On 2016-09-11 Jeremy Harris <[email protected]> wrote:
> On 11/09/16 15:32, Andreas Metzler wrote:
> > was there a thread or a bug report about
> > http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/ ?
>
> No idea. I assume you searched?

Hello,

Did not find anything on bugzilla, I thought there might have been other channels I missed.

> If not, is it repeatable with current HEAD?

The issue was reproduced on Ubuntu
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/
against 4.86.2, the example exploit did not fully work for me with 4.87, I therefore did not yet try against HEAD. It managed chown /lib/x86_64-linux-gnu/libpam.so.0.83.1 to exim-user:exim-user, though.

> And... is that
> repeat-by relying on the writability of a library directory
> by an unpriv process?

/lib/x86_64-linux-gnu/ is 0755 root:root.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
