From 4c1f82306c37b93b23e6ad8ee5456c0d9dde7040fabc83b47dc3a97b815c70d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20M=C3=BCller?= Date: Fri, 10 Dec 2010 22:05:44 +0000 Subject: [PATCH] Accepting request 55623 from home:lmuelle:branches:server:mail Looks ok. Thx! OBS-URL: https://build.opensuse.org/request/show/55623 OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=91 --- CVE-2010-4345.diff | 128 +++++++++++++++++++++++++++++++++++++++++++ exim-4.12-tail.patch | 6 +- exim.changes | 7 +++ exim.spec | 2 + 4 files changed, 141 insertions(+), 2 deletions(-) create mode 100644 CVE-2010-4345.diff diff --git a/CVE-2010-4345.diff b/CVE-2010-4345.diff new file mode 100644 index 0000000..31c81c6 --- /dev/null +++ b/CVE-2010-4345.diff @@ -0,0 +1,128 @@ +Bugzilla: bnc#658731 +Author: David Woodhouse +Date: 2010-12-09 17:22 UTC +To: exim-dev +Subject: Re: [exim-dev] [Exim-maintainers] Remote root vulnerability in Exim +[Resend to exim-dev for comment, since exim-maintainers is quiet] + +On Thu, 2010-12-09 at 10:18 +0000, David Woodhouse wrote: +> In the meantime, I'm looking at the second bug; the privilege +> escalation. I think the best answer to that is to kill the +> ALT_CONFIG_ROOT_ONLY option completely, and *always* allow the trusted +> user to use an alternative config but *only* if that config is listed in +> a file such as /etc/exim/allowed-configs. Does that seem sane? + +Hm, we already have ALT_CONFIG_PREFIX which *almost* does this. It's +just that when defined, it refuses to run at all with a config that +doesn't match the prefix; rather than simply running without privileges. + +I don't really see the point in refusing to run at all; the user can +always build their *own* Exim binary and run it without privileges. + +So I've come up with the patch below. It kills the ALT_CONFIG_ROOT_ONLY +option, by making it effectively always set and never allowing even the +trusted Exim user to use arbitrary config files. + +It repurposes the existing ALT_CONFIG_PREFIX, rather than adding a new +option and making things more complex. Instead of refusing to run with +config files that don't match the prefix, Exim will simply run without +root privileges. And it *will* run with root privileges when invoked +with the -C option for a file which *does* match the prefix. + +Important user-visible changes would be: + +- If you previously had ALT_CONFIG_ROOT_ONLY unset (the default), then +you must set ALT_CONFIG_PREFIX and use matching files if you want +to use alternative config files. + +- If you previously had ALT_CONFIG_PREFIX set, then you should be aware +that matching config files will now be invoked with root privileges +regardless of the uid of the invoking user. + +We could change the latter so that non-root and non-exim users invoking +config files in ALT_CONFIG_PREFIX are *never* granted root privs, but +I'm not sure we should. Comments? + +Index: exim-4.71/src/exim.c +=================================================================== +--- exim-4.71.orig/src/exim.c ++++ exim-4.71/src/exim.c +@@ -3158,12 +3158,9 @@ if (setgroups(0, NULL) != 0) + } + + /* If the configuration file name has been altered by an argument on the +-command line (either a new file name or a macro definition) and the caller is +-not root or the exim user, or if this is a filter testing run, remove any +-setuid privilege the program has, and run as the underlying user. +- +-If ALT_CONFIG_ROOT_ONLY is defined, the exim user is locked out of this, which +-severely restricts the use of -C for some purposes. ++command line (either a new file name not matching ALT_CONFIG_PREFIX or a macro ++definition) and the caller is not root, or if this is a filter testing run, ++remove any setuid privilege the program has, and run as the underlying user. + + Otherwise, set the real ids to the effective values (should be root unless run + from inetd, which it can either be root or the exim uid, if one is configured). +@@ -3177,9 +3174,6 @@ configuration file changes and macro def + if (( /* EITHER */ + (config_changed || macros != NULL) && /* Config changed, and */ + real_uid != root_uid && /* Not