CVE-2011-0017
Published: 2011-02-02
Priority: P4 · 21 · medium · 6.9 (CVSS 2.0)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
EPSS: 0.38% (29.7th percentile)
The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.
Affected
68 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | exim4 | < exim4 4.72-4 (bookworm) | exim4 4.72-4 (bookworm) |
| exim | exim | <= 4.72 | — |
| exim | exim | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
| vendor_ubuntu | — | 4.4 | MEDIUM | — |
Red Hat
libxml2: Heap-based buffer overflow when decoding an entity reference with a long name
vendor_redhat·2012-01-06·CVSS 7.5
CVE-2011-3919 [HIGH] CWE-122 libxml2: Heap-based buffer overflow when decoding an entity reference with a long name
Heap-based buffer overflow in libxml2, as used in Google Chrome before 16.0.912.75, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Statement: This issue affected the versions of libxml2 as shipped with Red Hat Enterprise Linux 4, 5 and 6 and has been addressed via RHSA-2012:0016, RHSA-2012:0017 and RHSA-2012:0018 respectively.
Red Hat
libxml2 out of bounds read
vendor_redhat·2011-12-13·CVSS 5.0
CVE-2011-3905 [MEDIUM] CWE-125 libxml2 out of bounds read
libxml2, as used in Google Chrome before 16.0.912.63, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
Statement: This issue affects the version of libxml2 as shipped with Red Hat Enterprise Linux 4, 5 and 6 and has been addressed via RHSA-2012:0016, RHSA-2012:0017 and RHSA-2012:0018 respectively. This issue affects the version of mingw32-libxml2 as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue in Red Hat Enterprise Linux 6.
Ubuntu
Exim vulnerabilities
vendor_ubuntu·2011-02-10·CVSS 4.4
CVE-2010-2023 [MEDIUM] Exim vulnerabilities
Title: Exim vulnerabilities
It was discovered that Exim contained a design flaw in the way it processed alternate configuration files. An attacker that obtained privileges of the "Debian-exim" user could use an alternate configuration file to obtain root privileges. (CVE-2010-4345)

It was discovered that Exim incorrectly handled certain return values when handling logging. An attacker that obtained privileges of the "Debian-exim" user could use this flaw to obtain root privileges. (CVE-2011-0017)

Dan Rosenberg discovered that Exim incorrectly handled writable sticky-bit mail directories. If Exim were configured in this manner, a local user could use this flaw to cause a denial of service or possibly gain privileges. This issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, 9.10, and 10.04 L
Red Hat
Exim: privilege escalation
vendor_redhat·2011-01-25·CVSS 6.9
CVE-2011-0017 [MEDIUM] Exim: privilege escalation
The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.
Package: exim (Red Hat Enterprise Linux 4) - Will not fix
Package: exim (Red Hat Enterprise Linux 5) - Will not fix
Debian
CVE-2011-0017: exim4 - The open_log function in log.c in Exim 4.72 and earlier does not check the retur...
vendor_debian·2011·CVSS 6.9
CVE-2011-0017 [MEDIUM] CVE-2011-0017: exim4 - The open_log function in log.c in Exim 4.72 and earlier does not check the retur...
The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.
Scope: local
bookworm: resolved (fixed in 4.72-4)
bullseye: resolved (fixed in 4.72-4)
forky: resolved (fixed in 4.72-4)
sid: resolved (fixed in 4.72-4)
trixie: resolved (fixed in 4.72-4)
GHSA
GHSA-6w36-rjfw-vf62: The open_log function in log
ghsa_unreviewed·2022-05-17
CVE-2011-0017 [MEDIUM] CWE-20 GHSA-6w36-rjfw-vf62: The open_log function in log
The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.
OSV
CVE-2011-0017: The open_log function in log
osv·2011-02-02·CVSS 6.9
CVE-2011-0017 [MEDIUM] CVE-2011-0017: The open_log function in log
The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2011-0017 Exim: privilege escalation
bugzilla·2011-01-19·CVSS 6.9
CVE-2011-0017 [MEDIUM] CVE-2011-0017 Exim: privilege escalation
The exim setuid executable contains unchecked setuid() calls. If an attacker is able to exceed the exim user's resource limits, the setuid() call could fail, preventing the executable from dropping root privileges. If an attacker gains access to the exim user (via another exploit), they could potentially overwrite arbitrary system files with a symlink. The files would contain an email message, which could potentially be used to execute arbitrary code as root.
Discussion:
Acknowledgements:
Red Hat would like to thank Phil Pennock for reporting this issue.
---
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0017 to the following vulnerability:
Name: CVE-2011-0017
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-
Bugzilla
CVE-2010-4258 kernel: failure to revert address limit override in OOPS error path [rhel-5.6]
bugzilla·2010-12-03·CVSS 6.2
CVE-2010-4258 [MEDIUM] CVE-2010-4258 kernel: failure to revert address limit override in OOPS error path [rhel-5.6]
Confirmed that patch has been added to latest kernel-2.6.18-238.el5.
Discussion:
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2011-0017.html
Bugzilla
CVE-2010-3296 kernel: drivers/net/cxgb3/cxgb3_main.c reading uninitialized stack memory
bugzilla·2010-09-13·CVSS 2.1
CVE-2010-3296 [LOW] CVE-2010-3296 kernel: drivers/net/cxgb3/cxgb3_main.c reading uninitialized stack memory
Description of problem:
http://lkml.org/lkml/2010/9/11/170
The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read 4 bytes of uninitialized stack memory, because the "addr" member of the ch_reg struct declared on the stack in cxgb_extension_ioctl() is not altered or zeroed before being copied back to the user.
Acknowledgements:
Red Hat would like to thank Dan Rosenberg for reporting this issue.
Discussion:
This commit 49c37c0334a9b85d30ab3d6b5d1acb05ef2ef6de in David Miller's net-2.6 git repo
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html
---
This issue has been addressed
References
ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74
http://lists.exim.org/lurker/message/20110126.034702.4d69c278.en.html
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00004.html
http://osvdb.org/70696
http://secunia.com/advisories/43101
http://secunia.com/advisories/43128
http://secunia.com/advisories/43243
http://www.debian.org/security/2011/dsa-2154
http://www.securityfocus.com/bid/46065
http://www.ubuntu.com/usn/USN-1060-1
http://www.vupen.com/english/advisories/2011/0224
http://www.vupen.com/english/advisories/2011/0245
http://www.vupen.com/english/advisories/2011/0364
http://www.vupen.com/english/advisories/2011/0464
https://exchange.xforce.ibmcloud.com/vulnerabilities/65028