Accepting request 55623 from home:lmuelle:branches:server:mail

Looks ok. Thx!

OBS-URL: https://build.opensuse.org/request/show/55623
OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=91

CVE-2010-4345.diff

@@ -0,0 +1,128 @@
+Bugzilla: bnc#658731
+Author: David Woodhouse
+Date: 2010-12-09 17:22 UTC
+To: exim-dev
+Subject: Re: [exim-dev] [Exim-maintainers] Remote root vulnerability in Exim
+[Resend to exim-dev for comment, since exim-maintainers is quiet]
+
+On Thu, 2010-12-09 at 10:18 +0000, David Woodhouse wrote:
+> In the meantime, I'm looking at the second bug; the privilege
+> escalation. I think the best answer to that is to kill the
+> ALT_CONFIG_ROOT_ONLY option completely, and *always* allow the trusted
+> user to use an alternative config but *only* if that config is listed in
+> a file such as /etc/exim/allowed-configs. Does that seem sane?
+
+Hm, we already have ALT_CONFIG_PREFIX which *almost* does this. It's
+just that when defined, it refuses to run at all with a config that
+doesn't match the prefix; rather than simply running without privileges.
+
+I don't really see the point in refusing to run at all; the user can
+always build their *own* Exim binary and run it without privileges.
+
+So I've come up with the patch below. It kills the ALT_CONFIG_ROOT_ONLY
+option, by making it effectively always set and never allowing even the
+trusted Exim user to use arbitrary config files.
+
+It repurposes the existing ALT_CONFIG_PREFIX, rather than adding a new
+option and making things more complex. Instead of refusing to run with
+config files that don't match the prefix, Exim will simply run without
+root privileges. And it *will* run with root privileges when invoked
+with the -C option for a file which *does* match the prefix.
+
+Important user-visible changes would be:
+
+- If you previously had ALT_CONFIG_ROOT_ONLY unset (the default), then
+you must set ALT_CONFIG_PREFIX and use matching files if you want
+to use alternative config files.
+
+- If you previously had ALT_CONFIG_PREFIX set, then you should be aware
+that matching config files will now be invoked with root privileges
+regardless of the uid of the invoking user.
+
+We could change the latter so that non-root and non-exim users invoking
+config files in ALT_CONFIG_PREFIX are *never* granted root privs, but
+I'm not sure we should. Comments?
+
+Index: exim-4.71/src/exim.c
+===================================================================
+--- exim-4.71.orig/src/exim.c
++++ exim-4.71/src/exim.c
+@@ -3158,12 +3158,9 @@ if (setgroups(0, NULL) != 0)
+   }
+ 
+ /* If the configuration file name has been altered by an argument on the
+-command line (either a new file name or a macro definition) and the caller is
+-not root or the exim user, or if this is a filter testing run, remove any
+-setuid privilege the program has, and run as the underlying user.
+-
+-If ALT_CONFIG_ROOT_ONLY is defined, the exim user is locked out of this, which
+-severely restricts the use of -C for some purposes.
++command line (either a new file name not matching ALT_CONFIG_PREFIX or a macro
++definition) and the caller is not root, or if this is a filter testing run,
++remove any setuid privilege the program has, and run as the underlying user.
+ 
+ Otherwise, set the real ids to the effective values (should be root unless run
+ from inetd, which it can either be root or the exim uid, if one is configured).
+@@ -3177,9 +3174,6 @@ configuration file changes and macro def
+ if ((                                            /* EITHER */
+     (config_changed || macros != NULL) &&        /* Config changed, and */
+     real_uid != root_uid &&                      /* Not root, and */
+-    #ifndef ALT_CONFIG_ROOT_ONLY                 /* (when not locked out) */
+-    real_uid != exim_uid &&                      /* Not exim, and */
+-    #endif
+     !running_in_test_harness                     /* Not fudged */
+     ) ||                                         /*   OR   */
+     expansion_test                               /* expansion testing */
+@@ -3367,47 +3361,16 @@ else
+   }
+ 
+ /* Handle the case when we have removed the setuid privilege because of -C or
+--D. This means that the caller of Exim was not root, and, provided that
+-ALT_CONFIG_ROOT_ONLY is not defined, was not the Exim user that is built into
+-the binary.
+-
+-If ALT_CONFIG_ROOT_ONLY is not defined, there is a problem if it turns out we
+-were running as the exim user defined in the configuration file (different to
+-the one in the binary). The sysadmin may expect this case to retain privilege
+-because "the binary was called by the Exim user", but it hasn't, because of the
+-order in which it handles this stuff. There are two possibilities:
+-
+-  (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
+-      to do message deliveries. Thus, the fact that it is running as a
+-      non-privileged user is plausible, and might be wanted in some special
+-      configurations. However, really_exim will have been set false when
+-      privilege was dropped, to stop Exim trying to write to its normal log
+-      files. Therefore, re-enable normal log processing, assuming the sysadmin
+-      has set up the log directory correctly.
+-
+-  (2) If deliver_drop_privilege is not set, the configuration won't work as
+-      apparently intended, and so we log a panic message. In order to retain
+-      root for -C or -D, the caller must either be root or the Exim user
+-      defined in the binary (when deliver_drop_ privilege is false).
+-
+-If ALT_CONFIG_ROOT_ONLY is defined, we don't know whether we were called by the
+-built-in exim user or one defined in the configuration. In either event,
+-re-enable log processing, assuming the sysadmin knows what they are doing. */
++-D. This means that the caller of Exim was not root.
++
++We don't know whether we were called by the built-in exim user or one defined
++in the configuration. In either event, re-enable log processing, assuming the
++sysadmin knows what they are doing. */
+ 
+ if (removed_privilege && (config_changed || macros != NULL) &&
+     real_uid == exim_uid)
+   {
+-  #ifdef ALT_CONFIG_ROOT_ONLY
+   really_exim = TRUE;   /* let logging work normally */
+-  #else
+-
+-  if (deliver_drop_privilege)
+-    really_exim = TRUE; /* let logging work normally */
+-  else
+-    log_write(0, LOG_MAIN|LOG_PANIC,
+-      "exim user (uid=%d) is defined only at runtime; privilege lost for %s",
+-      (int)exim_uid, config_changed? "-C" : "-D");
+-  #endif
+   }
+ 
+ /* Start up Perl interpreter if Perl support is configured and there is a

