diff --git a/CVE-2010-4345.diff b/CVE-2010-4345.diff deleted file mode 100644 index 31c81c6..0000000 --- a/CVE-2010-4345.diff +++ /dev/null @@ -1,128 +0,0 @@ -Bugzilla: bnc#658731 -Author: David Woodhouse -Date: 2010-12-09 17:22 UTC -To: exim-dev -Subject: Re: [exim-dev] [Exim-maintainers] Remote root vulnerability in Exim -[Resend to exim-dev for comment, since exim-maintainers is quiet] - -On Thu, 2010-12-09 at 10:18 +0000, David Woodhouse wrote: -> In the meantime, I'm looking at the second bug; the privilege -> escalation. I think the best answer to that is to kill the -> ALT_CONFIG_ROOT_ONLY option completely, and *always* allow the trusted -> user to use an alternative config but *only* if that config is listed in -> a file such as /etc/exim/allowed-configs. Does that seem sane? - -Hm, we already have ALT_CONFIG_PREFIX which *almost* does this. It's -just that when defined, it refuses to run at all with a config that -doesn't match the prefix; rather than simply running without privileges. - -I don't really see the point in refusing to run at all; the user can -always build their *own* Exim binary and run it without privileges. - -So I've come up with the patch below. It kills the ALT_CONFIG_ROOT_ONLY -option, by making it effectively always set and never allowing even the -trusted Exim user to use arbitrary config files. - -It repurposes the existing ALT_CONFIG_PREFIX, rather than adding a new -option and making things more complex. Instead of refusing to run with -config files that don't match the prefix, Exim will simply run without -root privileges. And it *will* run with root privileges when invoked -with the -C option for a file which *does* match the prefix. - -Important user-visible changes would be: - -- If you previously had ALT_CONFIG_ROOT_ONLY unset (the default), then -you must set ALT_CONFIG_PREFIX and use matching files if you want -to use alternative config files. - -- If you previously had ALT_CONFIG_PREFIX set, then you should be aware -that matching config files will now be invoked with root privileges -regardless of the uid of the invoking user. - -We could change the latter so that non-root and non-exim users invoking -config files in ALT_CONFIG_PREFIX are *never* granted root privs, but -I'm not sure we should. Comments? - -Index: exim-4.71/src/exim.c -=================================================================== ---- exim-4.71.orig/src/exim.c -+++ exim-4.71/src/exim.c -@@ -3158,12 +3158,9 @@ if (setgroups(0, NULL) != 0) - } - - /* If the configuration file name has been altered by an argument on the --command line (either a new file name or a macro definition) and the caller is --not root or the exim user, or if this is a filter testing run, remove any --setuid privilege the program has, and run as the underlying user. -- --If ALT_CONFIG_ROOT_ONLY is defined, the exim user is locked out of this, which --severely restricts the use of -C for some purposes. -+command line (either a new file name not matching ALT_CONFIG_PREFIX or a macro -+definition) and the caller is not root, or if this is a filter testing run, -+remove any setuid privilege the program has, and run as the underlying user. - - Otherwise, set the real ids to the effective values (should be root unless run - from inetd, which it can either be root or the exim uid, if one is configured). -@@ -3177,9 +3174,6 @@ configuration file changes and macro def - if (( /* EITHER */ - (config_changed || macros != NULL) && /* Config changed, and */ - real_uid != root_uid && /* Not root, and */ -- #ifndef ALT_CONFIG_ROOT_ONLY /* (when not locked out) */ -- real_uid != exim_uid && /* Not exim, and */ -- #endif - !running_in_test_harness /* Not fudged */ - ) || /* OR */ - expansion_test /* expansion testing */ -@@ -3367,47 +3361,16 @@ else - } - - /* Handle the case when we have removed the setuid privilege because of -C or ---D. This means that the caller of Exim was not root, and, provided that --ALT_CONFIG_ROOT_ONLY is not defined, was not the Exim user that is built into --the binary. -- --If ALT_CONFIG_ROOT_ONLY is not defined, there is a problem if it turns out we --were running as the exim user defined in the configuration file (different to --the one in the binary). The sysadmin may expect this case to retain privilege --because "the binary was called by the Exim user", but it hasn't, because of the --order in which it handles this stuff. There are two possibilities: -- -- (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order -- to do message