHITELIST_D_MACROS option to let some macros be overriden by the
Exim run-time user without dropping privileges.
- Remove use of va_copy() which breaks pre-C99 systems. Duplicate the
result string, instead of calling string_vformat() twice with the same
arguments.
- Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not
for other users. Others should always drop root privileges if they use
-C on the command line, even for a whitelisted configure file.
- Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes.
- Fixed bug #1002 - Message loss when using multiple deliveries
-------------------------------------------------------------------
Fri Feb 4 15:19:44 UTC 2011 - lars@samba.org

8
exim.spec
View File

@ -40,7 +40,7 @@ Provides: smtp_daemon
Requires: logrotate
PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd fileutils textutils
%endif
Version: 4.72
Version: 4.74
Release: 3
%if %{?build_with_mysql:1}0
BuildRequires: mysql-devel
@ -58,8 +58,7 @@ Source20: http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/exi
Source30: eximstats-html-update.py
Source31: eximstats.conf
Patch: exim-4.12-tail.patch
Patch6: CVE-2010-4345.diff
Patch7: CVE-2011-0017.diff
Patch1: aa097c4c00f62487128d74f65c521f9e877b184f.diff
%if !%{?build_with_mysql:1}0
%package -n eximon
@ -126,8 +125,7 @@ Authors:
%prep
%setup -q -n exim-%{version}
%patch
%patch6 -p1
%patch7 -p1
%patch1 -p1
# build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
%if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
fPIE="-fPIE"