-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You know there have been far to many sendmail exploits when you get to the end of reading one and your first thought is "at least It wasnt a remote root"
On August 26, 2003 01:43 pm, FreeBSD Security Advisories wrote: > =========================================================================== >== FreeBSD-SA-03:11.sendmail Security > Advisory The FreeBSD Project > > Topic: sendmail DNS map problem > > Category: contrib > Module: contrib_sendmail > Announced: 2003-08-26 > Credits: Oleg Bulyzhin <[EMAIL PROTECTED]> > Affects: 4.6-RELEASE (up to -p16), 4.7-RELEASE (up to -p13), > 4.8-RELEASE (up to -p3), 5.0-RELEASE (up to -p11) > 4-STABLE prior to Mar 29 19:33:18 2003 UTC > Corrected: 2003-08-25 22:33:14 UTC (RELENG_5_0) > 2003-08-25 22:35:23 UTC (RELENG_4_8) > 2003-08-25 22:36:10 UTC (RELENG_4_7) > 2003-08-25 22:38:53 UTC (RELENG_4_6) > FreeBSD only: NO > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit > <URL:http://www.freebsd.org/security/>. > > I. Background > > FreeBSD includes sendmail(8), a general purpose internetwork mail > routing facility, as the default Mail Transfer Agent (MTA). > > II. Problem Description > > Some versions of sendmail (8.12.0 through 8.12.8) contain a > programming error in the code that implements DNS maps. A malformed > DNS reply packet may cause sendmail to call `free()' on an > uninitialized pointer. > > NOTE: The default sendmail configuration in FreeBSD does not utilize > DNS maps. > > III. Impact > > Calling `free()' on an uninitialized pointer may result in a sendmail > child process crashing. It may also be possible for an attacker to > somehow influence the value of the `uninitialized pointer' and cause > an arbitrary memory trunk to be freed. This could further lead to > some other exploitable vulnerability, although no such cases are known > at this time. > > IV. Workaround > > Do not use DNS maps. > > V. Solution > > Do one of the following: > > 1) Upgrade your vulnerable system to 4-STABLE, 5.1-RELEASE, or to the > RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the > correction date (5.1-RELEASE-p11, 4.8-RELEASE-p4, or 4.7-RELEASE-p14, > respectively). > > 2) To patch your present system: > > The following patch has been verified to apply to FreeBSD 5.0, 4.8, > 4.7, and 4.6 systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:11/sendmail.patch > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:11/sendmail.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > # cd /usr/src/lib/libsm > # make obj && make depend && make > # cd /usr/src/lib/libsmutil > # make obj && make depend && make > # cd /usr/src/usr.sbin/sendmail > # make obj && make depend && make && make install > > c) Restart sendmail. Execute the following command as root. > > # /bin/sh /etc/rc.sendmail restart > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > Path Revision > Branch > ------------------------------------------------------------------------- > src/UPDATING > RELENG_5_0 1.229.2.17 > RELENG_4_8 1.73.2.80.2.6 > RELENG_4_7 1.73.2.74.2.17 > RELENG_4_6 1.73.2.68.2.45 > src/sys/conf/newvers.sh > RELENG_5_0 1.48.2.12 > RELENG_4_8 1.44.2.29.2.5 > RELENG_4_7 1.44.2.26.2.16 > RELENG_4_6 1.44.2.23.2.34 > src/contrib/sendmail/src/sm_resolve.c > RELENG_5_0 1.1.1.4.2.1 > RELENG_4_8 1.1.1.1.2.2.4.1 > RELENG_4_7 1.1.1.1.2.2.2.1 > RELENG_4_6 1.1.1.1.2.1.2.2 > ------------------------------------------------------------------------- > > VII. References > > <URL:http://www.sendmail.org/dnsmap1.html> > <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0688> > _______________________________________________ > [EMAIL PROTECTED] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications > To unsubscribe, send any mail to > "[EMAIL PROTECTED]" > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html - -- - - ****************************************************************************** Stephen Clowater /earth: file system full. The 3 case C++ function to determine the meaning of life: char *meaingOfLife(){ #ifdef _REALITY_ char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ? /dev/null:/dev/random); #endif #ifdef _POLITICALY_CORRECT_ char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom"); #endif #ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_ cout << "Sending Income Data From Hard Drive Now!\n"; System("dd if=/dev/urandom of=/dev/hda"); #endif return Meaning_of_your_life; } ***************************************************************************** -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/TGTacyHa6bMWAzYRAtmPAJ9fIT+6lvJqIxXh2YZXRhTYQO2fBQCgt2LJ xTPEUJGtjgz9tcg1fJmjd7s= =tgA2 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
