枫林在线论坛精华区>>信息安全
[101527] 主题: FreeBSD Security Advisory FreeBSD-SA-03:13.sendmail
作者: guaiguai520. (guaiguai520.)
标题: FreeBSD Security Advisory FreeBSD-SA-03:13.sendmail[转载]
来自: 202.112.*.*
发贴时间: 2003年09月18日 09:17:47
长度: 7653字
发信人:guaiguai520@smth.org (乖乖),信区:cn.bbs.comp.security
标  题:FreeBSD Security Advisory FreeBSD-SA-03:13.sendmail
发信站:BBS 水木清华站
转信站:LeafOK!news.zixia.net!maily.cic.tsinghua.edu.cn!SMTH


----- Original Message ----- 
From: "FreeBSD Security Advisories" <security-advis
ories@freebsd.org>
To: "Bugtraq" <bugtraq@securityfocus.com>
Sent: Thursday, September 18, 2003 6:38 AM
Subject: FreeBSD Security Advisory FreeBSD-SA-03:13.sendmail



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================================================
=========
====
FreeBSD-SA-03:13.sendmail                                   Secu
rity Advisory

                                                          The Fr
eeBSD Project


Topic:          a third sendmail header parsing buffer overflow


Category:       contrib

Module:         contrib_sendmail
Announced:      2003-09-17
Credits:        Michal Zalewski <lcamtuf@dione.ids.pl>
                Todd C. Miller <Todd.Miller@courtesan.com>

Affects:        All releases of FreeBSD
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2003-09-17 15:18:20 UTC (RELENG_4, 4.9-PRERELEAS
E)
                2003-09-17 20:19:00 UTC (RELENG_5_1, 5.1-RELEASE
-p5)
                2003-09-17 20:19:22 UTC (RELENG_5_0, 5.0-RELEASE
-p14)
                2003-09-17 20:19:52 UTC (RELENG_4_8, 4.8-RELEASE
-p7)
                2003-09-17 20:20:08 UTC (RELENG_4_7, 4.7-RELEASE
-p17)
                2003-09-17 20:20:31 UTC (RELENG_4_6, 4.6-RELEASE
-p20)
                2003-09-17 20:20:54 UTC (RELENG_4_5, 4.5-RELEASE
-p32)
                2003-09-17 20:21:15 UTC (RELENG_4_4, 4.4-RELEASE
-p42)
                2003-09-17 20:21:40 UTC (RELENG_4_3, 4.3-RELEASE
-p38)
                2003-09-17 20:22:03 UTC (RELENG_3)
FreeBSD only:   NO

I.   Background

FreeBSD includes sendmail(8), a general purpose internetwork mai
l
routing facility, as the default Mail Transfer Agent (MTA).

II.  Problem Description

A buffer overflow that may occur during header parsing was ident
ified.

NOTE WELL:  This issue is distinct from the issue described in
`FreeBSD-SA-03:04.sendmail' and `FreeBSD-SA-03:07.sendmail', alt
hough
the impact is very similar.

III. Impact

An attacker could create a specially crafted message that may ca
use
sendmail to execute arbitrary code with the privileges of the us
er
running sendmail, typically root.  The malicious message might b
e
handled (and the vulnerability triggered) by the initial sendmai
l MTA,
by any relaying sendmail MTA, or by the delivering sendmail proc
ess.

IV.  Workaround

Disable sendmail by executing the following commands as root:

  # sh /etc/rc.sendmail stop
  # chmod 0 /usr/libexec/sendmail/sendmail

Be sure that sendmail is not restarted when the system is restar
ted
by adding the following line to the end of /etc/rc.conf:

  sendmail_enable="NO"
  sendmail_submit_enable="NO"
  sendmail_outbound_enable="NO"

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_
5_1,
RELENG_4_8, or RELENG_4_7 security branch dated after the correc
tion
date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5.1, 4
.8,
and 4.7 systems.

a) Download the relevant patch from the location below, and veri
fy the
detached PGP signature using your PGP utility.

