diff options
author | Phil Pennock <pdp@exim.org> | 2011-01-21 03:56:02 -0500 |
---|---|---|
committer | Phil Pennock <pdp@exim.org> | 2011-01-21 03:56:02 -0500 |
commit | 1670ef10063d7708eb736a482d1ad25b9c59521d (patch) | |
tree | cc8ad240887f3dfa0f4f56b228e6d6bbcb376de3 /doc | |
parent | 6545de78cb822ab5db97a2f16fe7a42cc9488bd8 (diff) |
Check return values of setgid/setuid.
CVE-2011-0017
One assertion of the unimportance of checking the return value was wrong,
in the event of a compromised exim run-time user.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/doc-txt/ChangeLog | 5 | ||||
-rw-r--r-- | doc/doc-txt/NewStuff | 7 |
2 files changed, 11 insertions, 1 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index ff375d398..a1bd4e7fc 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -32,6 +32,11 @@ PP/03 Report version information for many libraries, including version.h, now support a version extension string for distributors who patch heavily. Dynamic module ABI change. +PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a + privilege escalation vulnerability whereby the Exim run-time user + can cause root to append content of the attacker's choosing to + arbitrary files. + Exim version 4.73 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 8c8aeaa50..3a3ad5de5 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -12,7 +12,12 @@ the documentation is updated, this file is reduced to a short list. Version 4.74 ------------ - 1. Exim now supports loading some lookup types at run-time, using your + 1. SECURITY FIX: privilege escalation flaw fixed. On Linux (and only Linux) + the flaw permitted the Exim run-time user to cause root to append to + arbitrary files of the attacker's choosing, with the content based + on content supplied by the attacker. + + 2. Exim now supports loading some lookup types at run-time, using your platform's dlopen() functionality. This has limited platform support and the intention is not to support every variant, it's limited to dlopen(). This permits the main Exim binary to not be linked against |