To: distros@vs.openwall.org, exim-maintainers@exim.org
From: [ do not use a dmarc protected sender ]

** EMBARGO *** This information is not public yet.

CVE ID:     CVE-2019-13917
OVE ID:     OVE-20190718-0006
Date:       2019-07-18
Credits:    Jeremy Harris
Version(s): 4.85 up to and including 4.92
Issue:      A local or remote attacker can execute programs with root
            privileges - if you've an unusual configuration. For details
	    see below.

Contact:    exim-security@exim.org

Proposed Timeline
=================

t0: NOW
    - this notice to distros@vs.openwall.org and exim-maintainers@exim.org
    - open limited access to our security Git repo. See below.

t0+~4d: Mon Jul 22 10:00:00 UTC 2019
    - head-up notice to oss-security@lists.openwall.com,
      exim-users@exim.org, and exim-announce@exim.org

t0+~7d: Thu Jul 25 10:00:00 UTC 2019
    - Coordinated relase date
    - publish the patches in our official and public Git repositories
      and the packages on our FTP server.

Downloads
=========

For release tarballs (exim-4.92.1):

    git clone --depth 1 ssh://git@exim.org/exim-packages

The package files are signed with my GPG key.

For the full Git repo:

    git clone ssh://git@exim.org/exim
    - tag    exim-4.92.1
    - branch exim-4.92+fixes

The tagged commit is the officially released version. The tag is signed
with my GPG key.  The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit
is signed with my GPG key.

If you need help backporting the patch, please contact us directly.

Conditions to be vulnerable
===========================

If your configuration uses the ${sort } expansion for items that can be
controlled by an attacker (e.g. $local_part, $domain). The default
config, as shipped by the Exim developers, does not contain ${sort }.

Details
=======

The vulnerability is exploitable either remotely or locally and could
be used to execute other programs with root privilege.  The ${sort }
expansion re-evaluates its items.

Mitigation
==========

Do not use ${sort } in your configuration.
