Bug 1102174 (CVE-2014-3956)

Summary: CVE-2014-3956 sendmail: Properly set the close-on-exec flag for file descriptors
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: jkurik, jskarvad, pasteur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: sendmail-8.14.9
Doc Type: Bug Fix
Last Closed: 2014-11-21 12:04:50 UTC
Bug Depends On: 1104553    
Bug Blocks: 1102177    
Attachments:
patch generated from diff of 8.14.8 to 8.14.9 (flags: none)

Description Vasyl Kaigorodov 2014-05-28 14:42:13 UTC
Upstream released version 8.14.9 of sendmail [1] which fixes one security related bug by properly closing file descriptors (except stdin, stdout, and stderr) before executing programs. This bug could enable local users to interfere with an open SMTP connection if they can execute their own program for mail delivery (e.g., via procmail or the prog mailer).

[1]: http://www.sendmail.com/sm/open_source/download/8.14.9/?show_rs=1
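
An added illustration of the descriptor leak described in this report; it is not part of the bug report or of the sendmail patch. A socketpair stands in for the open SMTP connection and /bin/sh for the delivery program, and `bytes_written_by_mailer` is a hypothetical name. Without FD_CLOEXEC the exec'd program can write into the connection; with the flag set the descriptor no longer exists after exec.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-ins: a socketpair plays the open SMTP connection and
 * /bin/sh plays the delivery program (procmail or the prog mailer).
 * Returns the bytes the exec'd program wrote into the connection
 * (0 means the descriptor was not inherited), or -1 on a setup error. */
int bytes_written_by_mailer(int set_cloexec)
{
    int sv[2], flags, ok;
    char cmd[64], buf[16];
    ssize_t n = -1;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    /* Some shells accept only single-digit descriptors in ">&N". */
    ok = sv[0] <= 9;
    if (ok && set_cloexec) {
        /* The mitigation: mark the connection close-on-exec. */
        flags = fcntl(sv[0], F_GETFD);
        ok = flags >= 0 && fcntl(sv[0], F_SETFD, flags | FD_CLOEXEC) == 0;
    }
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; echo x >&%d", sv[0]);
    pid = ok ? fork() : -1;
    if (pid == 0) {
        close(sv[1]);                 /* the peer end is not the point here */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (pid > 0) {
        waitpid(pid, NULL, 0);
        /* Non-blocking read of whatever the mailer pushed into the socket. */
        n = recv(sv[1], buf, sizeof buf, MSG_DONTWAIT);
        if (n < 0)
            n = 0;                    /* nothing arrived: fd was closed at exec */
    }
    close(sv[0]);
    close(sv[1]);
    return (int)n;
}

int main(void)
{
    printf("without FD_CLOEXEC: %d bytes\n", bytes_written_by_mailer(0));
    printf("with FD_CLOEXEC:    %d bytes\n", bytes_written_by_mailer(1));
    return 0;
}
```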

Comment 1 Vincent Danen 2014-05-30 14:01:26 UTC
Created attachment 900848
patch generated from diff of 8.14.8 to 8.14.9

I can't find a CVS repository for sendmail, so this was generated by manually diffing and removing everything that was obviously not related.  This seems to be the required patch.

Comment 2 Jaroslav Škarvada 2014-06-02 12:10:06 UTC
Thanks for the diff.

Will you open Fedora / RHEL bugs?

Several places were already covered by selinux, that's the purpose of e.g. milterfdleaks patch, which now seems to be obsoleted.

Comment 3 Murray McAllister 2014-06-03 06:31:46 UTC
CVE request: http://seclists.org/oss-sec/2014/q2/400

Comment 4 Murray McAllister 2014-06-04 08:24:57 UTC
MITRE assigned CVE-2014-3956 to this issue:

http://seclists.org/oss-sec/2014/q2/426

Comment 5 Murray McAllister 2014-06-04 08:26:47 UTC
Created sendmail tracking bugs for this issue:

Affects: fedora-all [bug 1104553]

Comment 6 Fedora Update System 2014-06-13 05:31:49 UTC
sendmail-8.14.8-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-06-19 23:00:39 UTC
sendmail-8.14.7-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Martin Prpič 2014-11-21 12:04:50 UTC
Statement:

This issue affects the versions of sendmail as shipped with Red Hat Enterprise Linux 4, 5, 6, and 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.