Arch Linux Security Advisory ASA-201711-32
==========================================

Severity: Critical
Date    : 2017-11-30
CVE-ID  : CVE-2017-1000369 CVE-2017-10140 CVE-2017-16943 CVE-2017-16944
Package : exim
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-518

Summary
=======

The package exim before version 4.89.1-1 is vulnerable to multiple issues
including arbitrary code execution, denial of service and information
disclosure.

Resolution
==========

Upgrade to 4.89.1-1.

# pacman -Syu "exim>=4.89.1-1"

The problems have been fixed upstream in version 4.89.1.

Workaround
==========

None.

Description
===========

- CVE-2017-1000369 (denial of service)

An uncontrolled resource consumption flaw has been discovered in Exim before
4.89.1. Passing multiple "-p" command line arguments, each of which is
malloc()'ed and never free()'ed, leaks memory. While Exim itself is not
vulnerable to privilege escalation, this flaw can be combined with the stack
guard (Stack Clash) vulnerability to achieve privilege escalation.

- CVE-2017-10140 (information disclosure)

It was found that Berkeley DB reads the DB_CONFIG configuration file from the
current working directory by default. This happens when calling db_create()
with dbenv=NULL, or when using the dbm_open() function. This behavior is a
security vulnerability because, for setuid or setgid commands, excerpts of the
file are revealed to the calling user (and specially crafted DB_CONFIG files
may allow further harm).

- CVE-2017-16943 (arbitrary code execution)

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
allows remote attackers to execute arbitrary code or cause a denial of service
(use-after-free) via vectors involving BDAT commands.

- CVE-2017-16944 (denial of service)

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
allows remote attackers to cause a denial of service (infinite loop and stack
exhaustion) via vectors involving BDAT commands and an improper check for a
'.' character signifying the end of the content, related to the bdat_getc
function.

Impact
======

A remote attacker is able to crash the application or execute arbitrary code
on the affected host. A local attacker is able to bypass access restrictions
to obtain sensitive data from local files, or to bypass the stack guard and
elevate privileges on the system.

References
==========

https://bugs.archlinux.org/task/56478
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
https://git.exim.org/exim.git/commitdiff/65e061b76867a9ea7aeeb535341b790b90a...
https://access.redhat.com/security/vulnerabilities/stackguard
http://seclists.org/oss-sec/2017/q2/452
http://www.postfix.org/announcements/postfix-3.2.2.html
https://git.exim.org/exim.git/commitdiff/98bf975ca462bebeaa1325d72381847c511...
http://openwall.com/lists/oss-security/2017/11/25/2
https://bugs.exim.org/show_bug.cgi?id=2199
https://git.exim.org/exim.git/commitdiff/4090d62a4b25782129cc1643596dc2f6e8f...
https://github.com/LetUsFsck/PoC-Exploit-Mirror/tree/master/CVE-2017-16944
https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
https://bugs.exim.org/show_bug.cgi?id=2201
https://git.exim.org/exim.git/commitdiff/178ecb70987f024f0e775d87c2f8b2cf587...
https://www.exploit-db.com/exploits/43184/
https://security.archlinux.org/CVE-2017-1000369
https://security.archlinux.org/CVE-2017-10140
https://security.archlinux.org/CVE-2017-16943
https://security.archlinux.org/CVE-2017-16944
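To check a host against the Resolution above (installed exim older than 4.89.1-1 means still affected), here is an added example that is not part of the advisory or of Arch's tooling; it reimplements a simplified form of libalpm's vercmp ordering (epoch, then pkgver segments, then pkgrel) rather than calling the real vercmp, and the function names are the author's own.

```python
"""Compare an installed Arch package version against the fixed version in ASA-201711-32."""
import re
import subprocess

FIXED_EXIM = "4.89.1-1"  # fixed version named in the advisory


def _split(ver):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver, pkgrel); epoch defaults to 0, pkgrel to '0'."""
    epoch = 0
    if ":" in ver:
        e, ver = ver.split(":", 1)
        epoch = int(e)
    pkgver, _, pkgrel = ver.partition("-")
    return epoch, pkgver, pkgrel or "0"


def _cmp_segments(a, b):
    """rpmvercmp-style ordering (simplified): numeric segments compare as integers,
    alphabetic ones as strings, numeric beats alphabetic, and a longer version wins a tie."""
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def vercmp(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, va, ra = _split(a)
    eb, vb, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_segments(va, vb) or _cmp_segments(ra, rb)


def is_vulnerable(installed, fixed=FIXED_EXIM):
    """True when the installed version is older than the advisory's fixed version."""
    return vercmp(installed, fixed) < 0


def installed_exim_version():
    """Ask pacman for the installed exim version; None if pacman or the package is absent."""
    try:
        out = subprocess.run(["pacman", "-Q", "exim"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.split()[1]
```

Run `is_vulnerable(installed_exim_version())` on the host; on a non-Arch machine the pacman lookup returns None and the version comparison can still be exercised with constructed strings.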