Exim Privilege Escalation Vulnerability via Logrotate Symlink Following

Vulnerability

A vulnerability in the Exim package's logrotate configuration allows privilege escalation from the mail user/group to root. This issue affects openSUSE Tumbleweed versions prior to 4.98.2-lp156.248.1. The vulnerability arises because the logrotate script, which generates Exim's weekly report, can be manipulated into creating files with root privileges at an arbitrary location.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing a user to gain root access.

Reproduction

The vulnerability can be reproduced by enabling the EXIM_REPORT_WEEKLY option in the Exim configuration. Once this option is active, the logrotate script runs with root privileges. The mail user can win a race condition by replacing the report file with a symlink before the 'gzip' command is executed, leading to a local information leak.

Remediation

The logrotate configuration has been updated to create the weekly report in a temporary directory, which is then moved to the appropriate location. This fix is available in the Exim package on the openSUSE Build Service.
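The following shell script is an added illustration of why the race described under Reproduction works and why the remediation (build the report in a temporary directory, then move it into place) closes it. It is not the Exim package's or openSUSE's actual logrotate script; the function names, the "spool" directory and the "victim" file are all constructed inside a scratch directory so the script runs entirely in a sandbox. The point it shows is that opening a destination path for writing follows a symlink planted there, whereas rename(2), which mv uses within one filesystem, replaces the symlink itself and never touches what it pointed to.

```shell
#!/bin/sh
# Added illustration, not the Exim/openSUSE logrotate configuration.
# Contrasts an unsafe "write the report in place" pattern with the safe
# "write to a private temp dir, then rename into place" pattern.

set -eu

# Unsafe pattern: open the destination path for writing. If a less-privileged
# owner of the directory planted a symlink at that path, open(2) follows it
# and the content lands wherever the link points (as root, if root runs this).
unsafe_write_report() {
    dest="$1"
    printf 'weekly report\n' > "$dest"
}

# Safe pattern: build the file in a fresh, private temporary directory that
# the unprivileged user cannot write to, then rename(2) it over the
# destination. rename() does not follow a symlink at the new path; it replaces
# the link itself, so a planted target is never written. (mv only uses
# rename() when source and destination are on the same filesystem.)
safe_write_report() {
    dest="$1"
    tmpdir=$(mktemp -d)
    printf 'weekly report\n' > "$tmpdir/report"
    mv -f "$tmpdir/report" "$dest"
    rmdir "$tmpdir"
}

# Sandboxed demonstration. The "spool" directory, the planted symlink and the
# "victim" file are constructed under a scratch directory; nothing outside it
# is touched, and the scratch directory is removed afterwards.
# Prints one line: "<pattern>: victim=<intact|clobbered> dest=<symlink|regular>"
demo() {
    pattern="$1"
    sandbox=$(mktemp -d)
    spool="$sandbox/spool"
    mkdir "$spool"
    victim="$sandbox/victim"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$spool/report.txt"   # symlink sitting where the report goes

    "$pattern" "$spool/report.txt"

    if [ "$(cat "$victim")" = "original" ]; then v=intact; else v=clobbered; fi
    if [ -L "$spool/report.txt" ]; then l=symlink; else l=regular; fi
    rm -rf "$sandbox"
    echo "$pattern: victim=$v dest=$l"
}

demo unsafe_write_report   # unsafe_write_report: victim=clobbered dest=symlink
demo safe_write_report     # safe_write_report: victim=intact dest=regular
```

The defensive property comes from two things together: the temporary directory is created by root with a mode only root can write (mktemp -d creates it 0700), so no link can be planted there, and the final step is a rename rather than a write through the destination path. Any subsequent step that re-opens the file by path inside a directory the mail user can write to (for example compressing it in place) reintroduces the same window, which is why the report should be finished before it is moved.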

Added: Oct 2, 2025, 2:23 PM
Updated: Oct 2, 2025, 7:52 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 7.5
exploitability: 5.0
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.