On 2016-09-11 Jeremy Harris <jgh@???> wrote:
> On 11/09/16 15:32, Andreas Metzler wrote:
> > was there a thread or a bug report about
> > http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/ ?
> No idea. I assume you searched?
Hello,
Did not find anything on bugzilla; I thought there might have been other
channels I missed.
> If not, is it repeatable with current HEAD?
The issue was reproduced on Ubuntu
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/ against
4.86.2. The example exploit did not fully work for me with 4.87; I
therefore did not yet try against HEAD.
It managed to chown /lib/x86_64-linux-gnu/libpam.so.0.83.1 to
exim-user:exim-user, though.
> And... is that
> repeat-by relying on the writability of a library directory
> by an unpriv process?
/lib/x86_64-linux-gnu/ is 0755 root:root.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'