Bug 195418

Summary: CVE-2006-1173 Sendmail - Deeply nested malformed MIME denial of service attack
Product: [Retired] Fedora Legacy
Component: sendmail
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
URL: http://www.kb.cert.org/vuls/id/146718
Whiteboard: LEGACY, rh73, rh90, 1, 2, 3
Fixed In Version: FLSA-2006:195418
Reporter: David Eisenstein <deisenst>
Assignee: Fedora Legacy Bugs <bugs>
CC: jkeating, marc.deslauriers, sheltren, tmeader
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2006-10-29 09:38:22 UTC

Description David Eisenstein 2006-06-15 04:37:55 UTC
Description of problem:
Sendmail does not properly handle malformed multipart MIME messages. This
vulnerability may allow a remote, unauthenticated attacker to cause a
denial-of-service condition.

Version-Release number of selected component (if applicable):
Apparently all Legacy releases.


Additional info:

Red Hat issued RHSA-2006-0515 today for CVE-2006-1173 for RHEL 2.1, 
RHEL 3, and RHEL 4.  This issue was rated as having an important impact
by the Red Hat Security Response Team.
    http://rhn.redhat.com/errata/RHSA-2006-0515.html

"A flaw in the handling of multi-part MIME messages was discovered in
Sendmail.  A remote attacker could create a carefully crafted message that
could crash the sendmail process during delivery (CVE-2006-1173).  By
default on Red Hat Enterprise Linux, Sendmail is configured to only accept
connections from the local host. Therefore, only users who have configured
Sendmail to listen to remote hosts would be remotely vulnerable to this issue.

"Users of Sendmail are advised to upgrade to these erratum packages, which
contain a backported patch from the Sendmail team to correct this issue."

References:
   * http://www.kb.cert.org/vuls/id/146718
   * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173
   * Sendmail advisory "Sendmail-SA-200605-01":
     http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc
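
As an added illustration of the failure mode the advisory describes (example code written for this page, not Sendmail's code and not the backported patch): a minimal multipart MIME walker that descends into nested bodies, run once without a nesting cap and once with one. The message builder, the boundary names, the sample addresses and the cap of 10 levels are all constructed for the example; the depth cap is a generic defence chosen for illustration and says nothing about how the Sendmail fix itself works.

```python
import re

# Matches the boundary parameter of a Content-Type value (quoted or bare).
_BOUNDARY_RE = re.compile(r'boundary="?([^";\r\n]+)"?', re.IGNORECASE)


class MimeTooDeep(Exception):
    """Raised when multipart nesting exceeds the configured cap."""


def build_nested_multipart(depth: int) -> bytes:
    """Constructed sample message: `depth` multipart/mixed bodies nested one
    inside the next, ending in a single text/plain leaf. depth=0 is a plain
    message. Boundary names b0, b1, ... are made up for the example."""
    entity = b"Content-Type: text/plain\r\n\r\nleaf\r\n"
    for level in range(depth):
        b = b"b%d" % level
        entity = (b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
                  + b"--" + b + b"\r\n" + entity + b"\r\n--" + b + b"--\r\n")
    return b"From: qa@example.invalid\r\nTo: qa@example.invalid\r\n" + entity


def _boundary(headers: bytes):
    """Return the multipart boundary named in the entity headers, or None.
    Header folding is not handled; enough for the constructed sample."""
    for line in headers.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type" and b"multipart/" in value.lower():
            m = _BOUNDARY_RE.search(value.decode("latin-1"))
            if m:
                return m.group(1).encode("latin-1")
    return None


def _parts(body: bytes, boundary: bytes):
    """Split a multipart body into its parts on the RFC 2046 delimiter lines
    ("--boundary" opens a part, "--boundary--" closes the body)."""
    delim, close = b"--" + boundary, b"--" + boundary + b"--"
    parts, current = [], None
    for line in body.split(b"\r\n"):
        if line == delim or line == close:
            if current is not None:
                parts.append(b"\r\n".join(current))
            current = [] if line == delim else None
        elif current is not None:
            current.append(line)
    return parts


def walk(entity: bytes, max_depth=None, depth: int = 0) -> int:
    """Descend into multipart bodies and return the deepest level reached.
    With max_depth set, raise MimeTooDeep before recursing past it; with
    max_depth=None the recursion is as deep as the attacker makes the input."""
    if max_depth is not None and depth > max_depth:
        raise MimeTooDeep("multipart nesting exceeds %d levels" % max_depth)
    headers, _, body = entity.partition(b"\r\n\r\n")
    boundary = _boundary(headers)
    if boundary is None:
        return depth
    deepest = depth
    for part in _parts(body, boundary):
        deepest = max(deepest, walk(part, max_depth, depth + 1))
    return deepest


def probe(depth: int, max_depth=None) -> str:
    """Run the walker over a constructed message of the given nesting depth
    and report what happened."""
    msg = build_nested_multipart(depth)
    try:
        return "ok:%d" % walk(msg, max_depth)
    except MimeTooDeep:
        return "rejected"
    except RecursionError:
        return "crashed"   # unbounded recursion exhausted the interpreter's stack


if __name__ == "__main__":
    print(probe(3, max_depth=10))     # a normal message passes
    print(probe(200, max_depth=10))   # a deeply nested one is refused, no crash
    print(probe(2000))                # uncapped: the walker itself falls over
```

The uncapped run stops with a RecursionError because Python enforces a frame limit (sys.getrecursionlimit()); a C program with the same per-level recursion has no such guard and simply overruns its stack, which is the "crash the sendmail process during delivery" outcome quoted above. The delimiter matching is deliberately line-exact and ignores header folding and trailing whitespace after a boundary, so it is a teaching aid rather than a drop-in parser.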

Comment 1 David Eisenstein 2006-06-15 04:39:51 UTC
Am building packages for RHL 7.3, RHL 9, FC1, FC2, FC3.

Comment 2 David Eisenstein 2006-06-16 01:42:22 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are some .src.rpm for PUBLISH (Source) QA for sendmail, fixing 
CVE-2006-1173.  Patches were obtained from RHEL 3 (for all sendmail-
8.12.11-*-legacy) and RHEL 4 (for sendmail-8.13.1-3.fc3.1.legacy).


  http://fedoralegacy.org/contrib/sendmail/

===========SHA1SUMS=====================__========Packages===============

0c11bdb206636c3dfefab41b93a2be0515a73a28__RH73/sendmail-8.12.11-4.22.11.legacy.src.rpm
9d078a6cf4d539894bd3d6c5dde06d38fa3f35cf__RH9/sendmail-8.12.11-4.24.4.legacy.src.rpm
6e8d25242fb6fd1d58cf8214997a128089058156__FC1/sendmail-8.12.11-4.25.4.legacy.src.rpm
b5f8f517939a769b89f99af59408bae53849f0d7__FC2/sendmail-8.12.11-4.26.1.legacy.src.rpm
aadb524e6ea8536471aa6f6f93521df31ff01fc1__FC3/sendmail-8.13.1-3.fc3.1.legacy.src.rpm


Typical RH73, RH9, FC1, FC2 changelogs:

* Wed Jun 14 2006 David Eisenstein <deisenst@...> 8.12.11-(release).legacy
- Fold in patch for CVE-2006-1173 from RHEL 3.  (Next two changelog items).
- Bug #195418

* Fri Jun  9 2006 Thomas Woerner <twoerner@...> 8.12.11-4.RHEL3.6
- second incarnation of patch for CVE-2006-1173 (VU#146718)

* Wed May 23 2006 Thomas Woerner <twoerner@...> 8.12.11-4.RHEL3.5
- fixed CVE-2006-1173 (VU#146718): possible denial of service issue caused
  by malformed multipart messages (#191203)


FC3 changelog:

* Wed Jun 14 2006 David Eisenstein <deisenst> 8.13.1-3.fc3.1.legacy
- Fold in patch for CVE-2006-1173 from RHEL 4.  (Next two changelog items).
- Bug #195418

* Fri Jun  9 2006 Thomas Woerner <twoerner> 8.13.1-3.RHEL4.5
- second incarnation of patch for CVE-2006-1173 (VU#146718)

* Wed May 23 2006 Thomas Woerner <twoerner> 8.13.1-3.RHEL4.4
- fixed CVE-2006-1173 (VU#146718): possible denial of service issue caused
  by malformed multipart messages (#191203)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFEkgvixou1V/j9XZwRAsCSAJ0Ti/u0nhDrZ7noyO6v7PC0y3/09wCglF+N
t0zp4/3BDOogw1210GT1haA=
=Fpox
-----END PGP SIGNATURE-----


Comment 3 Jeff Sheltren 2006-06-23 11:02:46 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've done QA on the proposed packages:

0c11bdb206636c3dfefab41b93a2be0515a73a28  rh73/sendmail-8.12.11-4.22.11.legacy.src.rpm
9d078a6cf4d539894bd3d6c5dde06d38fa3f35cf  rh9/sendmail-8.12.11-4.24.4.legacy.src.rpm
6e8d25242fb6fd1d58cf8214997a128089058156  fc1/sendmail-8.12.11-4.25.4.legacy.src.rpm
b5f8f517939a769b89f99af59408bae53849f0d7  fc2/sendmail-8.12.11-4.26.1.legacy.src.rpm
aadb524e6ea8536471aa6f6f93521df31ff01fc1  fc3/sendmail-8.13.1-3.fc3.1.legacy.src.rpm

All files match those from previous releases except for new patch:
sendmail-8.12-VU#146718.patch
That patch is identical to the one from the EL3 sendmail package,
or in the case of FC3, the patch is identical to the one from EL4.

Only spec file changes are to add the new patch, bump release and
modify the changelog.

I do have a problem with the release tag change for the FC3 package.
The old package used:
Release: 3.legacy
The new one is:
Release: 3.fc3.1.legacy

If I recall correctly, RPM will see the old release as being newer than
the new release because
a) 3 == 3
b) l > f

I see that the current FC4 sendmail package is sendmail-8.13.6.  Since FC3
uses sendmail-8.13.1, we don't really have to worry about bumping the release too
high and screwing up the upgrade path because the version in FC4 will always be
higher.
I'd suggest simply changing '3.legacy' to '4.legacy'.

Aside from that, everything looks good with all the packages.

RH73 PUBLISH++
RH9 PUBLISH++
FC1 PUBLISH++
FC2 PUBLISH++
FC3 PUBLISH++ (pending a fix to the release tag)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFEm8vuKe7MLJjUbNMRAuuyAJ953nKldnDUcVf7M9z/WrCkRGIKBwCcCwqu
hnbqIdB2hvQPfcBcbOx8tS0=
=KQDT
-----END PGP SIGNATURE-----
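
A worked check of the release-tag ordering raised in comment 3, as an added example that is not part of the bug report: a Python re-implementation of RPM's rpmvercmp() segment comparison, applied to the three FC3 release tags under discussion. Everything not quoted from the thread is an assumption, in particular the FC4 release tag "1" (the thread only gives the FC4 version, 8.13.6, and the version alone decides that comparison). The tilde and caret rules later RPM versions added are not implemented; on a host with the rpm Python bindings, rpm.labelCompare() gives the authoritative answer.

```python
import re

# rpmvercmp() splits each string into maximal runs of digits or letters and
# ignores every other character, so "3.fc3.1.legacy" -> ["3","fc","3","1","legacy"].
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Re-implementation of RPM's rpmvercmp(): 1 if a is newer, -1 if b is newer,
    0 if they order equal. Tilde/caret handling of newer RPM is left out."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1           # a numeric segment is newer than an alpha one
        if x_num:
            xi, yi = int(x), int(y)             # numeric segments compare as integers (1.10 > 1.9)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1           # alpha segments compare with strcmp(): "legacy" > "fc"
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1   # whoever still has segments left wins
    return 0


def compare_evr(a, b) -> int:
    """Order two (epoch, version, release) triples the way RPM orders packages:
    epoch first, then version, then release."""
    for x, y in zip(a, b):
        r = rpmvercmp(str(x), str(y))
        if r:
            return r
    return 0


# The FC3 sendmail packages from the thread (epoch 0, version 8.13.1) and the
# three release tags discussed in comment 3.
INSTALLED = (0, "8.13.1", "3.legacy")        # already on FC3 systems
PROPOSED  = (0, "8.13.1", "3.fc3.1.legacy")  # release tag in the src.rpm under QA
SUGGESTED = (0, "8.13.1", "4.legacy")        # tag suggested in comment 3
# FC4 ships sendmail-8.13.6 per the thread; its release tag is not given, so
# the "1" is an assumption made for this example only.
FC4       = (0, "8.13.6", "1")


def upgrade_path() -> dict:
    """Would rpm/yum treat each candidate as an upgrade over INSTALLED, and
    does the FC4 package still sort above the suggested tag?"""
    return {
        "proposed_upgrades_installed":  compare_evr(PROPOSED, INSTALLED) > 0,
        "suggested_upgrades_installed": compare_evr(SUGGESTED, INSTALLED) > 0,
        "fc4_newer_than_suggested":     compare_evr(FC4, SUGGESTED) > 0,
    }


if __name__ == "__main__":
    for name, ok in upgrade_path().items():
        print(f"{name}: {ok}")
```

The first result comes out False: at the second segment the comparison is "fc" against "legacy", both alphabetic, and strcmp() puts "legacy" after "fc", so the already-installed 3.legacy outranks 3.fc3.1.legacy and yum would never offer the fixed package. Bumping to 4.legacy fixes that at the first (numeric) segment, and 8.13.6 still wins on version before the release tag is ever consulted.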

Comment 4 David Eisenstein 2006-06-24 09:39:53 UTC
Thanks for the QA!

Good catch, Jeff.  The release tag will be fixed during build.  Thanks.

Comment 5 Tim Meader 2006-07-18 06:04:52 UTC
Hate to bugspam, but is there any ETA on either a release or even testing build
of the patched RPMS?

Comment 6 Marc Deslauriers 2006-07-28 02:38:18 UTC
Packages were pushed to updates-testing

Comment 7 Tom Yates 2006-07-29 10:56:13 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

31695348a11ac9b47d5470249072f2175131bdab sendmail-8.12.11-4.24.4.legacy.i386.rpm
05c883b5a6b218f69a08c711ca71e4d14d958141 sendmail-cf-8.12.11-4.24.4.legacy.i386.rpm
7bc9aef8a1a8794eb6ad6c8496ede743bc61fd76 sendmail-devel-8.12.11-4.24.4.legacy.i386.rpm
470d3a9ada94a6d1735176050cfa94c8eefc8c70 sendmail-doc-8.12.11-4.24.4.legacy.i386.rpm

installs OK, mc file recreates fine with m4 (no major difference from
previous).  email comes and goes fine.

+VERIFY RH9


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFEy0CFePtvKV31zw4RAjyzAJ46ahinbaAMclQTqM3IvyIfzYpd5ACgpydt
MuXyqoHNGIjIJ+zwOMMFgc0=
=x2IL
-----END PGP SIGNATURE-----


Comment 8 David Eisenstein 2006-08-29 07:25:32 UTC
Thank you for the QA on this, Tom Yates.

I think according to Fedora Legacy policy, if a verify happens on at least
one of the distros/releases, then a timeout of one week is supposed to be
created after which packages should be released unless there is objection?
... and if no one does a verify vote on any of the packages, they get
released anyway after a timeout of 2 weeks or 3 weeks?

(Sorry, have been away for awhile).  Pekka used to help track these and stay on
top of them.

So, bottom line: aren't these due for release to updates?

Comment 9 Marc Deslauriers 2006-08-29 22:41:28 UTC
yep...these should be released...

Comment 10 David Eisenstein 2006-09-07 10:53:52 UTC
I can't release these.  Would you please do so, Marc or Jesse?

Thanks!  -David

Comment 11 David Eisenstein 2006-10-29 09:38:22 UTC
Released to updates.

Announcement:
<http://www.redhat.com/archives/fedora-legacy-announce/2006-October/msg00000.html>

Comment 12 Paul Stauffer 2006-10-30 03:29:08 UTC
The repo metadata still needs to be updated before users will be able to update
via yum.  The announcement probably should have been held until this was done,
to avoid confusion.