To: distros@vs.openwall.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]

** EMBARGO *** This information is not public yet.

CVE ID:     CVE-2019-13917
OVE ID:     OVE-20190718-0006
Date:       2019-07-18
Credits:    Jeremy Harris
Version(s): 4.85 up to and including 4.92
Issue:      A local or remote attacker can execute programs with root
            privileges - if you've an unusual configuration. For details
            see below.
Contact:    exim-security@exim.org

Proposed Timeline
=================

t0: NOW
    - this notice to distros@vs.openwall.org and exim-maintainers@exim.org
    - open limited access to our security Git repo. See below.

t0+~4d: Mon Jul 22 10:00:00 UTC 2019
    - heads-up notice to oss-security@lists.openwall.com, exim-users@exim.org,
      and exim-announce@exim.org

t0+~7d: Thu Jul 25 10:00:00 UTC 2019
    - Coordinated release date
    - publish the patches in our official and public Git repositories and
      the packages on our FTP server.

Downloads
=========

For release tarballs (exim-4.92.1):

    git clone --depth 1 ssh://git@exim.org/exim-packages

The package files are signed with my GPG key.

For the full Git repo:

    git clone ssh://git@exim.org/exim

    - tag exim-4.92.1
    - branch exim-4.92+fixes

The tagged commit is the officially released version. The tag is signed with
my GPG key. The +fixes branch isn't officially maintained, but contains useful
patches *and* the security fix. The relevant commit is signed with my GPG key.

If you need help backporting the patch, please contact us directly.

Conditions to be vulnerable
===========================

You are vulnerable if your configuration uses the ${sort } expansion for items
that can be controlled by an attacker (e.g. $local_part, $domain).

The default config, as shipped by the Exim developers, does not contain
${sort }.

Details
=======

The vulnerability is exploitable either remotely or locally and could be used
to execute other programs with root privilege. The ${sort } expansion
re-evaluates its items.
Mitigation
==========

Do not use ${sort } in your configuration.
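As an added example, not part of this advisory or of the Exim project: a small Python audit that scans an Exim configuration for ${sort } expansions and flags those whose arguments reference attacker-influenced variables, which is the vulnerable condition described above and the thing the mitigation asks you to remove. The list of tainted variables and the sample configuration fragment are constructed assumptions for the example.

```python
import re

# Expansion variables an attacker can influence directly. Constructed for this
# example and not exhaustive: data can also reach ${sort } indirectly, e.g.
# through a lookup keyed on one of these variables.
TAINTED_VAR_RE = re.compile(
    r"\$\{?(local_part|domain|sender_address|sender_host_name|[rb]?h_\w+)\b")
SORT_START_RE = re.compile(r"\$\{sort(?=[\s{])")


def find_sort_expansions(text):
    """Return each top-level ${sort ...} expansion, brace-matched so the
    nested expansions inside its arguments stay intact."""
    found, pos = [], 0
    while True:
        m = SORT_START_RE.search(text, pos)
        if not m:
            return found
        depth, end = 0, m.start()
        for end in range(m.start(), len(text)):
            if text[end] == "{":
                depth += 1
            elif text[end] == "}":
                depth -= 1
                if depth == 0:
                    break
        found.append(text[m.start():end + 1])
        pos = end + 1


def audit_config(config_text):
    """Flag ${sort } whose arguments mention attacker-influenced variables."""
    findings = []
    for expansion in find_sort_expansions(config_text):
        tainted = sorted({"$" + v for v in TAINTED_VAR_RE.findall(expansion)})
        findings.append({"expansion": expansion, "tainted_vars": tainted,
                         "vulnerable": bool(tainted)})
    return findings


# Constructed sample configuration fragment (not a real site's config).
SAMPLE_CONFIG = r"""
domain_list:
  driver = redirect
  data = ${sort {${lookup {$domain} lsearch{/etc/exim/domains}}} {<} {$item}}
ordered_hosts = ${sort {mx1.example.org:mx2.example.org} {<} {$item}}
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("VULNERABLE" if f["vulnerable"] else "ok", f["tainted_vars"])
```

The second ${sort } in the sample sorts a fixed list and is reported but not flagged; only the one fed from $domain matches the advisory's condition.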