CVE-2014-2972
Published: 4 September 2014
expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value.
Notes
Author | Note |
---|---|
mdeslaur | patch may introduce behaviour change |
Priority
Status
Package | Release | Status |
---|---|---|
exim4 | lucid | Ignored (end of life) |
exim4 | precise | Released (4.76-3ubuntu3.3) |
exim4 | trusty | Released (4.82-3ubuntu2.1) |
exim4 | upstream | Released (4.82.1-2) |
exim4 | utopic | Not vulnerable (4.84~RC1-3ubuntu2) |
exim4 | vivid | Not vulnerable (4.84~RC1-3ubuntu2) |
exim4 | wily | Not vulnerable (4.84~RC1-3ubuntu2) |

Patches:
- upstream: http://git.exim.org/exim.git/commit/7685ce68148a083d7759e78d01aa5198fc099c44
- upstream: http://git.exim.org/exim.git/commit/0de7239e563eff6e83c3e72d7deb9fd26a54a3a7
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2972
- https://lists.exim.org/lurker/message/20140722.152452.d6c019e8.en.html
- https://lists.exim.org/lurker/message/20140722.145949.42c043f5.en.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136264.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136251.html
- https://ubuntu.com/security/notices/USN-2933-1
- NVD
- Launchpad
- Debian