From 21aa05977abff1eaa69bb97ef99080220915f7c0 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 5 Jul 2019 15:38:15 +0100 Subject: Avoid re-expansion in ${sort } --- doc/doc-txt/ChangeLog | 2 ++ doc/doc-txt/cve-2019-13917 | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 doc/doc-txt/cve-2019-13917 (limited to 'doc') diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index c1bbf2636..2e839039c 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -147,6 +147,8 @@ JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is requested. Previously not bounce was generated and a log entry of error ignored was made. +JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917) + Exim version 4.92 ----------------- diff --git a/doc/doc-txt/cve-2019-13917 b/doc/doc-txt/cve-2019-13917 new file mode 100644 index 000000000..fd94da8a4 --- /dev/null +++ b/doc/doc-txt/cve-2019-13917 
@@ -0,0 +1,46 @@ +CVE ID: CVE-2019-13917 +OVE ID: OVE-20190718-0006 +Date: 2019-07-18 +Credits: Jeremy Harris +Version(s): 4.85 up to and including 4.92 +Issue: A local or remote attacker can execute programs with root + privileges - if you've an unusual configuration. See below. + +Conditions to be vulnerable +=========================== + +If your configuration uses the ${sort } expansion for items that can be +controlled by an attacker (e.g. $local_part, $domain). The default +config, as shipped by the Exim developers, does not contain ${sort }. + +Details +======= + +The vulnerability is exploitable either remotely or locally and could +be used to execute other programs with root privilege. The ${sort } +expansion re-evaluates its items. + +Mitigation +========== + +Do not use ${sort } in your configuration. + +Fix +=== + +Download and build a fixed version: + + Tarballs: http://ftp.exim.org/pub/exim/exim4/ + Git: https://github.com/Exim/exim.git + - tag exim-4.92.1 + - branch exim-4.92+fixes + +The tagged commit is the officially released version. The +fixes branch +isn't officially maintained, but contains useful patches *and* the +security fix. + +If you can't install the above versions, ask your package maintainer for +a version containing the backported fix. On request and depending on our +resources we will support you in backporting the fix. (Please note, +that Exim project officially doesn't support versions prior the current +stable version.)
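Review bot: the JH/31 ChangeLog entry names the CVE but not the release that carries the fix, so a reader of the ChangeLog alone cannot tell whether the version they run is affected. The advisory added in the same commit points at tag exim-4.92.1 and branch exim-4.92+fixes; say so in the entry (for example "Avoid re-expansion in ${sort } expansion. (CVE-2019-13917) Fixed in 4.92.1; see doc/doc-txt/cve-2019-13917"). Note also that the entry is inserted below JH/30 in the section that sits above the "Exim version 4.92" heading, i.e. the in-development section, while the fix ships as 4.92.1; make sure the 4.92.1 section of the ChangeLog carries the same entry, otherwise the released version's ChangeLog will not mention the CVE.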
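Review bot: the Details section stops at "The ${sort } expansion re-evaluates its items" without saying why that is dangerous, so an administrator cannot judge exposure from the advisory alone. State the causal step: on the second evaluation the item contents, which under the Conditions section may be attacker-supplied values such as $local_part or $domain, are parsed as expansion syntax rather than treated as plain data, and that is what turns attacker-controlled input into the root-privilege program execution stated on the Issue line. Two smaller points in the same file: the Mitigation section ("Do not use ${sort } in your configuration.") is broader than the Conditions section, which makes a configuration vulnerable only when the sorted items are attacker-controlled; either align the two or say explicitly that the blanket advice is deliberate. And the header block gives Version(s) for the affected range but the fixed version appears only in the Fix section; adding a "Fixed in: 4.92.1" line next to Version(s) helps packagers and scanners that read only the header fields. Wording: "versions prior the current stable version" should read "prior to".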