root, and */ +- #ifndef ALT_CONFIG_ROOT_ONLY /* (when not locked out) */ +- real_uid != exim_uid && /* Not exim, and */ +- #endif + !running_in_test_harness /* Not fudged */ + ) || /* OR */ + expansion_test /* expansion testing */ +@@ -3367,47 +3361,16 @@ else + } + + /* Handle the case when we have removed the setuid privilege because of -C or +--D. This means that the caller of Exim was not root, and, provided that +-ALT_CONFIG_ROOT_ONLY is not defined, was not the Exim user that is built into +-the binary. +- +-If ALT_CONFIG_ROOT_ONLY is not defined, there is a problem if it turns out we +-were running as the exim user defined in the configuration file (different to +-the one in the binary). The sysadmin may expect this case to retain privilege +-because "the binary was called by the Exim user", but it hasn't, because of the +-order in which it handles this stuff. There are two possibilities: +- +- (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order +- to do message deliveries. Thus, the fact that it is running as a +- non-privileged user is plausible, and might be wanted in some special +- configurations. However, really_exim will have been set false when +- privilege was dropped, to stop Exim trying to write to its normal log +- files. Therefore, re-enable normal log processing, assuming the sysadmin +- has set up the log directory correctly. +- +- (2) If deliver_drop_privilege is not set, the configuration won't work as +- apparently intended, and so we log a panic message. In order to retain +- root for -C or -D, the caller must either be root or the Exim user +- defined in the binary (when deliver_drop_ privilege is false). +- +-If ALT_CONFIG_ROOT_ONLY is defined, we don't know whether we were called by the +-built-in exim user or one defined in the configuration. In either event, +-re-enable log processing, assuming the sysadmin knows what they are doing. */ ++-D. This means that the caller of Exim was not root. ++ ++We don't know whether we were called by the built-in exim user or one defined ++in the configuration. In either event, re-enable log processing, assuming the ++sysadmin knows what they are doing. */ + + if (removed_privilege && (config_changed || macros != NULL) && + real_uid == exim_uid) + { +- #ifdef ALT_CONFIG_ROOT_ONLY + really_exim = TRUE; /* let logging work normally */ +- #else +- +- if (deliver_drop_privilege) +- really_exim = TRUE; /* let logging work normally */ +- else +- log_write(0, LOG_MAIN|LOG_PANIC, +- "exim user (uid=%d) is defined only at runtime; privilege lost for %s", +- (int)exim_uid, config_changed? "-C" : "-D"); +- #endif + } + + /* Start up Perl interpreter if Perl support is configured and there is a diff --git a/exim-4.12-tail.patch b/exim-4.12-tail.patch index 1f44470..7f95543 100644 --- a/exim-4.12-tail.patch +++ b/exim-4.12-tail.patch @@ -1,6 +1,8 @@ ---- scripts/Configure-config.h +Index: scripts/Configure-config.h +=================================================================== +--- scripts/Configure-config.h.orig +++ scripts/Configure-config.h -@@ -41,7 +41,7 @@ +@@ -48,7 +48,7 @@ fi # Double-check that config.h is complete. diff --git a/exim.changes b/exim.changes index 041bf27..89fd827 100644 --- a/exim.changes +++ b/exim.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Dec 10 20:51:18 UTC 2010 - lars@samba.org + +- Fix memory corruption in string_format code for pre-11.3 systems; + CVE-2010-4344; (beo#787); (bnc#658731). +- Fix remote root vulnerability; CVE-2010-4345; (bnc#658731). + ------------------------------------------------------------------- Wed Jul 14 10:45:19 CEST 2010 - dmueller@suse.de diff --git a/exim.spec b/exim.spec index cc9a733..d55e00f 100644 --- a/exim.spec +++ b/exim.spec @@ -58,6 +58,7 @@ Source20: http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/exi Source30: eximstats-html-update.py Source31: eximstats.conf Patch: exim-4.12-tail.patch +Patch6: CVE-2010-4345.diff %if !%{?build_with_mysql:1}0 %package -n eximon @@ -124,6 +125,7 @@ Authors: %prep %setup -q -n exim-%{version} %patch +%patch6 -p1 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930 fPIE="-fPIE"