exim-4.12-tail.patch

@@ -1,6 +1,8 @@
---- scripts/Configure-config.h
+Index: scripts/Configure-config.h
+===================================================================
+--- scripts/Configure-config.h.orig
 +++ scripts/Configure-config.h
-@@ -41,7 +41,7 @@
+@@ -48,7 +48,7 @@ fi
  
  # Double-check that config.h is complete.
  

exim.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Dec 10 20:51:18 UTC 2010 - lars@samba.org
+
+- Fix memory corruption in string_format code for pre-11.3 systems;
+  CVE-2010-4344; (beo#787); (bnc#658731).
+- Fix remote root vulnerability; CVE-2010-4345; (bnc#658731).
+
 -------------------------------------------------------------------
 Wed Jul 14 10:45:19 CEST 2010 - dmueller@suse.de
 

exim.spec

@@ -58,6 +58,7 @@ Source20:       http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/exi
 Source30:       eximstats-html-update.py
 Source31:       eximstats.conf
 Patch:          exim-4.12-tail.patch
+Patch6:         CVE-2010-4345.diff
 %if !%{?build_with_mysql:1}0
 
 %package -n eximon
@@ -124,6 +125,7 @@ Authors:
 %prep
 %setup -q -n exim-%{version}
 %patch
+%patch6 -p1
 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
 %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
 fPIE="-fPIE"