CVE-2016-1531

Publication date 2 March 2016

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score

7.0 · High


Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.


Status

Package Ubuntu Release Status
exim4 15.10 wily Fixed 4.86-3ubuntu1.1
exim4 14.04 LTS trusty Fixed 4.82-3ubuntu2.1
exim4 12.04 LTS precise Fixed 4.76-3ubuntu3.3

Notes


mdeslaur

patches introduce behaviour change that may break existing setups
must also ship two follow-up patches:
1- Don't issue env warning if env is empty
2- Store the initial working directory

Severity score breakdown

Parameter Value
Base score 7.0 · High
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
