AL-2003.17 -- Sendmail prescan() buffer overflow vulnerability

Date: 18 September 2003
References: ESB-2003.0649  ESB-2003.0651  ESB-2003.0662  ESB-2003.0671  ESB-2003.0674  ESB-2003.0676  ESB-2003.0688  ESB-2003.0691  ESB-2003.0694  ESB-2003.0701  
ESB-2003.0706  ESB-2003.0759  ESB-2003.0770  ESB-2003.0777  ESB-2003.0805  ESB-2004.0142  ESB-2003.0833  ESB-2003.0834  ESB-2003.0862  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                        AL-2003.17 -- AUSCERT ALERT
             Sendmail prescan() buffer overflow vulnerability
                        sendmail 8.12.10 available
                             18 September 2003
===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:                Sendmail prior to 8.12.10
Publisher:              Sendmail Consortium
Impact:                 Root Compromise
                        Denial of Service
Access Required:        Remote

Due to the severity of this vulnerability, AusCERT is releasing this
information as an AusCERT Alert. AusCERT recommends that sites either
upgrade to sendmail 8.12.10 or apply the patch as described in the
bulletin below.

AusCERT will continue to monitor this vulnerability and any exploit
activity. AusCERT members will be updated as information becomes
available.

Please note: this vulnerability is different from those described in
AL-2003.05 (CVE Name: CAN-2003-0161) and ESB-2003.0134 (CVE Name:
CAN-2002-1337).

For further information see:

 http://www.sendmail.org/8.12.10.html
 http://www.kb.cert.org/vuls/id/784980
 http://www.sendmail.org/parse8.359.2.8.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.12.10.  It contains a fix for a security problem
discovered by Michal Zalewski whom we thank for bringing this problem
to our attention.  We also want to thank Todd C. Miller for providing
a patch.  sendmail 8.12.10 also includes fixes for other potential
problems, see the release notes below for more details.  Sendmail
urges all users to either upgrade to sendmail 8.12.10 or apply a
patch which is part of this announcement.  Remember to check the
PGP signatures of patches or releases obtained via FTP or HTTP (to
check the correctness of the patch in this announcement please
verify the PGP signature of it).  For those not running the open
source version, check with your vendor for a patch.

For a complete list of changes see the release notes down below.

Please send bug reports to sendmail-bugs@sendmail.org as usual.
Please send security reports to sendmail-security@sendmail.org using
PGP encryption.

Note: We have changed the way we digitally sign the source code
distributions to simplify verification: in contrast to earlier
versions two .sig files are provided, one each for the gzip'ed
version and the compressed version. That is, instead of signing the
tar file, we sign the compressed/gzip'ed files, so you do not need
to uncompress the file before checking the signature.

This version can be found at

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.Z.sig

and the usual mirror sites.

MD5 signatures:

393f5d09d462f522c8288363870b2b42 sendmail.8.12.10.tar.gz
345042839dec70f0a0b5aaeafcf3a0e3 sendmail.8.12.10.tar.gz.sig
36b2b74577a96f79c242ff036321c2ff sendmail.8.12.10.tar.Z
1b9cd61e1342207148d950feafab0f07 sendmail.8.12.10.tar.Z.sig

You either need the first two files or the third and fourth, i.e.,
the gzip'ed version or the compressed version and the corresponding
.sig file.  The PGP signature was created using the Sendmail Signing
Key/2003, available on the web site (http://www.sendmail.org/) or
on the public key servers.

Since sendmail 8.11 and later include hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

   PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
   SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
   TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
   PARTS OF THE WORLD.  SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
   COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
   SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
   YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
   AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
   ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.


			SENDMAIL RELEASE NOTES
      $Id: RELEASE_NOTES,v 8.1340.2.165 2003/09/16 20:50:42 ca Exp $


This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.

8.12.10/8.12.10	2003/09/24
	SECURITY: Fix a buffer overflow in address parsing.  Problem
		detected by Michal Zalewski, patch from Todd C. Miller
		of Courtesan Consulting.
	Fix a potential buffer overflow in ruleset parsing.  This problem
		is not exploitable in the default sendmail configuration;
		a problem may occur only if the non-standard rulesets
		recipient (2), final (4), or mailer-specific envelope
		recipient rulesets are used.  Problem noted by Timo Sirainen.
	Accept 0 (and 0/0) as valid input for set MaxMimeHeaderLength.
		Problem noted by Thomas Schulz.
	Add several checks to avoid (theoretical) buffer over/underflows.
	Properly count message size when performing 7->8 or 8->7 bit MIME
		conversions.  Problem noted by Werner Wiethege.
	Properly compute message priority based on size of entire message,
		not just header.  Problem noted by Axel Holscher.
	Reset SevenBitInput to its configured value between SMTP
		transactions for broken clients which do not properly
		announce 8 bit data.  Problem noted by Stefan Roehrich.
	Set {addr_type} during queue runs when processing recipients.
		Based on patch from Arne Jansen.
	Better error handling in case of (very unlikely) queue-id conflicts.
	Perform better error recovery for address parsing, e.g., when
		encountering a comment that is too long.  Problem noted by
		Tanel Kokk, Union Bank of Estonia.
	Add ':' to the allowed character list for bogus HELO/EHLO
		checking.  It is used for IPv6 domain literals.  Patch from
		Iwaizako Takahiro of FreeBit Co., Ltd.
	Reset SASL connection context after a failed authentication attempt.
		Based on patch from Rob Siemborski of CMU.
	Check Berkeley DB compile time version against run time version
		to make sure they match.
	Do not attempt AAAA (IPv6) DNS lookups if IPv6 is not enabled
		in the kernel.
	When a milter adds recipients and one of them causes an error,
		do not ignore the other recipients.  Problem noted by
		Bart Duchesne.
	CONFIG: Use specified SMTP error code in mailertable entries which
		lack a DSN, i.e., "error:### Text".  Problem noted by
		Craig Hunt.
	CONFIG: Call Local_trust_auth with the correct argument.  Patch
		from Jerome Borsboom.
	CONTRIB: Better handling of temporary filenames for doublebounce.pl
		and expn.pl to avoid file overwrites, etc.  Patches from
		Richard A. Nelson of Debian and Paul Szabo.
	MAIL.LOCAL: Fix obscure race condition that could lead to an
		improper mailbox truncation if close() fails after the
		mailbox is fsync()'ed and a new message is delivered
		after the close() and before the truncate().
	MAIL.LOCAL: If mail delivery fails, do not leave behind a
		stale lockfile (which is ignored after the lock timeout).
		Patch from Oleg Bulyzhin of Cronyx Plus LLC.
	Portability:
		Port for AIX 5.2.  Thanks to Steve Hubert of University
			of Washington for providing access to a computer
			with AIX 5.2.
		setreuid(2) works on OpenBSD 3.3.  Patch from
			Todd C. Miller of Courtesan Consulting.
		Allow for custom definition of SMRSH_CMDDIR and SMRSH_PATH
			on all operating systems.  Patch from Robert Harker
			of Harker Systems.
		Use strerror(3) on Linux.  If this causes a problem on
			your Linux distribution, compile with
			-DHASSTRERROR=0 and tell sendmail.org about it.
	Added Files:
		devtools/OS/AIX.5.2



Instructions to extract and apply the patch for sendmail:

Store the data between "========= begin patch ========" and "=========
end patch ==========" into a file called "/PATH/TO/patch.sm" (replace
"/PATH/TO" with a path of your choice) and apply the following
command in the sendmail-VERSION/sendmail/ directory (note: if you
have a really old version then cd to sendmail-VERSION/src/)

patch < /PATH/TO/patch.sm

You should also edit the file version.c and change the version
number to indicate that you changed sendmail. We suggest adding the
date, e.g., change "8.12.9" to "8.12.9-20030924". Then recompile
sendmail, install the new binary, and restart the daemon.

========= begin patch ========

diff -u -r8.359.2.8 parseaddr.c
- - --- parseaddr.c	3 Apr 2003 16:20:54 -0000	8.359.2.8
+++ parseaddr.c	16 Sep 2003 18:06:22 -0000
@@ -700,7 +700,11 @@
 						addr[MAXNAME] = '\0';
 	returnnull:
 					if (delimptr != NULL)
+					{
+						if (p > addr)
+							--p;
 						*delimptr = p;
+					}
 					CurEnv->e_to = saveto;
 					return NULL;
 				}
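Review bot: the `if (p > addr)` guard before `--p` is the part of this hunk worth a comment: on the `returnnull:` error path the caller now receives `p - 1` in `*delimptr` instead of `p`, and the guard is what stops `--p` from stepping before the start of `addr` when the scan bails out on its very first character. Since `returnnull:` is a shared label, a one-line comment at the guard stating why `p` is stepped back would save the next reader from having to rediscover that. Note also that this copy of the hunk has been dash-escaped twice by the nested PGP signing (`- - --- parseaddr.c`), so the text between the begin/end patch markers will not apply cleanly with patch(1) until the leading `- - ` is removed from that header line.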
========= end patch ==========

- --------------------------END INCLUDED TEXT--------------------
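The download check the announcement above describes (compare the MD5 with the published list, then verify the detached .sig against the compressed file itself rather than an unpacked .tar), written out as an added shell example that is not part of the Sendmail announcement or of AusCERT's text; it assumes coreutils md5sum and a gpg with the Sendmail Signing Key/2003 already imported.

```shell
#!/bin/sh
# Added example: verify a sendmail 8.12.10 download as described in the
# announcement.  Assumes coreutils md5sum and gpg (Sendmail Signing Key/2003
# already imported); not the project's own tooling.

# Published MD5 list from the announcement, embedded verbatim.
PUBLISHED_MD5='393f5d09d462f522c8288363870b2b42 sendmail.8.12.10.tar.gz
345042839dec70f0a0b5aaeafcf3a0e3 sendmail.8.12.10.tar.gz.sig
36b2b74577a96f79c242ff036321c2ff sendmail.8.12.10.tar.Z
1b9cd61e1342207148d950feafab0f07 sendmail.8.12.10.tar.Z.sig'

# published_md5 NAME -> prints the published digest for NAME (empty if none).
published_md5() {
    printf '%s\n' "$PUBLISHED_MD5" | awk -v n="$1" '$2 == n { print $1 }'
}

# md5_matches FILE EXPECTED -> exit 0 if FILE's MD5 equals EXPECTED, else 1.
md5_matches() {
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# verify_download FILE -> check FILE and FILE.sig against the published
# list, then verify the PGP signature.  The signature is over the
# compressed/gzip'ed file, so it is checked as downloaded, without
# uncompressing first.
verify_download() {
    for f in "$1" "$1.sig"; do
        name=$(basename "$f")
        expected=$(published_md5 "$name")
        if [ -z "$expected" ]; then
            echo "no published MD5 for $name" >&2
            return 1
        fi
        if ! md5_matches "$f" "$expected"; then
            echo "MD5 mismatch for $name" >&2
            return 1
        fi
    done
    gpg --verify "$1.sig" "$1"
}
```

Run as `verify_download /path/to/sendmail.8.12.10.tar.gz` with the matching .sig file alongside; a non-zero exit means either digest or the signature did not check out.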

This alert is provided as a service to AusCERT's members.  As AusCERT did
not write the document quoted above, AusCERT has had no control over its   
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and 
should be considered in accordance with your organisation's site policies and 
procedures. AusCERT takes no responsibility for consequences which may arise 
from following or acting on information or advice contained in this security 
bulletin.

NOTE: This is only the original release of the alert.  It may not be
updated when updates to the original are made.  If downloading at a later
date, it is recommended that the alert is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the alert above.  If you have any questions or need further information,
please contact them directly.

Previous advisories, alerts and external security bulletins can be 
retrieved from:

        http://www.auscert.org.au/render.html?cid=1977

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.