Bug 1102174 (CVE-2014-3956) - CVE-2014-3956 sendmail: Properly set the close-on-exec flag for file descriptors
Summary: CVE-2014-3956 sendmail: Properly set the close-on-exec flag for file descriptors
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-3956
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20140521,reported=2...
Depends On: 1104553
Blocks: 1102177
TreeView+ depends on / blocked
 
Reported: 2014-05-28 14:42 UTC by Vasyl Kaigorodov
Modified: 2019-06-08 20:03 UTC (History)
3 users (show)

Fixed In Version: sendmail-8.14.9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-21 12:04:50 UTC


Attachments (Terms of Use)
patch generated from diff of 8.14.8 to 8.14.9 (483 bytes, patch)
2014-05-30 14:01 UTC, Vincent Danen
no flags Details | Diff

Description Vasyl Kaigorodov 2014-05-28 14:42:13 UTC
Upstream released version 8.14.9 of sendmail [1] which fixes one security related bug by properly closing file descriptors (except stdin, stdout, and stderr) before executing programs. This bug could enable local users to interfere with an open SMTP connection if they can execute their own program for mail delivery (e.g., via procmail or the prog mailer).

[1]: http://www.sendmail.com/sm/open_source/download/8.14.9/?show_rs=1

Comment 1 Vincent Danen 2014-05-30 14:01:26 UTC
Created attachment 900848 [details]
patch generated from diff of 8.14.8 to 8.14.9

I can't find a CVS repository for sendmail, so this was generated by manually diffing and removing everything that was obviously not related.  This seems to be the required patch.

Comment 2 Jaroslav Škarvada 2014-06-02 12:10:06 UTC
Thanks for the diff.

Will you open Fedora / RHEL bugs?

Several places were already covered by selinux, that's the purpose of e.g. milterfdleaks patch, which now seems to be obsoleted.

Comment 3 Murray McAllister 2014-06-03 06:31:46 UTC
CVE request: http://seclists.org/oss-sec/2014/q2/400

Comment 4 Murray McAllister 2014-06-04 08:24:57 UTC
MITRE assigned CVE-2014-3956 to this issue:

http://seclists.org/oss-sec/2014/q2/426

Comment 5 Murray McAllister 2014-06-04 08:26:47 UTC
Created sendmail tracking bugs for this issue:

Affects: fedora-all [bug 1104553]

Comment 6 Fedora Update System 2014-06-13 05:31:49 UTC
sendmail-8.14.8-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-06-19 23:00:39 UTC
sendmail-8.14.7-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Martin Prpič 2014-11-21 12:04:50 UTC
Statement:

This issue affects the versions of sendmail as shipped with Red Hat Enterprise Linux 4, 5, 6, and 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.