deliveries. Thus, the fact that it is running as a -- non-privileged user is plausible, and might be wanted in some special -- configurations. However, really_exim will have been set false when -- privilege was dropped, to stop Exim trying to write to its normal log -- files. Therefore, re-enable normal log processing, assuming the sysadmin -- has set up the log directory correctly. -- -- (2) If deliver_drop_privilege is not set, the configuration won't work as -- apparently intended, and so we log a panic message. In order to retain -- root for -C or -D, the caller must either be root or the Exim user -- defined in the binary (when deliver_drop_ privilege is false). -- --If ALT_CONFIG_ROOT_ONLY is defined, we don't know whether we were called by the --built-in exim user or one defined in the configuration. In either event, --re-enable log processing, assuming the sysadmin knows what they are doing. */ -+-D. This means that the caller of Exim was not root. -+ -+We don't know whether we were called by the built-in exim user or one defined -+in the configuration. In either event, re-enable log processing, assuming the -+sysadmin knows what they are doing. */ - - if (removed_privilege && (config_changed || macros != NULL) && - real_uid == exim_uid) - { -- #ifdef ALT_CONFIG_ROOT_ONLY - really_exim = TRUE; /* let logging work normally */ -- #else -- -- if (deliver_drop_privilege) -- really_exim = TRUE; /* let logging work normally */ -- else -- log_write(0, LOG_MAIN|LOG_PANIC, -- "exim user (uid=%d) is defined only at runtime; privilege lost for %s", -- (int)exim_uid, config_changed? "-C" : "-D"); -- #endif - } - - /* Start up Perl interpreter if Perl support is configured and there is a diff --git a/CVE-2011-0017.diff b/CVE-2011-0017.diff deleted file mode 100644 index e2037ce..0000000 --- a/CVE-2011-0017.diff +++ /dev/null @@ -1,149 +0,0 @@ -commit 1670ef10063d7708eb736a482d1ad25b9c59521d -Author: Phil Pennock -Date: Fri Jan 21 03:56:02 2011 -0500 - - Check return values of setgid/setuid. - - CVE-2011-0017 - - One assertion of the unimportance of checking the return value was wrong, - in the event of a compromised exim run-time user. - -Index: exim-4.72/doc/ChangeLog -=================================================================== ---- exim-4.72.orig/doc/ChangeLog -+++ exim-4.72/doc/ChangeLog -@@ -3,6 +3,11 @@ $Cambridge: exim/exim-doc/doc-txt/Change - Change log file for Exim from version 4.21 - ------------------------------------------- - -+PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a -+ privilege escalation vulnerability whereby the Exim run-time user -+ can cause root to append content of the attacker's choosing to -+ arbitrary files. -+ - Exim version 4.72 - ----------------- - -Index: exim-4.72/doc/NewStuff -=================================================================== ---- exim-4.72.orig/doc/NewStuff -+++ exim-4.72/doc/NewStuff -@@ -9,6 +9,15 @@ test from the snapshots or the CVS befor - the documentation is updated, this file is reduced to a short list. - - -+Version CVE-2011-0017 -+--------------------- -+ -+ 1. SECURITY FIX: privilege escalation flaw fixed. On Linux (and only Linux) -+ the flaw permitted the Exim run-time user to cause root to append to -+ arbitrary files of the attacker's choosing, with the content based -+ on content supplied by the attacker. -+ -+ - Version 4.72 - ------------ - -Index: exim-4.72/src/exim.c -=================================================================== ---- exim-4.72.orig/src/exim.c -+++ exim-4.72/src/exim.c -@@ -1309,7 +1309,7 @@ int arg_error_handling = error_handling - int filter_sfd = -1; - int filter_ufd = -1; - int group_count; --int i; -+int i, rv; - int list_queue_option = 0; - int msg_action = 0; - int msg_action_arg = -1; -@@ -1628,8 +1628,20 @@ real_gid = getgid(); - - if (real_uid == root_uid) - { -- setgid(real_gid); -- setuid(real_uid); -+ rv = setgid(real_gid); -+ if (rv) -+ { -+ fprintf(stderr, "exim: setgid(%ld) failed: %s\n", -+ (long int)real_gid, strerror(errno)); -+ exit(EXIT_FAILURE); -+ } -+ rv = setuid(real_uid); -+ if (rv) -+ { -+ fprintf(stderr, "exim: setuid(%ld) failed: %s\n", -+ (long int)real_uid, strerror(errno)); -+ exit(EXIT_FAILURE); -+ } - } - - /* If neither the original real uid nor the original euid was root, Exim is -@@ -3709,7 +3721,28 @@ if (!unprivileged && - - /* When we are retaining a privileged uid, we still change to the exim gid. */ - --else setgid(exim_gid); -+else -+ { -+ int rv; -+ rv = setgid(exim_gid); -+ /* Impact of failure