From security-officer@NetBSD.org Thu Oct 9 16:36:23 2003 From: NetBSD Security Officer To: bugtraq@securityfocus.com Date: Thu, 9 Oct 2003 15:34:25 -0400 Subject: NetBSD Security Advisory 2003-016: Sendmail - another prescan() bug CAN-2003-0694 -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2003-016 ================================= Topic: Sendmail - another prescan() bug CAN-2003-0694 Version: NetBSD-current: source prior to September 18, 2003 NetBSD 1.6.1: affected NetBSD 1.6: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected pkgsrc: sendmail packages prior to 8.12.10 Severity: Remote exploit Fixed: NetBSD-current: September 18, 2003 NetBSD-1.6 branch: September 18, 2003 (1.6.2 will include the fix) NetBSD-1.5 branch: September 19, 2003 pkgsrc: sendmail-8.12.10 corrects this issue Abstract ======== - From sendmail 8.12.10 release notes (http://www.sendmail.org/8.12.10.html): SECURITY: Fix a buffer overflow in address parsing. Problem detected by Michal Zalewski, patch from Todd C. Miller of Courtesan Consulting. Sendmail does not run by default on NetBSD installations. Sendmail does not run as root when enabled on modern NetBSD installations. However, a remote exploit of the sendmail (smmsp - Sendmail Message Submission Program) uid could lead to opportunities to apply local exploits to further elevate privileges. Technical Details ================= http://www.sendmail.org/8.12.10.html http://www.cert.org/advisories/CA-2003-25.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0694 Solutions and Workarounds ========================= NetBSD releases since 1.5 have included the option of using the Postfix mail system as an alternative to sendmail. For simple site configurations, switching between sendmail and Postfix is relatively easy, and provides a workaround to any sendmail security issues. An upgrade of the sendmail daemon is required to address this problem. If you have a running instance of sendmail on your system, it must be restarted once the installed binary is updated. The following version string identifies a patched version; if you have one of these versions, your system is already safe. NetBSD-current: 8.12.9p1 NetBSD-1.6.x: 8.11.6p3 NetBSD-1.5.x: 8.11.6p3 The following instructions describe how to upgrade your sendmail binaries by updating your source tree and rebuilding and installing a new version of sendmail. * NetBSD-current: Systems running NetBSD-current dated from before 2003-09-17 should be upgraded to NetBSD-current dated 2003-09-18 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): src/gnu/dist/sendmail/sendmail/parseaddr.c To update from CVS, re-build, and re-install sendmail: # cd src # cvs update -d -P gnu/dist/sendmail/sendmail/parseaddr.c # cd gnu/usr.sbin/sendmail # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 1.6, 1.6.1: The binary distribution of NetBSD 1.6 and 1.6.1 are vulnerable. Systems running NetBSD 1.6 sources dated from before 2003-09-17 should be upgraded from NetBSD 1.6 sources dated 2003-09-18 or later. NetBSD 1.6.2 will include the fix. The following directories need to be updated from the netbsd-1-6 CVS branch: src/gnu/dist/sendmail/sendmail/parseaddr.c To update from CVS, re-build, and re-install sendmail: # cd src # cvs update -d -P -r netbsd-1-6 \ gnu/dist/sendmail/sendmail/parseaddr.c # cd gnu/usr.sbin/sendmail # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: The binary distribution of NetBSD 1.5 to 1.5.3 are vulnerable. Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated from before 2003-09-18 should be upgraded from NetBSD 1.5.* sources dated 2003-09-19 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: src/gnu/dist/sendmail/sendmail/parseaddr.c To update from CVS, re-build, and re-install sendmail: # cd src # cvs update -d -P -r netbsd-1-5 \ gnu/dist/sendmail/sendmail/parseaddr.c # cd gnu/usr.sbin/sendmail # make cleandir dependall # make install Thanks To ========= Andrew Brown, and CERT Revision History ================ 2003-10-09 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-016.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2003-016.txt,v 1.5 2003/10/09 17:49:45 david Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBP4Wglj5Ru2/4N2IFAQGuBAQAvo0ZvMMrKHz4y1vbpsp7wV8Q3pHSbcv6 rNWvYJpIM1nZBxLYttHSm472bSeRKytPqtLTAvbE4zkYfNnXN/baZ7w9GUFIkwrs BMtd6gRgQzPEyUN0zHc/qpcdUqVvU6YJB9DouEkjRy/96hUliMJzOOr7oBUjabOV 2osagUWDgzM= =S6is -----END PGP SIGNATURE-----