COMMAND
sendmail
SYSTEMS AFFECTED
Systems running sendmail 8.8.3, 8.8.4
PROBLEM
This release fixes a nasty security bug that allows an external
attacker to get root privileges. This problem appeared in 8.8.3.
It is essential that you upgrade ASAP if you are running 8.8.3 or
8.8.4.
The following information was made public by Aleph One.
This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.
+ 8.8.5/8.8.5 97/01/21
+ SECURITY: Clear out group list during startup. Without this, sendmail
+ will continue to run with the group permissions of the caller,
+ even if RunAsUser is specified.
+ SECURITY: Make purgestat (-bH) be root-only. This is not in response
+ to any known attack, but it's best to be conservative.
+ Suggested by Peter Wemm of DIALix.
+ SECURITY: Fix buffer overrun problem in MIME code that has possible
+ security implications. Patch from Alex Garthwaite of the
+ University of Pennsylvania.
diff -r -c sendmail-8.8.4/src/mime.c sendmail-8.8.5/src/mime.c
*** sendmail-8.8.4/src/mime.c Sun Nov 24 07:27:26 1996
--- sendmail-8.8.5/src/mime.c Tue Jan 14 17:21:22 1997
***************
*** 36,42 ****
# include <string.h>
#ifndef lint
! static char sccsid[] = "@(#)mime.c 8.51 (Berkeley) 11/24/96";
#endif /* not lint */
/*
--- 36,42 ----
# include <string.h>
#ifndef lint
! static char sccsid[] = "@(#)mime.c 8.54 (Berkeley) 1/14/97";
#endif /* not lint */
/*
***************
*** 958,967 ****
register char *p;
char *cte;
char **pvp;
- u_char *obp;
u_char *fbufp;
char buf[MAXLINE];
- u_char obuf[MAXLINE + 1];
u_char fbuf[MAXLINE + 1];
char pvpbuf[MAXLINE];
extern u_char MimeTokenTab[256];
--- 958,965 ----
***************
*** 1045,1053 ****
c2 = CHAR64(c2);
*fbufp = (c1 << 2) | ((c2 & 0x30) >> 4);
! if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE])
{
! if (*--fbufp != '\n' || *--fbufp != '\r')
fbufp++;
*fbufp = '\0';
putline((char *) fbuf, mci);
--- 1043,1052 ----
c2 = CHAR64(c2);
*fbufp = (c1 << 2) | ((c2 & 0x30) >> 4);
! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
{
! if (*--fbufp != '\n' ||
! (fbufp > fbuf && *--fbufp != '\r'))
fbufp++;
*fbufp = '\0';
putline((char *) fbuf, mci);
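Review bot: The added `fbufp > fbuf` test on the `'\r'` step-back is what stops the second `*--fbufp` from reading below the start of fbuf when a line is a bare `'\n'`, but the hunk leaves the reason unrecorded; a one-line comment above the `if`, such as `/* a lone '\n' at fbuf[0]: don't step back past the start of fbuf */`, would keep it from being "simplified" away later. The same end-of-line block is repeated in the hunks at 1057 and 1069, which is how the old comparison `fbuf >= &fbuf[MAXLINE]` (comparing the array's own address, so always false, rather than the write pointer) survived in all three copies; moving the terminate-and-putline sequence into one static helper would leave a single copy to audit and keeps the `*--fbufp` side effects out of a compound condition. The enclosing function begins and ends outside this hunk.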
***************
*** 1057,1065 ****
continue;
c3 = CHAR64(c3);
*fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
! if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE])
{
! if (*--fbufp != '\n' || *--fbufp != '\r')
fbufp++;
*fbufp = '\0';
putline((char *) fbuf, mci);
--- 1056,1065 ----
continue;
c3 = CHAR64(c3);
*fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
{
! if (*--fbufp != '\n' ||
! (fbufp > fbuf && *--fbufp != '\r'))
fbufp++;
*fbufp = '\0';
putline((char *) fbuf, mci);
***************
*** 1069,1103 ****
continue;
c4 = CHAR64(c4);
*fbufp = ((c3 & 0x03) << 6) | c4;
! if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE])
{
! if (*--fbufp != '\n' || *--fbufp != '\r')
fbufp++;
*fbufp = '\0';
putline((char *) fbuf, mci);
fbufp = fbuf;
}
}
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- *fbufp = '\0';
- putline((char *) fbuf, mci);
- }
}
else
{
/* quoted-printable */
! obp = obuf;
while (fgets(buf, sizeof buf, e->e_dfp) != NULL)
{
! if (mime_fromqp((u_char *) buf, &obp, 0, &obuf[MAXLINE] - obp) == 0)
continue;
! putline((char *) obuf, mci);
! obp = obuf;
}
}
if (tTd(43, 3))
printf("\t\t\tmime7to8 => %s to 8bit done\n", cte);
--- 1069,1105 ----
continue;
c4 = CHAR64(c4);
*fbufp = ((c3 & 0x03) << 6) | c4;
! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
{
! if (*--fbufp != '\n' ||
! (fbufp > fbuf && *--fbufp != '\r'))
fbufp++;
*fbufp = '\0';
putline((char *) fbuf, mci);
fbufp = fbuf;
}
}
}
else
{
/* quoted-printable */
! fbufp = fbuf;
while (fgets(buf, sizeof buf, e->e_dfp) != NULL)
{
! if (mime_fromqp((u_char *) buf, &fbufp, 0,
! &fbuf[MAXLINE] - fbufp) == 0)
continue;
! putline((char *) fbuf, mci);
! fbufp = fbuf;
}
+ }
+
+ /* force out partial last line */
+ if (fbufp > fbuf)
+ {
+ *fbufp = '\0';
+ putline((char *) fbuf, mci);
}
if (tTd(43, 3))
printf("\t\t\tmime7to8 => %s to 8bit done\n", cte);
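Review bot: The "force out partial last line" block now sits after the `if`/`else`, so it also flushes the quoted-printable branch, which previously accumulated into obuf and dropped whatever mime_fromqp had buffered when the last fgets returned 0; nothing in the hunk states that both decoders are now expected to leave their unterminated tail in fbuf with fbufp past it. A comment above the moved block, e.g. `/* both decoders leave any unterminated tail in fbuf[0..fbufp) */`, would record that contract. The length passed to mime_fromqp, `&fbuf[MAXLINE] - fbufp`, keeps fbuf[MAXLINE] free for the `'\0'` the flush writes, which appears to be why fbuf is declared `MAXLINE + 1`; that is worth a remark next to the call so the two sizes are not changed independently. The enclosing function continues past the end of the hunk.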
SOLUTION
If you cannot upgrade immediately, turn off the F=9 flag on the
local and prog mailers. You can do this by editing the
/etc/sendmail.cf file and looking for the lines beginning with Mlocal
and Mprog. Find the field beginning "F=" and delete the digit "9"
from the string that follows it. Then restart the sendmail daemon.
If your configuration file does not include the F=9 flag, then
you are not vulnerable.