Re: [exim-dev] [exim-announce] CVE-2019-13917

Author: Fabian Groffen
To: exim-dev
CC: Jeremy Harris
Subject: Re: [exim-dev] [exim-announce] CVE-2019-13917

Is there an ETA for the sources to appear on the download servers?
I need those in order to update the package for Gentoo.


On 25-07-2019 10:04:19 +0100, Jeremy Harris via Exim-announce wrote:
> General release information
> ===========================
> The code fix for this issue has been placed in the project
> public git repository; the project website will be updated
> in due course.
> CVE ID:     CVE-2019-13917
> OVE ID:     OVE-20190718-0006
> Date:       2019-07-18
> Credits:    Jeremy Harris
> Version(s): 4.85 up to and including 4.92
> Issue:      A local or remote attacker can execute programs with root
>             privileges - if you've an unusual configuration. For details
>             see below.

> Coordinated Release Date (CRD) for Exim 4.92.1:
>             Thu Jul 25 10:00:00 UTC 2019

> Contact:    security@???

> Details:
> A vulnerability was discovered in the "sort" expansion operator:
> The elements of the list were expanded, giving a possible attack
> if the list included data supplied by an attacker.
> If the effective configuration file for exim does not use sort
> then the system is trivially declarable as not being vulnerable.
> Use this command to check: "exim -bP config | grep sort".
> --
> Cheers,
> Jeremy

Fabian Groffen
Gentoo on a different level
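The quoted advisory tells administrators to decide whether they are affected by running "exim -bP config | grep sort". The script below, an added example that is not part of this thread or of the Exim project, wraps that check so it can be run against either a saved configuration dump or the live binary. It assumes only that `exim -bP config` prints the effective (macro- and include-resolved) configuration, as the advisory states; the function names and the two sample configuration fragments are constructed for illustration and are not real Exim deployments. The pattern it uses is narrower than a bare `grep sort`: it anchors on the `${sort{...}{...}{...}}` expansion item itself, so the word "sort" inside a comment or a queue description does not produce a false positive.

```shell
#!/bin/sh
# Added example (not from the original message): locate the ${sort ...}
# expansion operator named in CVE-2019-13917 in an Exim configuration.
# Helper names and sample snippets below are constructed for this example.

# uses_sort_expansion
# Reads configuration text on stdin; exits 0 if the ${sort{...}} expansion
# item is present, 1 otherwise. Optional whitespace is tolerated around the
# operator name; a plain "grep sort" would also match words such as
# "sorted", which this pattern deliberately ignores.
uses_sort_expansion() {
    grep -Eq '\$\{[[:space:]]*sort[[:space:]]*\{'
}

# check_running_exim
# Dumps the effective configuration with the command from the advisory
# and scans it. Exit status: 0 = sort operator in use (review the
# affected range 4.85..4.92), 1 = not in use, 2 = could not dump config.
check_running_exim() {
    if ! dump=$(exim -bP config 2>/dev/null); then
        echo "could not dump the effective config (is exim installed and in PATH?)" >&2
        return 2
    fi
    if printf '%s\n' "$dump" | uses_sort_expansion; then
        echo "sort expansion operator in use; versions 4.85 up to 4.92 are affected"
        return 0
    fi
    echo "no sort expansion operator in the effective config"
    return 1
}

# Constructed sample 1: a configuration that does use the sort operator
# (syntax per the Exim specification: ${sort{<list>}{<comparator>}{<extract>}}).
SAMPLE_USES_SORT='# constructed snippet, not a real deployment
begin transports
local_delivery:
  driver = appendfile
  headers_add = X-Sorted-List: ${sort{3:2:1:4}{<}{$item}}'

# Constructed sample 2: the word "sort" appears only in a comment, so a
# plain "grep sort" reports it although no expansion operator is present.
SAMPLE_NO_SORT='# constructed snippet, not a real deployment
# outbound mail is sorted into queues by the runner
domainlist local_domains = @ : localhost'

# Demonstration of the two samples; check_running_exim is left for the
# administrator to call on a host where exim is installed.
demo() {
    for name in SAMPLE_USES_SORT SAMPLE_NO_SORT; do
        eval "text=\$$name"
        if printf '%s\n' "$text" | uses_sort_expansion; then
            echo "$name: sort expansion operator found"
        else
            echo "$name: no sort expansion operator"
        fi
    done
}
```

Running `demo` reports the operator in the first sample only; the second sample shows why the narrower pattern is preferable when a mail system is declared not vulnerable on the basis of a negative result.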