is that some stuff might end up with an incorrect group. -+ We track this for failures from root, since any attempt to change privilege -+ by root should succeed and failures should be examined. For non-root, -+ there's no security risk. For me, it's { exim -bV } on a just-built binary, -+ no need to complain then. */ -+ if (rv == -1) -+ { -+ if (!unprivileged) -+ { -+ fprintf(stderr, -+ "exim: changing group failed: %s\n", strerror(errno)); -+ exit(EXIT_FAILURE); -+ } -+ else -+ debug_printf("changing group to %ld failed: %s\n", -+ (long int)exim_gid, strerror(errno)); -+ } -+ } - - /* Handle a request to list the delivery queue */ - -Index: exim-4.72/src/log.c -=================================================================== ---- exim-4.72.orig/src/log.c -+++ exim-4.72/src/log.c -@@ -343,17 +343,26 @@ are neither exim nor root, creation is n - - else if (euid == root_uid) - { -- int status; -+ int status, rv; - pid_t pid = fork(); - - /* In the subprocess, change uid/gid and do the creation. Return 0 from the -- subprocess on success. There doesn't seem much point in testing for setgid -- and setuid errors. */ -+ subprocess on success. If we don't check for setuid failures, then the file -+ can be created as root, so vulnerabilities which cause setuid to fail mean -+ that the Exim user can use symlinks to cause a file to be opened/created as -+ root. We always open for append, so can't nuke existing content but it would -+ still be Rather Bad. */ - - if (pid == 0) - { -- (void)setgid(exim_gid); -- (void)setuid(exim_uid); -+ rv = setgid(exim_gid); -+ if (rv) -+ die(US"exim: setgid for log-file creation failed, aborting", -+ US"Unexpected log failure, please try later"); -+ rv = setuid(exim_uid); -+ if (rv) -+ die(US"exim: setuid for log-file creation failed, aborting", -+ US"Unexpected log failure, please try later"); - _exit((create_log(buffer) < 0)? 1 : 0); - } - diff --git a/exim-4.72.tar.bz2 b/exim-4.72.tar.bz2 deleted file mode 100644 index d326675..0000000 --- a/exim-4.72.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4299bc3dc84a82f5c94494006b49acba159ad8a1fe5dd647f7ee2f9bfe78920b -size 1559031 diff --git a/exim-4.74.tar.bz2 b/exim-4.74.tar.bz2 new file mode 100644 index 0000000..d8cc7ce --- /dev/null +++ b/exim-4.74.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e55b51c87e0be920f7f5aee830261566a4def8820f318d14a822fe2ae2ff8e40 +size 1588636 diff --git a/exim.changes b/exim.changes index 029e00b..9d91dbc 100644 --- a/exim.changes +++ b/exim.changes @@ -1,3 +1,103 @@ +------------------------------------------------------------------- +Fri Feb 4 19:33:40 UTC 2011 - lars@samba.org + +- update to 4.74 + - Failure to get a lock on a hints database can have serious + consequences so log it to the panic log. + - Log LMTP confirmation messages in the same way as SMTP, + controlled using the smtp_confirmation log selector. + - Include the error message when we fail to unlink a spool file. + - Bugzilla 139: Support dynamically loaded lookups as modules. + - Bugzilla 139: Documentation and portability issues. + Avoid GNU Makefile-isms, let Exim continue to build on BSD. + Handle per-OS dynamic-module compilation flags. + - Let /dev/null have normal permissions. + The 4.73 fixes were a little too stringent and complained about the + permissions on /dev/null. Exempt it from some checks. + - Report version information for many libraries, including + Exim version information for dynamically loaded libraries. Created + version.h, now support a version extension string for distributors + who patch heavily. Dynamic module ABI change. + - CVE-2011-0017 - check return value of setuid/setgid. This is a + privilege escalation vulnerability whereby the Exim run-time user + can cause root to append content of the attacker's choosing to + arbitrary files. + - Bugzilla 1041: merged DCC maintainer's fixes for return code. + - Bugzilla 1071: fix delivery logging with untrusted macros. + If dropping privileges for untrusted macros, we disabled normal logging + on the basis that it would fail; for the Exim run-time user, this is not + the case, and it resulted in successful deliveries going unlogged. +- update to 4.73 + - Date: & Message-Id: revert to normally being appended to a message, + only prepend for the Resent-* case. Fixes regression introduced in + Exim 4.70 by NM/22 for Bugzilla 607. + - Include check_rfc2047_length in configure.default because we're seeing + increasing numbers of administrators be bitten by this. + - Added DISABLE_DKIM