Bug 504186
| Summary: | sendmail may use sasl_encode64() improperly | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | jchadima, mlichvar, security-response-team, tmraz |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-06-18 07:14:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 487251 | | |
Description
Vincent Danen
2009-06-04 16:37:09 UTC
For the sake of completeness: in sendmail, sasl_encode64() is also used in sendmail/srvrsmtp.c. The buffer used to store the base64-encoded representation of the authentication string is allocated dynamically. Its size is computed using the ENC64LEN macro, which does not return a value that is a multiple of 4, and hence sasl_encode64 will always null-terminate or return an error.

Uses of sasl_encode64 in sendmail/usersmtp.c are harmless too. The output buffer used to store the base64-encoded string, in64, is only used as an argument to smtpmessage(). in64 can only be missing proper null termination when it gets fully filled by sasl_encode64(), i.e. when MAXOUTLEN (8192) bytes were written to it. smtpmessage() accepts printf-like arguments (format string + arguments) and uses the sendmail-specific vsnprintf-like function sm_vsnprintf to prepare the output string in the intermediate buffer SmtpMsgBuffer. The size of that buffer is MAXLINE (2048), hence memory located after in64 will not be copied into it, so memory disclosure is not possible. The only remaining risk is that in64 is printed to the output buffer using the '%s' format, which internally calls strlen on the argument. This strlen call can over-read the in64 buffer, but cannot reach far enough to trigger a SEGV, as it stops at the first '\0' byte anywhere on the stack above in64 (e.g. main's argc / argv, or the area storing args and environment variables located above the stack).

No security implications.
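The ENC64LEN argument above, worked through in code (an added example, not sendmail's or cyrus-sasl's own code): `model_encode64()` models sasl_encode64()'s termination contract (error when the data does not fit, NUL only when the buffer has spare room), `ENC64LEN` is sendmail's macro as I recall it from sendmail.h (assumed, not taken from the page), and the two check functions show that an ENC64LEN-sized buffer always leaves room for the terminator while a buffer of exactly the encoded length (a multiple of 4) does not.

```c
#include <string.h>
/* Model of cyrus-sasl's sasl_encode64() contract (added example, not the
 * library's code): returns -1 (SASL_BUFOVER) when outmax is smaller than the
 * encoded length, and writes a terminating NUL only when outmax > that length. */
static const char b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
int model_encode64(const unsigned char *in, unsigned inlen,
                   char *out, unsigned outmax, unsigned *outlen)
{
    unsigned olen = (inlen + 2) / 3 * 4;   /* encoded length, always a multiple of 4 */
    unsigned i, o = 0;
    if (outlen) *outlen = olen;
    if (outmax < olen) return -1;          /* SASL_BUFOVER: not even the data fits */
    for (i = 0; i < inlen; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < inlen) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < inlen) v |= in[i + 2];
        out[o++] = b64[(v >> 18) & 63];
        out[o++] = b64[(v >> 12) & 63];
        out[o++] = (i + 1 < inlen) ? b64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < inlen) ? b64[v & 63] : '=';
    }
    if (olen < outmax) out[olen] = '\0';   /* NUL only when there is spare room */
    return 0;
}
/* sendmail's ENC64LEN macro as I recall it from sendmail.h (assumed). */
#define ENC64LEN(l) (((((l) + 2) * 4) / 3) + 1)
/* 1 if, for every input length up to maxlen, an ENC64LEN()-sized buffer is
 * never a multiple of 4 and exceeds the encoded length, so the NUL always fits. */
int enc64len_always_terminates(unsigned maxlen)
{
    unsigned l;
    for (l = 0; l <= maxlen; l++)
        if (ENC64LEN(l) % 4 == 0 || ENC64LEN(l) <= (l + 2) / 3 * 4) return 0;
    return 1;
}
/* 1 if encoding inlen constructed 'A' bytes into an outmax-byte buffer left a
 * NUL inside it, 0 if the buffer was filled exactly with no terminator,
 * -1 if the sizes exceed the scratch buffers or the encode fails. */
int terminated_after_encode(unsigned inlen, unsigned outmax)
{
    unsigned char in[64];
    char out[128];
    if (inlen > sizeof in || outmax > sizeof out) return -1;
    memset(in, 'A', sizeof in);            /* constructed sample input */
    memset(out, 'X', sizeof out);          /* poison so a missing NUL is visible */
    if (model_encode64(in, inlen, out, outmax, NULL) != 0) return -1;
    return memchr(out, '\0', outmax) != NULL;
}
```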