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:13/sendmail
.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:13/sendmail
.patch.asc


b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libsm
# make obj && make depend && make
# cd /usr/src/lib/libsmutil
# make obj && make depend && make
# cd /usr/src/usr.sbin/sendmail
# make obj && make depend && make && mak
e install

c) Restart sendmail.  Execute the following command as root.

# /bin/sh /etc/rc.sendmail restart

VI.  Correction details

The following list contains the revision numbers of each file th
at was
corrected in FreeBSD.

Branch                                                          
 Revision

  Path
- --------------------------------------------------------------
---------
--
RELENG_4
  src/contrib/sendmail/src/parseaddr.c                       1.1
.1.2.6.14

RELENG_5_1
  src/UPDATING                                                  
1.251.2.6

  src/contrib/sendmail/src/parseaddr.c                       1.1
.1.17.2.1

  src/contrib/sendmail/src/version.c                         1.1
.1.19.2.1

  src/sys/conf/newvers.sh                                       
 1.50.2.7

RELENG_5_0

  src/UPDATING                                                 1
.229.2.20

  src/contrib/sendmail/src/parseaddr.c                       1.1
.1.14.2.3

  src/contrib/sendmail/src/version.c                         1.1
.1.16.2.2

  src/sys/conf/newvers.sh                                       
1.48.2.15

RELENG_4_8
  src/UPDATING                                              1.73
.2.80.2.9

  src/contrib/sendmail/src/parseaddr.c                   1.1.1.2
.6.12.2.2

  src/contrib/sendmail/src/version.c                     1.1.1.3
.2.14.2.2

  src/sys/conf/newvers.sh                                   1.44
.2.29.2.8

RELENG_4_7
  src/UPDATING                                             1.73.
2.74.2.20

  src/contrib/sendmail/src/parseaddr.c                   1.1.1.2
.6.10.2.3

  src/contrib/sendmail/src/version.c                     1.1.1.3
.2.12.2.2

  src/sys/conf/newvers.sh                                  1.44.
2.26.2.19

RELENG_4_6
  src/UPDATING                                             1.73.
2.68.2.48


  src/contrib/sendmail/src/parseaddr.c                    1.1.1.
2.6.8.2.3

  src/contrib/sendmail/src/version.c                      1.1.1.
3.2.9.2.2

  src/sys/conf/newvers.sh                                  1.44.
2.23.2.37

RELENG_4_5
  src/UPDATING                                             1.73.
2.50.2.49

  src/contrib/sendmail/src/parseaddr.c                    1.1.1.
2.6.6.4.3

  src/contrib/sendmail/src/version.c                      1.1.1.
3.2.7.4.2

  src/sys/conf/newvers.sh                                  1.44.
2.20.2.33

RELENG_4_4
  src/UPDATING                                             1.73.
2.43.2.50

  src/contrib/sendmail/src/parseaddr.c                    1.1.1.
2.6.6.2.3

  src/contrib/sendmail/src/version.c                      1.1.1.
3.2.7.2.2

  src/sys/conf/newvers.sh                                  1.44.
2.17.2.41

RELENG_4_3
  src/UPDATING                                             1.73.
2.28.2.37

  src/contrib/sendmail/src/parseaddr.c                    1.1.1.
2.6.4.2.3


  src/contrib/sendmail/src/version.c                      1.1.1.
3.2.4.2.2

  src/sys/conf/newvers.sh                                  1.44.
2.14.2.27

RELENG_3
  src/contrib/sendmail/src/parseaddr.c                        1.
1.1.2.2.3

  src/contrib/sendmail/src/version.c                          1.
1.1.2.2.3

- --------------------------------------------------------------
---------
--

VII. References

<URL: http://lists.netsys.com/pipermail/full-disclosure/2003-
September/010287
.html >
<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-
0694 >
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/aOHgFdaIBMps37IRAl09AKCVMKQCzC62EF7vZFnsZVoaGWpIMACfVGq0

0df1GogdqBVYUXzNBdHrwYA=
=4xqj
-----END PGP SIGNATURE-----

--
输了你我输了全部


※ 来源:·BBS 水木清华站 smth.org·[FROM: 210.43.181.10]


========== * * * * * ==========
返回