On 01/05/2024 16.14, Bastien Roucariès wrote:
Dear Maintainer,
unfortunately sendmail is orphaned ...
CVE-2023-51765 is not fully fixed at least for forwarding bad mail.
We must reject NUL including mail as a stop gap method.
I have patched sendmail in order to enable O RejectNUL=True directive,
but I do not achieved the fact to enable it by default.
It will need a NEWS.debian entry I suppose
Andreas could you get a glimpse at how to render RejectNUL a default ?
I would probably attempt something like the attached patch. That should
at least work for new installations. I have no idea how this would work
on upgrades.
Do we need something like this in submit.mc, too?
We could (probably) also enable it from
debian/cf/domain/debian-mta.m4.in etc., that should also enable the
feature automatically on upgrades. But then we would need some way to
opt-out by defining something in sendmail.mc ...
Or we could toggle the default:
--- a/sendmail/collect.c
+++ b/sendmail/collect.c
@@ -406,7 +406,7 @@ collect(fp, smtpmode, hdrp, e, rsetsize)
numhdrs = 0;
HasEightBits = false;
#if _FFR_REJECT_NUL_BYTE
- hasNUL = false;
+ hasNUL = true;
#endif
buf = bp = bufbuf;
buflen = sizeof(bufbuf);
and use '''
LOCAL_CONFIG
O RejectNUL=false
''' as the opt-out in sendmail.mc
What I don't like about this approach is that we deviate from upstream
default behavior with unchanged sendmail.cf.
Andreas
PS: It's nerly 20 years since I had sendmail running somewhere...
PPS: Marco has asked whether we could build sendmail with -DDANE to
enable DANE support in the binary. This should be a runtime no-op unless
dane gets enabled in sendmail.{mc,cf}. Do you have any concerns about
this from the security side?From ade1a2cac3892eedc07a5f2e47db2213950d0d6b Mon Sep 17 00:00:00 2001
From: Andreas Beckmann <a...@debian.org>
Date: Sat, 4 May 2024 10:31:04 +0200
Subject: [PATCH] enable 'O RejectNUL=true' in the default sendmail.cf
---
debian/cf/debian/sendmail.mc.in | 3 +++
debian/cf/feature/rejectnul.m4 | 3 +++
2 files changed, 6 insertions(+)
create mode 100644 debian/cf/feature/rejectnul.m4
diff --git a/debian/cf/debian/sendmail.mc.in b/debian/cf/debian/sendmail.mc.in
index dc363e6..b15e84f 100644
--- a/debian/cf/debian/sendmail.mc.in
+++ b/debian/cf/debian/sendmail.mc.in
@@ -74,6 +74,9 @@ dnl #
dnl # The access db is the basis for most of sendmail's checking
FEATURE(`access_db', , `skip')dnl
dnl #
+dnl # Reject NUL bytes in body
+FEATURE(`rejectnul')dnl
+dnl #
dnl # The greet_pause feature stops some automail bots - but check the
dnl # provided access db for details on excluding localhosts...
FEATURE(`greet_pause', `1000')dnl 1 seconds
diff --git a/debian/cf/feature/rejectnul.m4 b/debian/cf/feature/rejectnul.m4
new file mode 100644
index 0000000..7b8fd4b
--- /dev/null
+++ b/debian/cf/feature/rejectnul.m4
@@ -0,0 +1,3 @@
+VERSIONID(`$Id: rejectnul.m4,v 1.0 2024-05-04 10:39:24 anbe Exp $')
+LOCAL_CONFIG
+O RejectNUL=true
--
2.20.1