and comment to src/EDITME + - Bugzilla 994: added openssl_options main configuration option. + - Bugzilla 995: provide better SSL diagnostics on failed reads. + - Bugzilla 834: provide a permit_coredump option for pipe transports. + - Adjust NTLM authentication to handle SASL Initial Response. + - If TLS negotiated an anonymous cipher, we could end up with SSL but + without a peer certificate, leading to a segfault because of an + assumption that peers always have certificates. Be a little more + paranoid. Problem reported by Martin Tscholak. + - Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content + filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes + NB: ClamAV planning to remove STREAM in "middle of 2010". + CL also introduces -bmalware, various -d+acl logging additions and + more caution in buffer sizes. + - Implemented reverse_ip expansion operator. + - Bugzilla 937: provide a "debug" ACL control. + - Bugzilla 922: Documentation dusting, patch provided by John Horne. + - Bugzilla 973: Implement --version. + - Bugzilla 752: Refuse to build/run if Exim user is root/0. + - Build without WITH_CONTENT_SCAN. Path from Andreas Metzler. + - Bugzilla 816: support multiple condition rules on Routers. + - Add bool_lax{} expansion operator and use that for combining multiple + condition rules, instead of bool{}. Make both bool{} and bool_lax{} + ignore trailing whitespace. + - prevent non-panic DKIM error from being sent to paniclog + - added tcp_wrappers_daemon_name to allow host entries other than + "exim" to be used + - Fix malware regression for cmdline scanner introduced in PP/08. + Notification from Dr Andrew Aitchison. + - Change ClamAV response parsing to be more robust and to handle ClamAV's + ExtendedDetectionInfo response format. + Notification from John Horne. + - OpenSSL 1.0.0a compatibility const-ness change, should be backwards + compatible. + - Added a CONTRIBUTING file. Fixed the documentation build to use http: + XSL and documented dependency on system catalogs, with examples of how + it normally works. + - Added Valgrind hooks in store.c to help it capture out-of-bounds store + access. + - Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour + of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a + configuration file which is writeable by the Exim user or group. + - Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability + of configuration files to cover files specified with the -C option if + they are going to be used with root privileges, not just the default + configuration file. + - Bugzilla 1044: CVE-2010-4345 - part three: remove ALT_CONFIG_ROOT_ONLY + option (effectively making it always true). + - Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration + files to be used while preserving root privileges. + - Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure + that rogue child processes cannot use them. + - Bugzilla 1047: change the default for system_filter_user to be the Exim + run-time user, instead of root. + - Add WHITELIST_D_MACROS option to let some macros be overriden by the + Exim run-time user without dropping privileges. + - Remove use of va_copy() which breaks pre-C99 systems. Duplicate the + result string, instead of calling string_vformat() twice with the same + arguments. + - Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not + for other users. Others should always drop root privileges if they use + -C on the command line, even for a whitelisted configure file. + - Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes. + - Fixed bug #1002 - Message loss when using multiple deliveries + ------------------------------------------------------------------- Fri Feb 4 15:19:44 UTC 2011 - lars@samba.org diff --git a/exim.spec b/exim.spec index 8d3a999..2dafd9e 100644 --- a/exim.spec +++ b/exim.spec @@ -40,7 +40,7 @@ Provides: smtp_daemon Requires: logrotate PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd fileutils textutils %endif -Version: 4.72 +Version: 4.74 Release: 3 %if %{?build_with_mysql:1}0 BuildRequires: mysql-devel @@ -58,8 +58,6 @@ Source20: http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/exi Source30: eximstats-html-update.py Source31: eximstats.conf Patch: exim-4.12-tail.patch -Patch6: CVE-2010-4345.diff -Patch7: CVE-2011-0017.diff %if !%{?build_with_mysql:1}0 %package -n eximon @@ -126,8 +124,6 @@ Authors: %prep %setup -q -n exim-%{version} %patch -%patch6 -p1 -%patch7 -p1 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930 fPIE="-fPIE"