http://bugs.exim.org/show_bug.cgi?id=1044

Summary: CVE-2010-4345 exim privilege escalation
Product: Exim
Version: N/A
Platform: Other
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: General execution
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]

When EXIM is built without the ALT_CONFIG_ROOT_ONLY configuration option, the Exim user can create a config file with ${run...} directives that will be executed as root. It's a trivial privilege escalation.

We should kill the !ALT_CONFIG_ROOT_ONLY behaviour, so that *only* the root user can specify arbitrary new configs on the command line with the -C option.

For people who have a genuine need to use multiple parallel configs on the same machine, we need a way to "bless" the known configs.
