National Cyber Awareness System

Vulnerability Summary for CVE-2010-2024

Overview

transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.25&r2=1.26

Type: Patch Information

Hyperlink:http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.25&r2=1.26

External Source: CONFIRM

Name: http://bugs.exim.org/show_bug.cgi?id=989

Type: Patch Information

Hyperlink:http://bugs.exim.org/show_bug.cgi?id=989

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=600097

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=600097

External Source: XF

Name: exim-mbx-symlink(59042)

Hyperlink:http://xforce.iss.net/xforce/xfdb/59042

External Source: VUPEN

Name: ADV-2011-0364

Hyperlink:http://www.vupen.com/english/advisories/2011/0364

External Source: VUPEN

Name: ADV-2010-1402

Hyperlink:http://www.vupen.com/english/advisories/2010/1402

External Source: UBUNTU

Name: USN-1060-1

Hyperlink:http://www.ubuntu.com/usn/USN-1060-1

External Source: BID

Name: 40454

Hyperlink:http://www.securityfocus.com/bid/40454

External Source: BUGTRAQ

Name: 20100603 Multiple vulnerabilities in Exim

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/511653/100/0/threaded

External Source: CONFIRM

Name: http://vcs.exim.org/viewvc/exim/exim-doc/doc-txt/ChangeLog?view=markup&pathrev=exim-4_72_RC2

Hyperlink:http://vcs.exim.org/viewvc/exim/exim-doc/doc-txt/ChangeLog?view=markup&pathrev=exim-4_72_RC2

External Source: SECUNIA

Name: 43243

Hyperlink:http://secunia.com/advisories/43243

External Source: SECUNIA

Name: 40123

Hyperlink:http://secunia.com/advisories/40123

External Source: SECUNIA

Name: 40019

Type: Advisory

Hyperlink:http://secunia.com/advisories/40019

External Source: SUSE

Name: SUSE-SR:2010:014

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html

External Source: FEDORA

Name: FEDORA-2010-9524

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042613.html

External Source: FEDORA

Name: FEDORA-2010-9506

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042587.html

External Source: MLIST

Name: [exim-dev] 20100524 Security issues in exim4 local delivery

Hyperlink:http://lists.exim.org/lurker/message/20100524.175925.9a69f755.en.html

External Source: FULLDISC

Name: 20100603 Multiple vulnerabilities in Exim

Hyperlink:http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0079.html