Re: [exim-dev] Security issues in exim4 local delivery

Author: Nigel Metheringham
Date:  
To: Dan Rosenberg
CC: pdp, exim-dev
Subject: Re: [exim-dev] Security issues in exim4 local delivery
[Resent from a list friendly address]

On 26 May 2010, at 19:01, Dan Rosenberg wrote:

> I just noticed the Bugzilla entries for these issues. I wanted to
> point out that the impact of the second bug is more than just
> creating empty files - because of the chmod() call, permissions on
> the victim's files may be changed.


Noted.

> That being said, I have yet to come across a system that uses MBX
> locking, with a dependency on /tmp, AND allows symlink following on
> /tmp. So I think it would be perfectly appropriate not to address
> the race condition in the code in favor of making it explicitly
> clear in the documentation that this particular combination of
> configurations is potentially unsafe.


> I'd like to publish an advisory for these issues, just in case any
> users are affected and don't follow Exim upstream carefully. I'll
> be sure to emphasize the somewhat low impact, which configurations
> are vulnerable, and mitigation strategies.


> Is there an idea of when 4.72 will be ready? Are there plans on
> addressing the MBX issue further?


I can't give a good answer to that.

Exim development is currently effectively dead. We are averaging
maybe one CVS commit a month (and worse, we are still on CVS).

We currently have no one to manage a release (well one possible),
and no one volunteering to take on this work.

If there is no one else taking this on then I will build a release,
however I will also document it as being the last exim release as
the development community is unable to sustain further work, so the
only reasonable recommendation is for people to transition to a
mailer that has long term support.

    Nigel.


--
[ Nigel Metheringham             Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
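The second bug discussed above (a lock file created by path under /tmp and then chmod()'d by path, so that a symlink planted at that name redirects the permission change onto someone else's file) is a general pattern, not specific to Exim. The following is an added illustration written for this archive page, not Exim code and not taken from the thread: `create_lock_by_path` shows the fragile shape, `create_lock_nofollow` the hardened one (create with O_CREAT|O_EXCL|O_NOFOLLOW, verify the opened inode with fstat, and change permissions with fchmod on the descriptor rather than chmod on the name). The scenario helpers build a throwaway directory under /tmp with a constructed 0600 "victim" file and a symlink named `mailbox.lock` pointing at it; all names, modes and helper functions are assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef int (*lock_fn)(const char *, mode_t);

/* Fragile shape: create by name, then chmod() by name.  Both calls
 * re-resolve the path, so if the last component is a symlink in a
 * shared directory they act on whatever the link points at. */
int create_lock_by_path(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (chmod(path, mode) < 0) {          /* follows a symlink at `path` */
        close(fd);
        return -1;
    }
    return fd;
}

/* Hardened shape: refuse any pre-existing name (O_EXCL fails with EEXIST
 * even for a dangling symlink), never follow a link (O_NOFOLLOW), check
 * that what we hold is a plain file with one link, and adjust permissions
 * on the descriptor so no second path lookup happens. */
int create_lock_nofollow(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (fchmod(fd, mode) < 0) {           /* operates on the open inode */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a temporary directory stands in for /tmp, holding
 * a 0600 "victim" file and a symlink `mailbox.lock` that points at it.
 * Runs `fn` against the symlink and returns the victim's permission bits
 * afterwards (0 if setup failed), so the caller can see whether the lock
 * routine's permission change reached the victim. */
int victim_mode_after(lock_fn fn)
{
    char dir[] = "/tmp/mbxlockXXXXXX";  /* assumed writable, as /tmp is */
    char victim[64], lockp[64];
    struct stat st;
    int mode = 0, fd;

    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lockp, sizeof lockp, "%s/mailbox.lock", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        goto out;
    close(fd);
    if (symlink(victim, lockp) < 0)
        goto out;

    fd = fn(lockp, 0666);                 /* a lock file that must be group/world writable */
    if (fd >= 0)
        close(fd);
    if (stat(victim, &st) == 0)
        mode = st.st_mode & 0777;
out:
    unlink(lockp);
    unlink(victim);
    rmdir(dir);
    return mode;
}

/* The hardened routine must still work on a name that does not exist yet:
 * returns the mode of the freshly created regular file, or -1 on failure. */
int fresh_lock_mode(void)
{
    char dir[] = "/tmp/mbxlockXXXXXX";
    char lockp[64];
    struct stat st;
    int mode = -1, fd;

    if (!mkdtemp(dir))
        return -1;
    snprintf(lockp, sizeof lockp, "%s/mailbox.lock", dir);
    fd = create_lock_nofollow(lockp, 0644);
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        mode = st.st_mode & 0777;
    if (fd >= 0)
        close(fd);
    unlink(lockp);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("victim mode after by-path lock:  %04o\n", victim_mode_after(create_lock_by_path));
    printf("victim mode after nofollow lock: %04o\n", victim_mode_after(create_lock_nofollow));
    printf("fresh hardened lock mode:        %04o\n", fresh_lock_mode());
    return 0;
}
```

Run as an unprivileged user in a sandbox; the by-path variant leaves the victim at 0666, the nofollow variant refuses the symlink (EEXIST) and leaves it at 0600. This is the same reasoning behind the mitigation Dan mentions: where the lock directory cannot be made symlink-safe, the code must not trust a path twice.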
