CVE-2020-28008: Assorted attacks in Exim's spool directory
author Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Sun, 14 Mar 2021 11:16:57 +0000 (12:16 +0100)
committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Tue, 27 Apr 2021 22:40:35 +0000 (00:40 +0200)
commit b05dc3573f4cd476482374b0ac0393153d344338
tree b49a495116f55c29d734ff14b482f2d0e895a06c
parent 99d057fad97a2def9f000ebccda83e4008112819
CVE-2020-28008: Assorted attacks in Exim's spool directory

We patch dbfn_open() by introducing two functions priv_drop_temp() and
priv_restore() (inspired by OpenSSH's functions temporarily_use_uid()
and restore_uid()), which temporarily drop and restore root privileges
thanks to seteuid(). This goes against Exim's developers' wishes ("Exim
(the project) doesn't trust seteuid to work reliably") but, to the best
of our knowledge, seteuid() works everywhere and is the only way to
securely fix dbfn_open().

(cherry picked from commit 18da59151dbafa89be61c63580bdb295db36e374)

doc/doc-txt/ChangeLog
src/src/dbfn.c
test/stderr/0275
test/stderr/0278
test/stderr/0386
test/stderr/0388
test/stderr/0402
test/stderr/0403
test/stderr/0404
test/stderr/0408
test/stderr/0487
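
The temporary drop-and-restore pattern the commit message describes, as an added C example that is not the patch's, Exim's or OpenSSH's code. The function names are hypothetical, only the effective uid/gid are switched (supplementary groups are assumed to be handled by the caller), and O_NOFOLLOW/O_CLOEXEC are additions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Hypothetical helper names; state for one non-nested temporary drop. */
static int dropped; static uid_t saved_euid; static gid_t saved_egid;

/* Switch the effective ids to uid/gid; real and saved ids stay untouched. */
int example_drop_temp(uid_t uid, gid_t gid)
{
    if (dropped) { errno = EBUSY; return -1; }
    saved_euid = geteuid(); saved_egid = getegid();
    /* Group first: with an unprivileged euid, setegid() would be refused. */
    if (setegid(gid) != 0) return -1;
    /* Verify the resulting ids, not just the return code. */
    if (seteuid(uid) != 0 || geteuid() != uid || getegid() != gid) {
        if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) _exit(111);
        return -1;
    }
    dropped = 1;
    return 0;
}

/* Reverse order: regain the uid first, then the gid. */
int example_restore(void)
{
    if (!dropped) { errno = EINVAL; return -1; }
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) return -1;
    if (geteuid() != saved_euid || getegid() != saved_egid) return -1;
    dropped = 0;
    return 0;
}

/* Open path with the permissions of uid/gid, then return to the caller's ids. */
int example_open_as(uid_t uid, gid_t gid, const char *path, int flags, mode_t mode)
{
    if (example_drop_temp(uid, gid) != 0) return -1;
    int fd = open(path, flags | O_NOFOLLOW | O_CLOEXEC, mode);
    int open_errno = errno;
    if (example_restore() != 0) _exit(111);   /* ids unknown: stop here */
    errno = open_errno;
    return fd;
}

int main(void)
{
    return example_open_as(geteuid(), getegid(), "/dev/null", O_RDONLY, 0) >= 0 ? 0 : 1;
}
```

A privileged caller would pass the unprivileged account's uid and gid; the stand-alone `main` passes the process's own ids so it also runs without root.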