Bugzilla – Bug 46179
VUL-0: CVE-2003-0694: sendmail 8.12.9: prescan buffer overflow
Last modified: 2021-09-28 09:52:45 UTC
---------- Forwarded message ----------
Date: Wed, 17 Sep 2003 11:19:46 +0200 (CEST)
From: Michal Zalewski <lcamtuf@dione.ids.pl>
To: bugtraq@securityfocus.com, vulnwatch@securityfocus.com, full-disclosure@netsys.com
Subject: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694]

Hello lists,

-------- Overview --------

There seems to be a remotely exploitable vulnerability in Sendmail up to and including the latest version, 8.12.9. The problem lies in the prescan() function, but is not related to previous issues with this code. The primary attack vector is an indirect invocation via parseaddr(), although other routes are possible. Heap or stack structures, depending on the calling location, can be overwritten due to the ability to go past the end of the input buffer in strtok()-alike routines.

This is an early release, thanks to my sheer stupidity.
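The class of defect described above, a strtok()-alike scanner that can step past the end of its input buffer, is easy to show in miniature. The following is an added example written for this page; it is not sendmail's prescan() code and not part of Zalewski's post. The trigger it uses (a backslash in the last position that swallows the NUL terminator) is a constructed illustration of how such a scanner loses its terminator, not a statement about what prescan() does; the function names, TOKEN_MAX and the sample input are all constructed. The hardened version beside it shows the defender's fix: carry an explicit end pointer and test it before every dereference.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 16

/* Unsafe tokenizer (constructed illustration, not sendmail's prescan()).
 * Copies one comma-terminated token from `in` into `out`; a backslash is
 * meant to quote the byte after it. Because that following byte is taken
 * unconditionally, a backslash in the last position swallows the NUL
 * terminator and the loop continues into whatever memory follows the
 * string. Returns the number of input bytes consumed so the overrun is
 * observable. */
size_t scan_token_unsafe(const char *in, char out[TOKEN_MAX])
{
    const char *p = in;
    size_t n = 0;

    while (*p != '\0' && *p != ',') {
        if (*p == '\\')
            p++;                        /* BUG: *p may now be the terminating NUL */
        if (n < TOKEN_MAX - 1)
            out[n++] = *p;
        p++;                            /* steps past the NUL when the backslash was last */
    }
    out[n] = '\0';
    return (size_t)(p - in);
}

/* Hardened tokenizer: carries an explicit end derived from a caller-supplied
 * length, tests the bound before every dereference, and treats a dangling
 * backslash as end of input instead of consuming the byte after it. */
size_t scan_token_safe(const char *in, size_t in_len, char out[TOKEN_MAX])
{
    const char *p = in;
    const char *end = in + in_len;
    size_t n = 0;

    while (p < end && *p != '\0' && *p != ',') {
        if (*p == '\\') {
            if (p + 1 >= end || p[1] == '\0')
                break;                  /* nothing to quote: stop here */
            p++;
        }
        if (n < TOKEN_MAX - 1)
            out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return (size_t)(p - in);
}

/* Constructed input: "abc" followed by a lone backslash. It lives in a
 * zero-filled 16-byte array so the unsafe scanner's over-read lands on
 * defined memory here; in a real program the bytes after the NUL are
 * whatever happens to sit next to the buffer. */
static const char SAMPLE[16] = "abc\\";

/* Bytes the unsafe scanner consumed beyond strlen(SAMPLE). */
size_t unsafe_overrun_bytes(void)
{
    char tok[TOKEN_MAX];
    return scan_token_unsafe(SAMPLE, tok) - strlen(SAMPLE);
}

/* Bytes the hardened scanner consumed; it stops at the dangling backslash. */
size_t safe_consumed_bytes(char tok[TOKEN_MAX])
{
    return scan_token_safe(SAMPLE, strlen(SAMPLE), tok);
}

int main(void)
{
    char tok[TOKEN_MAX];
    printf("unsafe scanner read %zu byte(s) past the terminator\n", unsafe_overrun_bytes());
    printf("safe scanner consumed %zu byte(s), token \"%s\"\n", safe_consumed_bytes(tok), tok);
    return 0;
}
```

The unsafe scanner ends one byte beyond the string's terminator on this input; with non-zero bytes after the buffer it would keep going, which is the condition under which heap or stack structures next to the buffer get read or overwritten. The hardened scanner never dereferences at or past `end` and simply stops at the dangling backslash, returning the three bytes it did consume.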
Index: parseaddr.c =================================================================== RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/parseaddr.c,v retrieving revision 1.16 diff -u -r1.16 parseaddr.c --- parseaddr.c 29 Mar 2003 19:44:01 -0000 1.16 +++ parseaddr.c 16 Sep 2003 17:37:26 -0000 @@ -700,7 +700,11 @@ addr[MAXNAME] = '\0'; returnnull: if (delimptr != NULL) + { + if (p > addr) + p--; *delimptr = p; + } CurEnv->e_to = saveto; return NULL; }
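Review bot: the new guard `if (p > addr) p--;` before `*delimptr = p;` on the `returnnull:` path carries no comment saying why the delimiter pointer is stepped back one byte; add one so the next reader knows the intent, presumably that the caller must not receive a pointer beyond the end of `addr` (which the preceding `addr[MAXNAME] = '\0';` has just terminated), and that the `p > addr` check keeps the decrement from stepping before the start of the buffer when `p` already equals `addr`.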
Already fixed in STABLE; others are in progress.
Created attachment 14317: patchinfo.sendmail
Created attachment 14318: putonftp-8.2.sendmail
Question: AFAIK (as Chris told me) we do not support 7.0-server/7.0-s390 (aka sles7-i386, sles7-ia64, sles7-ppc, 7.2-s390, sles7-s390x). Is this correct?
7.0-server/7.0-s390 is NOT sles7*!!! or 7.2-s390 (== sles7-s390)

7.0-server is:

hmuelle@armstrong /work/cd/data/maintained-CDs/ 1127 > grep "7.0-server" *
hmuelle@armstrong /work/cd/data/maintained-CDs/ 1128 > cd SAVE/
hmuelle@armstrong /work/cd/data/maintained-CDs/SAVE/ 1129 > grep "7.0-server" *
basis-db2.i386:Distribution: 7.0-server-i386
email-server-II.i386:Distribution: 7.0-server-i386
firewall-live.i386:Distribution: 7.0-server-i386
OK ... on what distribution is sles7 based?
CAN-2003-0694
werner/sendmail> ll -G /work/src/done/*/sendmail/putonftp
-rw-r--r-- 1 werner 351 Sep 17 16:59 /work/src/done/7.2/sendmail/putonftp
-rw-r--r-- 1 werner 351 Sep 17 17:00 /work/src/done/7.3/sendmail/putonftp
-rw-r--r-- 1 werner 351 Sep 17 16:54 /work/src/done/8.0/sendmail/putonftp
-rw-r--r-- 1 werner 351 Sep 17 16:52 /work/src/done/8.1/sendmail/putonftp
-rw-r--r-- 1 werner 350 Sep 17 16:48 /work/src/done/8.2/sendmail/putonftp
-rw-r--r-- 1 werner 351 Sep 17 16:52 /work/src/done/SLES8/sendmail/putonftp
-rw-r--r-- 1 werner 351 Sep 17 16:52 /work/src/done/UL1/sendmail/putonftp
Ok we need new packages due to additional patches.
Old packages rejected; werner submitted packages 8.0-8.2. Need patches for older sendmail versions... working on it.
Ok, I think we can ignore the maxatom thing and just patch the remotely exploitable bug for the 8.11.x version. To add the patch we have to rewrite the rewrite() function, and it's not worth the effort. So, 7.2 - 7.3 are ready to go. :)
*** Bug 46396 has been marked as a duplicate of this bug. ***
Can we close this bug for 9.0?
no approval from QA yet....
I don't consider this a blocker. It's not a default package.
Advisory released --> close bug
CVE-2003-0694: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)