-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2003-009 ================================= Topic: sendmail buffer overrun in prescan() address parser Version: NetBSD-current: source prior to Mar 30, 2003 NetBSD 1.6: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected pkgsrc: prior to sendmail-8.12.9 Severity: Remote root compromise Fixed: NetBSD-current: March 30, 2003 NetBSD-1.6 branch: March 30, 2003 (1.6.1 will include the fix) NetBSD-1.5 branch: April 1, 2003 pkgsrc: sendmail-8.12.9 corrects this issue Abstract ======== - From the CERT advisory: There is a remotely exploitable vulnerability in sendmail that could allow an attacker to gain control of a vulnerable sendmail server. Address parsing code in sendmail does not adequately check the length of email addresses. An email message with a specially crafted address could trigger a stack overflow. This vulnerability was discovered by Michal Zalewski. This vulnerability is different than the one described in CA-2003-07. It is a different vulnerability than NetBSD SA2003-002. Technical Details ================= http://www.cert.org/advisories/CA-2003-12.html Solutions and Workarounds ========================= We advise sites running sendmail to upgrade as soon as possible. If upgrading is impossible at this time, we recommend you turn off the sendmail service. To determine if sendmail is running on your system, issue the command: # /etc/rc.d/sendmail status To stop currently running sendmail processes, issue the command: # /etc/rc.d/sendmail stop To ensure sendmail does not start after the next reboot, issue the command: # echo "sendmail=NO" >>/etc/rc.conf.d/sendmail To allow sendmail to start once upgraded, remove the sendmail=NO line from the end of /etc/rc.conf.d/sendmail. Binary patch instructions are included in the NetBSD-1.6 section below. The following instructions describe how to upgrade your sendmail binaries by updating your source tree and rebuilding and installing a new version of sendmail. * NetBSD-current: Systems running NetBSD-current dated from before 2003-03-30 should be upgraded to NetBSD-current dated 2003-03-31 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): gnu/dist/sendmail/sendmail To update from CVS, re-build, and re-install sendmail: # cd src # cvs update -d -P gnu/dist/sendmail/sendmail # cd gnu/usr.sbin/sendmail # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 1.6: The binary distribution of NetBSD 1.6 is vulnerable. Systems running NetBSD 1.6 sources dated from before 2003-03-30 should be upgraded from NetBSD 1.6 sources dated 2003-03-31 or later. NetBSD 1.6.1 will include the fix. The following directories need to be updated from the netbsd-1-6 CVS branch: gnu/dist/sendmail/sendmail To update from CVS, re-build, and re-install sendmail: # cd src # cvs update -d -P -r netbsd-1-6 gnu/dist/sendmail/sendmail # cd gnu/usr.sbin/sendmail # make USETOOLS=no cleandir dependall # make USETOOLS=no install * Binary patch: To apply the binary patch, perform the following steps, replacing ARCH with the NetBSD architecture you are running (i.e. i386): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-009-sendmail/netbsd-1-6/ARCH-sendmail.tgz cd / && tar xzvpf /path/to/ARCH-sendmail.tgz The tar file will extract a new copy of /usr/libexec/sendmail/sendmail, overwriting the vulnerable binary. * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: The binary distribution of NetBSD 1.5.3 is vulnerable. Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated from before 2003-04-01 should be upgraded from NetBSD 1.5.* sources dated 2003-04-02 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: gnu/dist/sendmail/sendmail To update from CVS, re-build, and re-install sendmail: # cd src # cvs update -d -P -r netbsd-1-5 gnu/dist/sendmail/sendmail # cd gnu/usr.sbin/sendmail # make cleandir dependall # make install Thanks To ========= Michal Zalewski and CERT for notification. Andrew Brown for patches. Revision History ================ 2003-04-04 Initial release 2003-04-06 Add binary patch 2003-04-07 Correct binary patch path - add 'p' flag for tar More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-009.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2003-009.txt,v 1.5 2003/04/08 02:15:17 david Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPpIw6T5Ru2/4N2IFAQEYGAQAn5Rg6mqNoOiUHu1sNf6m1K7vHPKeW7ts s7UerSDroXoPo2NcP/P0gXGBSd58UJo9coLo2JXiFjKKerElkA2k03A4QjwXH7dy Wzfpjs5yLVhrxL5mbQQZbJyJ6/wNldPbk9Kw87FJ9jZLJQ+FwmiBXb72JmbQ5RE3 EdgK6FLZldU= =JG/+ -----END PGP SIGNATURE-----