Hello,
On Wed, Sep 11, 2019 at 12:25:52PM +0100, Conrad Wood wrote:
Hope I'm not hijacking - but it seems like a good
point. In default
debian Exim doesn't run as root. For example: my exim (on debian) runs
as user Debian-exim.
Yes, the part that accepts data from the Internet drops privileges
to Debian-exim as soon as it's opened the port.
But this exploit doesn't make that process do anything that it's not
expected to do. It writes bad data into a spool file which is later
processed by code that is running as root:
https://github.com/Exim/exim/blob/master/doc/doc-txt/cve-2019-15846/qualys.…
The Exim queue runner process runs as root the whole time it is
running, but that is only periodically. The Exim local delivery
process starts as root but once it's determined which user it needs
to deliver as it does fork a sub-process that drops privilege.
See "2. Root privilege"
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_consi…
As far as I am aware every Exim ever released that is configured to
do TLS and deliver locally is vulnerable to remote root compromise
by this bug.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting