ArchLinux: 201711-32: exim: multiple issues
Summary
- CVE-2017-1000369 (denial of service)
An uncontrolled resource consumption flaw has been discovered in Exim
before 4.89.1. The use of multiple "-p" command line arguments which
are malloc()'ed and never free()'ed results in leaking memory. While
Exim itself is not vulnerable to privilege escalation, this flaw can be
combined with the stack guard (Stack Clash) vulnerability to achieve
privilege escalation.
- CVE-2017-10140 (information disclosure)
It was found that Berkeley DB reads the DB_CONFIG configuration file
from the current working directory by default. This happens when
calling db_create() with dbenv=NULL, or when using the dbm_open() function.
This behavior leads to a security vulnerability because in the case of
setuid or setgid commands, excerpts of the file are revealed to the
calling user (and maybe more harm could be done with specially crafted
DB_CONFIG files).
- CVE-2017-16943 (arbitrary code execution)
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88
and 4.89 allows remote attackers to execute arbitrary code or cause a
denial of service (use-after-free) via vectors involving BDAT commands.
- CVE-2017-16944 (denial of service)
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88
and 4.89 allows remote attackers to cause a denial of service (infinite
loop and stack exhaustion) via vectors involving BDAT commands and an
improper check for a '.' character signifying the end of the content,
related to the bdat_getc function.
Resolution
Upgrade to 4.89.1-1.
# pacman -Syu "exim>=4.89.1-1"
The problems have been fixed upstream in version 4.89.1.
References
https://bugs.archlinux.org/task/56478
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
https://git.exim.org/exim.git/commitdiff/65e061b76867a9ea7aeeb535341b790b90ae6c21
https://access.redhat.com/security/vulnerabilities/stackguard
https://seclists.org/oss-sec/2017/q2/452
http://www.postfix.org/announcements/postfix-3.2.2.html
https://git.exim.org/exim.git/commitdiff/98bf975ca462bebeaa1325d72381847c5118ff14
https://www.openwall.com/lists/oss-security/2017/11/25/2
https://bugs.exim.org/show_bug.cgi?id=2199
https://git.exim.org/exim.git/commitdiff/4090d62a4b25782129cc1643596dc2f6e8f63bde
https://github.com/LetUsFsck/PoC-Exploit-Mirror/tree/master/CVE-2017-16944
https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
https://bugs.exim.org/show_bug.cgi?id=2201
https://git.exim.org/exim.git/commitdiff/178ecb70987f024f0e775d87c2f8b2cf587dd542
https://www.exploit-db.com/exploits/43184
https://security.archlinux.org/CVE-2017-1000369
https://security.archlinux.org/CVE-2017-10140
https://security.archlinux.org/CVE-2017-16943
https://security.archlinux.org/CVE-2017-16944
Workaround
None.