Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.…

Author: Dean Brooks
To: 'Exim-Users'
Subject: Re: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5
So, um, this is going to blow up into a thing pretty quickly.

Are there *no* workarounds for the root escalation issue if perl_startup is in use, other than upgrading? Is there any sort of way to mitigate this issue, even temporarily through any sort of configuration?

Dean Brooks

-----Original Message-----
From: Exim-users On Behalf Of Heiko Schlittermann
Sent: Wednesday, March 2, 2016 2:10 PM
To: exim-maintainers <exim-maintainers@???>; exim-dev <exim-dev@???>; Exim-Users <exim-users@???>
Subject: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5


We just released:

    Version             Git tag
    Exim 4.84.2         exim-4_84_2
    Exim 4.85.2         exim-4_85_2
    Exim 4.86.2         exim-4_86_2
    Exim 4.87 RC 5      exim-4_87_RC5

(It's an updated version of 4.8{4,5,6}.1, fixing minor portability issues for *BSD and OS/X).

The known download area contains packed tarballs. The tarballs for fixed older versions (4.84.2, 4.85.2) are below the old/ directory.

Every tarball and the relevant commits and tags are signed with my GPG key (as used for signing this mail).

Security fix for CVE-2016-1531

All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (and this is normally *any* user) can gain root privileges. If you do not use 'perl_startup' you *should* be safe.

New options

We had to introduce two new configuration options:

    keep_environment =
    add_environment =

Both options are empty per default. That is, Exim cleans the complete environment on startup. This affects Exim itself and any subprocesses, as transports, that may call other programs via some alias mechanisms, as routers (queryprogram), lookups, and so on. This may affect used libraries (e.g. LDAP).

** THIS MAY BREAK your existing installation **

If both options are not used in the configuration, Exim issues a warning on startup. This warning disappears if at least one of these options is used (even if set to an empty value).

keep_environment should contain a list of trusted environment variables.
(Do you trust PATH?). This may be a list of names and REs.

    keep_environment = ^LDAP_ : FOO_PATH

To add (or override) variables, you can use add_environment:

    add_environment = <; PATH=/sbin:/usr/sbin

New behaviour

Now Exim changes its working directory to / right after startup, even before reading its configuration. (Later Exim changes its working directory to $spool_directory, as usual.)

Exim only accepts an absolute configuration file path now, when using the -C option.

Thank you for your understanding.

    Best regards from Dresden/Germany
    Many greetings from Dresden
    Heiko Schlittermann
--
 ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
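
Added example, not part of the thread and not Exim's own code: a small Python model of the environment clean-up the announcement describes, useful for previewing which inherited variables a given keep_environment / add_environment pair would drop before upgrading. It assumes list items starting with `^` are regular expressions (matched here with Python's `re`, not Exim's regex engine), that other items are exact names, and that `<;` changes the list separator as in the announcement's add_environment line; the variable names in the sample environment are constructed.

```python
import re


def split_exim_list(value, default_sep=":"):
    """Split an Exim-style list; a leading '<X' switches the separator to X.
    Simplified model: doubled-separator escaping is not handled."""
    value = value.strip()
    sep = default_sep
    if value.startswith("<") and len(value) > 1:
        sep, value = value[1], value[2:]
    return [item.strip() for item in value.split(sep) if item.strip()]


def clean_environment(env, keep_environment="", add_environment=""):
    """Return (resulting_env, dropped_names) for an inherited environment."""
    keep = split_exim_list(keep_environment)
    kept, dropped = {}, []
    for name, val in env.items():
        trusted = any(
            re.search(item, name) if item.startswith("^") else item == name
            for item in keep
        )
        if trusted:
            kept[name] = val
        else:
            dropped.append(name)
    # add_environment entries are NAME=value and override anything kept
    for assignment in split_exim_list(add_environment):
        name, _, val = assignment.partition("=")
        kept[name.strip()] = val
    return kept, sorted(dropped)


# Constructed sample of what a calling user's environment might contain
SAMPLE_ENV = {
    "PATH": "/home/user/bin:/usr/bin",
    "HOME": "/home/user",
    "LANG": "en_US.UTF-8",
    "LDAP_EXAMPLE": "/etc/ldap/example.conf",
    "FOO_PATH": "/opt/foo",
}

if __name__ == "__main__":
    env, dropped = clean_environment(
        SAMPLE_ENV, "^LDAP_ : FOO_PATH", "<; PATH=/sbin:/usr/sbin"
    )
    print("resulting environment:", env)
    print("dropped from caller:  ", dropped)
```

With both options left empty the model returns an empty environment, which is the default behaviour the announcement warns may break existing installations.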