Bug 46179 (CVE-2003-0694)

Summary: VUL-0: CVE-2003-0694: sendmail 8.12.9: prescan buffer overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P3 - Medium
CC: dmueller, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2003-0694: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patchinfo.sendmail
putonftp-8.2.sendmail

Description Thomas Biege 2003-09-17 22:27:02 UTC
---------- Forwarded message ---------- 
Date: Wed, 17 Sep 2003 11:19:46 +0200 (CEST) 
From: Michal Zalewski <lcamtuf@dione.ids.pl> 
To: bugtraq@securityfocus.com, vulnwatch@securityfocus.com, 
     full-disclosure@netsys.com 
Subject: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) 
    [CAN-2003-0694] 
 
Hello lists, 
 
-------- 
Overview 
-------- 
 
  There seems to be a remotely exploitable vulnerability in Sendmail up to 
  and including the latest version, 8.12.9. The problem lies in the prescan() 
  function, but is not related to previous issues with this code. 
 
  The primary attack vector is an indirect invocation via parseaddr(), 
  although other routes are possible. Heap or stack structures, depending 
  on the calling location, can be overwritten due to the ability to go 
  past the end of the input buffer in strtok()-alike routines. 
 
  This is an early release, thanks to my sheer stupidity.
Comment 1 Thomas Biege 2003-09-17 22:27:02 UTC
-
Comment 2 Thomas Biege 2003-09-17 22:27:20 UTC
Index: parseaddr.c 
=================================================================== 
RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/parseaddr.c,v 
retrieving revision 1.16 
diff -u -r1.16 parseaddr.c 
--- parseaddr.c 29 Mar 2003 19:44:01 -0000      1.16 
+++ parseaddr.c 16 Sep 2003 17:37:26 -0000 
@@ -700,7 +700,11 @@ 
                                                addr[MAXNAME] = '\0'; 
        returnnull: 
                                        if (delimptr != NULL) 
+                                       { 
+                                               if (p > addr) 
+                                                       p--; 
                                                *delimptr = p; 
+                                       } 
                                        CurEnv->e_to = saveto; 
                                        return NULL; 
                                } 
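Review bot: the guard `if (p > addr) p--;` added before `*delimptr = p;` on the returnnull path is the right bound check: stepping back one position without the comparison would leave delimptr pointing before addr when nothing was consumed, and storing the unadjusted p is what let the caller continue scanning past the terminator written by `addr[MAXNAME] = '\0';`. The hunk only touches the returnnull path; it is worth confirming in review whether the other places that store into delimptr need the same adjustment, and a short comment above the new block explaining why p is stepped back would help the next reader of this function.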
 
Comment 3 Dr. Werner Fink 2003-09-17 22:36:40 UTC
Already fixed in STABLE, others are in progress
Comment 4 Thomas Biege 2003-09-17 22:40:17 UTC
Created attachment 14317 [details]
patchinfo.sendmail
Comment 5 Thomas Biege 2003-09-17 22:40:40 UTC
Created attachment 14318 [details]
putonftp-8.2.sendmail
Comment 6 Dr. Werner Fink 2003-09-17 23:04:15 UTC
Question: AFAIK (as Chris told me) we do not support 7.0-server/7.0-s390
(aka sles7-i386,sles7-ia64,sles7-ppc,7.2-s390,sles7-s390x)

IS this correct?
Comment 7 Harald Mueller-Ney 2003-09-17 23:11:25 UTC
7.0-server/7.0-s390 is NOT sles7*!!! or 7.2-s390 (== sles7-s390)

7.0-server is:

hmuelle@armstrong /work/cd/data/maintained-CDs/ 1127 > grep "7.0-server" * 
hmuelle@armstrong /work/cd/data/maintained-CDs/ 1128 > cd SAVE/
hmuelle@armstrong /work/cd/data/maintained-CDs/SAVE/ 1129 > grep "7.0-server" *
basis-db2.i386:Distribution: 7.0-server-i386
email-server-II.i386:Distribution: 7.0-server-i386
firewall-live.i386:Distribution: 7.0-server-i386
Comment 8 Dr. Werner Fink 2003-09-17 23:12:39 UTC
OK ... on what distri is sles7 based?
Comment 9 Thomas Biege 2003-09-17 23:32:56 UTC
CAN-2003-0694 
Comment 10 Dr. Werner Fink 2003-09-17 23:51:06 UTC
werner/sendmail> ll -G /work/src/done/*/sendmail/putonftp
-rw-r--r--   1 werner        351 Sep 17 16:59 /work/src/done/7.2/sendmail/putonftp
-rw-r--r--   1 werner        351 Sep 17 17:00 /work/src/done/7.3/sendmail/putonftp
-rw-r--r--   1 werner        351 Sep 17 16:54 /work/src/done/8.0/sendmail/putonftp
-rw-r--r--   1 werner        351 Sep 17 16:52 /work/src/done/8.1/sendmail/putonftp
-rw-r--r--   1 werner        350 Sep 17 16:48 /work/src/done/8.2/sendmail/putonftp
-rw-r--r--   1 werner        351 Sep 17 16:52 /work/src/done/SLES8/sendmail/putonftp
-rw-r--r--   1 werner        351 Sep 17 16:52 /work/src/done/UL1/sendmail/putonftp
Comment 11 Thomas Biege 2003-09-18 19:07:22 UTC
Ok we need new packages due to additional patches. 
 
Comment 12 Thomas Biege 2003-09-18 20:26:48 UTC
old packages rejected, werner submitted packages 8.0-8.2, need patches for older 
sendmail versions... working on it. 
Comment 13 Thomas Biege 2003-09-18 22:06:06 UTC
Ok, I think we can ignore the maxatom thing and just patch the remotely exploitable 
bug for the 8.11.x version. To add the patch we have to rewrite the rewrite() function 
and it's not worth the effort. 
 
So, 7.2 - 7.3 are ready to go. :) 
Comment 14 Thomas Biege 2003-09-19 21:06:58 UTC
*** Bug 46396 has been marked as a duplicate of this bug. ***
Comment 15 Chris Schlaeger 2003-09-19 22:44:42 UTC
Can we close this bug for 9.0? 
Comment 16 Thomas Biege 2003-09-19 22:47:19 UTC
no approval from QA yet.... 
Comment 17 Chris Schlaeger 2003-09-20 17:35:46 UTC
I don't consider this a blocker. It's not a default package. 
Comment 18 Thomas Biege 2003-09-22 20:45:03 UTC
Advisory released --> close bug 
Comment 19 Thomas Biege 2009-10-13 19:39:01 UTC
CVE-2003-0694: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)