Bug 184465
Summary: | CVE-2006-0058 Sendmail race condition issue | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | Josh Bressers <bressers> | ||||
Component: | sendmail | Assignee: | Thomas Woerner <twoerner> | ||||
Status: | CLOSED ERRATA | QA Contact: | David Lawrence <dkl> | ||||
Severity: | urgent | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 4.0 | CC: | security-response-team | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | source=cert,reported=20060308,embargo=20060322,impact=critical | ||||||
Fixed In Version: | RHSA-2006-0264 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2006-03-22 16:09:10 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Josh Bressers
2006-03-08 23:09:43 UTC
Created attachment 125842 [details]
Proposed patch from CERT
To quote CERT regarding this patch:
A patch to correct this issue in sendmail versions 8.13 is provided
below. The patch also eliminates potential integer overflows in how
sendmail handles message headers. This patch was prepared manually by
Sendmail and in our experience will generate warnings about
offsets. We've discussed this with Sendmail and believe it to be
harmless. Aside from that, CERT/CC has not verified this patch, what
issues are corrected, and how those issues are corrected.
More information can be found mentioned in the release notes for the upcoming Sendmail release: SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server and client side of sendmail with timeouts in the libsm I/O layer and fix problems in that code. Also fix handling of a buffer in sm_syslog() which could have been used as an attack vector to exploit the unsafe handling of setjmp(3)/longjmp(3) in combination with signals. Problem detected by Mark Dowd of ISS X-Force. Handle theoretical integer overflows that could triggered if the server accepted headers larger than the maximum (signed) integer value. This is prevented in the default configuration by restricting the size of a header, and on most machines memory allocations would fail before reaching those values. Problems found by Phil Brass of ISS. Note that the patch above was modified to take account of the versions we were backporting to, as on systems where time_t != int (like s390x) the patch caused a regression. In order to correct this issue for Red Hat Enterprise Linux 2.1 users, it was necessary to upgrade the version of Sendmail from 8.11 as originally shipped to Sendmail 8.12 with the addition of the security patch supplied by Sendmail Inc. The erratum therefore provides updated packages based on Sendmail 8.12 with a compatibility mode enabled. After updating to these packages, users should pay close attention to their sendmail logs to ensure that the upgrade completed sucessfully. This issue is now public: http://www.sendmail.org/8.13.6.html An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0265.html An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0264.html |