Your message dated Sun, 25 Sep 2016 16:55:01 +0000
with message-id <[email protected]>
and subject line Bug#832442: fixed in exim4 4.88~RC1-1
has caused the Debian Bug report #832442,
regarding exim4: CVE-2016-1238 fix
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
832442: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832442
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: exim4
Version: 4.87-3
Severity: important
Hi maintainer,
An update for this package has been released as part of our handling for
the issue described below. This fixes an instance of the dynamic module
loading vulnerability alluded to.
I attach the patch I applied for jessie; please could you review this
and apply something similar for sid?
Thanks,
Dominic.
----- Forwarded message from Salvatore Bonaccorso <[email protected]> -----
Date: Mon, 25 Jul 2016 14:18:38 +0000
From: Salvatore Bonaccorso <[email protected]>
To: [email protected]
Subject: [SECURITY] [DSA 3628-1] perl security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-3628-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
July 25, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : perl
CVE ID : CVE-2016-1238 CVE-2016-6185
Debian Bug : 829578
Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2016-1238
John Lightsey and Todd Rinaldo reported that the opportunistic
loading of optional modules can make many programs unintentionally
load code from the current working directory (which might be changed
to another directory without the user realising), potentially
leading to privilege escalation, as demonstrated in Debian with
certain combinations of installed packages.
The problem relates to Perl loading modules from the includes
directory array ("@INC") in which the last element is the current
directory ("."). That means that, when "perl" wants to load a module
(during first compilation or during lazy loading of a module at
run time), perl will look for the module in the current directory at the
end, since '.' is the last include directory in its array of include
directories to seek. The issue is with requiring libraries that are
in "." but are not otherwise installed.
With this update several modules which are known to be vulnerable
are updated to not load modules from current directory.
Additionally the update allows configurable removal of "." from @INC
in /etc/perl/sitecustomize.pl for a transitional period. It is
recommended to enable this setting if the possible breakage for a
specific site has been evaluated. Problems in packages provided in
Debian resulting from the switch to the removal of '.' from @INC
should be reported to the Perl maintainers at
[email protected] .
It is planned to switch to the default removal of '.' in @INC in a
subsequent update to perl via a point release if possible, and in
any case for the upcoming stable release Debian 9 (stretch).
CVE-2016-6185
It was discovered that XSLoader, a core module from Perl to
dynamically load C libraries into Perl code, could load a shared
library from an incorrect location. XSLoader uses caller() information
to locate the .so file to load. This can be incorrect if
XSLoader::load() is called in a string eval. An attacker can take
advantage of this flaw to execute arbitrary code.
For the stable distribution (jessie), these problems have been fixed in
version 5.20.2-3+deb8u6. Additionally this update includes the
following updated packages to address optional module loading
vulnerabilities related to CVE-2016-1238, or to address build failures
which occur when '.' is removed from @INC:
- cdbs 0.4.130+deb8u1
- debhelper 9.20150101+deb8u2
- devscripts 2.15.3+deb8u1
- exim4 4.84.2-2+deb8u1
- libintl-perl 1.23-1+deb8u1
- libmime-charset-perl 1.011.1-1+deb8u2
- libmime-encwords-perl 1.014.3-1+deb8u1
- libmodule-build-perl 0.421000-2+deb8u1
- libnet-dns-perl 0.81-2+deb8u1
- libsys-syslog-perl 0.33-1+deb8u1
- libunicode-linebreak-perl 0.0.20140601-2+deb8u2
We recommend that you upgrade your perl packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
----- End forwarded message -----
diff -Nru exim4-4.84.2/debian/changelog exim4-4.84.2/debian/changelog
--- exim4-4.84.2/debian/changelog 2016-03-13 17:45:53.000000000 +0000
+++ exim4-4.84.2/debian/changelog 2016-07-24 22:45:57.000000000 +0100
@@ -1,3 +1,10 @@
+exim4 (4.84.2-1+deb8u1) jessie-security; urgency=high
+
+ * Non-maintainer upload.
+ * eximstats: Remove . from @INC [CVE-2016-1238]
+
+ -- Dominic Hargreaves <[email protected]> Sun, 24 Jul 2016 22:35:48 +0100
+
exim4 (4.84.2-1) jessie-security; urgency=high
* New upstream security release.
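Review bot: the version in the new stanza, 4.84.2-1+deb8u1, does not match the exim4 version the forwarded DSA lists for jessie, 4.84.2-2+deb8u1 (see the package list above the patch). The stanza is formally correct as an NMU against the 4.84.2-1 entry below it, so one of the two strings is stale; confirm which version actually reached jessie-security before the sid maintainer references it in the forward-port changelog.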
diff -Nru exim4-4.84.2/debian/patches/90_CVE-2016-1238.diff exim4-4.84.2/debian/patches/90_CVE-2016-1238.diff
--- exim4-4.84.2/debian/patches/90_CVE-2016-1238.diff 1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.84.2/debian/patches/90_CVE-2016-1238.diff 2016-07-24 22:36:32.000000000 +0100
@@ -0,0 +1,11 @@
+--- a/src/eximstats.src 2016-07-24 22:29:53.000000000 +0100
++++ b/src/eximstats.src 2016-07-24 22:33:49.763365395 +0100
+@@ -550,6 +550,8 @@
+
+ =cut
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ use integer;
+ use strict;
+ use IO::File;
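Review bot: `BEGIN { pop @INC if $INC[-1] eq '.' }` only removes '.' when it is the last entry of @INC, so a '.' that reaches the script some other way (PERL5LIB=., PERLLIB or a -I ahead of the default path) survives; `BEGIN { @INC = grep { $_ ne '.' } @INC }` removes it from every position at the same cost. Placing the block ahead of `use integer; use strict; use IO::File;` is right, since `use` runs at compile time, but it must also precede any `use` or `require` that sits above line 550 in src/eximstats.src, and this hunk's context does not show whether there is one. The new patch file also starts directly at `--- a/src/eximstats.src` with no DEP-3 header (Description, Bug-Debian, Author), which makes it harder to tell later why the line is there.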
diff -Nru exim4-4.84.2/debian/patches/series exim4-4.84.2/debian/patches/series
--- exim4-4.84.2/debian/patches/series 2016-03-13 17:45:53.000000000 +0000
+++ exim4-4.84.2/debian/patches/series 2016-07-24 22:34:36.000000000 +0100
@@ -18,3 +18,4 @@
87_Fix-transport-results-pipe-for-multiple-recipients-c.patch
89_01_only_warn_on_nonempty_environment.diff
89_02_Store-the-initial-working-directory.diff
+90_CVE-2016-1238.diff
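Review bot: the patch is added to series as 90_CVE-2016-1238.diff here, while the 4.88~RC1-1 changelog in the closing message names it 92_CVE-2016-1238.diff. That is harmless for the jessie NMU itself, but the forward-port should keep one name across suites so the CVE fix can be located by the same filename in both branches.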
--- End Message ---
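An added illustration of the mechanism the forwarded advisory describes and of the `pop @INC` idiom the attached patch uses; this is example code written here, not part of the bug report, the DSA or the exim4 patch. It plants a module under a constructed name (Demo::Optional::Helper) in a temporary directory, makes that directory the current one, and tries an opportunistic `require` with and without a trailing '.' in @INC; a third case shows where the patch's idiom falls short of a `grep`-based one. It assumes only a Perl 5.x with the core modules File::Temp, File::Path and Cwd, and adds '.' to @INC explicitly because perl 5.26 and later no longer put it there by default.

```perl
#!/usr/bin/perl
# Added example, not code from the Debian bug report, the DSA or the exim4
# patch: shows how a trailing '.' in @INC lets an "optional" module be loaded
# from the current working directory, and how the two common hardening idioms
# behave. Module name and file layout below are constructed for the demo.
use strict;
use warnings;
use Cwd        qw(getcwd);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Hypothetical optional module; nothing by this name ships with Perl.
my $MODULE = 'Demo::Optional::Helper';

# Load an optional module the way many programs do: try it, swallow failure.
# Returns the path %INC recorded for it, or undef when it was not found.
sub try_optional_load {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    delete $INC{$file};                   # forget any previous attempt
    my $ok = eval { require $file; 1 };
    return $ok ? $INC{$file} : undef;
}

# Idiom used by the exim4 patch: drop '.' only if it is the last entry.
sub drop_trailing_dot {
    my @inc = @_;
    pop @inc if @inc && $inc[-1] eq '.';
    return @inc;
}

# Stricter idiom: drop every '.' wherever it appears (PERL5LIB or -I can put
# one anywhere, not just at the end).
sub drop_all_dots {
    return grep { $_ ne '.' } @_;
}

sub demo {
    # Plant a module in a directory the attacker controls, then make it the
    # current directory, which is the precondition CVE-2016-1238 relies on.
    my $dir = tempdir(CLEANUP => 1);
    make_path("$dir/Demo/Optional");
    open my $fh, '>', "$dir/Demo/Optional/Helper.pm" or die "open: $!";
    print $fh "package Demo::Optional::Helper;\n",
              "warn \"planted module executed\\n\";\n",
              "1;\n";
    close $fh;

    my $orig_cwd = getcwd();
    chdir $dir or die "chdir: $!";

    my %r;

    # Case 1: exactly one '.' at the end of @INC, as perl <= 5.24 had by default.
    my @clean = drop_all_dots(@INC);
    local @INC = (@clean, '.');
    $r{loaded_with_dot} = try_optional_load($MODULE);

    # Case 2: the same @INC after the patch's BEGIN-block idiom.
    @INC = drop_trailing_dot(@INC);
    $r{loaded_without_dot} = try_optional_load($MODULE);

    # Case 3: '.' at the front (e.g. PERL5LIB=.), which pop does not catch.
    @INC = ('.', @INC);
    $r{dots_left_after_pop}  = scalar grep { $_ eq '.' } drop_trailing_dot(@INC);
    $r{dots_left_after_grep} = scalar grep { $_ eq '.' } drop_all_dots(@INC);

    chdir $orig_cwd or die "chdir back: $!";
    return \%r;
}

my $r = demo();
printf "with trailing '.':    %s\n",
    defined $r->{loaded_with_dot} ? "loaded $r->{loaded_with_dot}" : "not loaded";
printf "without trailing '.': %s\n",
    defined $r->{loaded_without_dot} ? "loaded $r->{loaded_without_dot}" : "not loaded";
printf "'.' entries surviving: pop idiom %d, grep idiom %d\n",
    $r->{dots_left_after_pop}, $r->{dots_left_after_grep};
```

Run it as `perl demo.pl`: the first case prints the planted module's warning on stderr, which is the attacker's code running; the second case reports the module as not found. The third case is the reason to prefer the `grep` form when a script cannot rule out a '.' arriving from the environment; a per-script BEGIN block like the one in the patch is the right fix for a single program, while the site-wide switch the advisory mentions in /etc/perl/sitecustomize.pl covers every Perl program on the host at once.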
--- Begin Message ---
Source: exim4
Source-Version: 4.88~RC1-1
We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated exim4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 25 Sep 2016 15:44:00 +0200
Source: exim4
Binary: exim4-base exim4-config exim4-daemon-light exim4 exim4-daemon-heavy
eximon4 exim4-dbg exim4-daemon-light-dbg exim4-daemon-heavy-dbg exim4-dev
Architecture: source
Version: 4.88~RC1-1
Distribution: experimental
Urgency: low
Maintainer: Exim4 Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 823855 832442 834699
Description:
exim4-base - support files for all Exim MTA (v4) packages
exim4-config - configuration for the Exim MTA (v4)
exim4-daemon-heavy-dbg - debugging symbols for the Exim MTA "heavy" daemon
exim4-daemon-heavy - Exim MTA (v4) daemon with extended features, including
exiscan-ac
exim4-daemon-light-dbg - debugging symbols for the Exim MTA "light" daemon
exim4-daemon-light - lightweight Exim MTA (v4) daemon
exim4-dbg - debugging symbols for the Exim MTA (utilities)
exim4-dev - header files for the Exim MTA (v4) packages
exim4 - metapackage to ease Exim MTA (v4) installation
eximon4 - monitor application for the Exim MTA (v4) (X11 interface)
Changes:
exim4 (4.88~RC1-1) experimental; urgency=low
.
* Drop reference to removed (in 4.80-7) "what"-option in init script usage
message. (Thanks, Calum Mackay!) Closes: #823855
* 92_CVE-2016-1238.diff: eximstats: Remove . from @INC [CVE-2016-1238]
Closes: #832442
* [lintian] update-exim4.conf.8 - fix typo.
* [lintian] Drop unused override binaries-have-file-conflict.
* B-d on default-libmysqlclient-dev.
* New upstream version.
+ Refresh patches: 31_eximmanpage.dpatch 32_exim4.dpatch 35_install.dpatch
50_localscan_dlopen.dpatch
+ Drop superfluous patches.
71_01_configure.default-nice-message-for-overlong-lines-Bu.patch
71_02_Delivery-quieten-smtp-transport-conn-reuse-vs.-deliv.patch
71_03_Avoid-exposing-passwords-in-log-on-failing-ldap-look.patch
71_04_Avoid-exposing-passwords-in-log-on-failing-ldap-look.patch
+ Fix crash in VRFY handling when handed an unqualified name
(lacking @domain). Apply the same qualification processing as RCPT.
Closes: #834699
+ Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. LP: #1580454
* [lintian] exim4-config_files.5 - fix typo.
Checksums-Sha1:
9e5eee99457f06cdf8717c0727bb925660d48e52 3039 exim4_4.88~RC1-1.dsc
504a4d3fbe48aa8ec2c0d4a325a9f3e622b3dbc2 1805625 exim4_4.88~RC1.orig.tar.bz2
e71d2d918f3b0af1ad92a458f9b9471cd5bb1008 455 exim4_4.88~RC1.orig.tar.bz2.asc
a64c4e309d5920823c0b4e883ce679cb6b6813ca 442208 exim4_4.88~RC1-1.debian.tar.xz
Checksums-Sha256:
834ffcbd66a897ca28a5bf626936341916647e7a68676be3fe52485c5b058a52 3039 exim4_4.88~RC1-1.dsc
025362da42722a6f67204afc042641085ee17c5aee75ea06cc2f8c1e072e8630 1805625 exim4_4.88~RC1.orig.tar.bz2
4a5142d147e6cdce2c2e5dad96c8fc8d12300ef991e4c8e5763f27d3afed8d9b 455 exim4_4.88~RC1.orig.tar.bz2.asc
938e1ffde572597bd8d36442b8a73a1994dd83122e2e6152993a44fe1572adaf 442208 exim4_4.88~RC1-1.debian.tar.xz
Files:
76b15dc60b12525aa0463b8394755da1 3039 mail standard exim4_4.88~RC1-1.dsc
593c6a2338a7032c6c4063f823d0fef9 1805625 mail standard exim4_4.88~RC1.orig.tar.bz2
b6633dc4d8ae66a1484397f82c36e9b1 455 mail standard exim4_4.88~RC1.orig.tar.bz2.asc
ac913070da6b31d71a787b502ffa05b0 442208 mail standard exim4_4.88~RC1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---