Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1102174 - (CVE-2014-3956) CVE-2014-3956 sendmail: Properly set the close-on-exec flag for file descriptors
CVE-2014-3956 sendmail: Properly set the close-on-exec flag for file descriptors
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20140521,reported=2...
: Security
Depends On: 1104553
Blocks: 1102177
  Show dependency treegraph
 
Reported: 2014-05-28 10:42 EDT by Vasyl Kaigorodov
Modified: 2014-11-21 07:04 EST (History)
3 users (show)

See Also:
Fixed In Version: sendmail-8.14.9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-11-21 07:04:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch generated from diff of 8.14.8 to 8.14.9 (483 bytes, patch)
2014-05-30 10:01 EDT, Vincent Danen 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Vasyl Kaigorodov 2014-05-28 10:42:13 EDT 
Upstream released version 8.14.9 of sendmail [1] which fixes one security related bug by properly closing file descriptors (except stdin, stdout, and stderr) before executing programs. This bug could enable local users to interfere with an open SMTP connection if they can execute their own program for mail delivery (e.g., via procmail or the prog mailer).

[1]: http://www.sendmail.com/sm/open_source/download/8.14.9/?show_rs=1
Comment 1 Vincent Danen 2014-05-30 10:01:26 EDT 
Created attachment 900848 [details]
patch generated from diff of 8.14.8 to 8.14.9

I can't find a CVS repository for sendmail, so this was generated by manually diffing and removing everything that was obviously not related.  This seems to be the required patch.
Comment 2 Jaroslav Škarvada 2014-06-02 08:10:06 EDT 
Thanks for the diff.

Will you open Fedora / RHEL bugs?

Several places were already covered by selinux, that's the purpose of e.g. milterfdleaks patch, which now seems to be obsoleted.
Comment 3 Murray McAllister 2014-06-03 02:31:46 EDT 
CVE request: http://seclists.org/oss-sec/2014/q2/400
Comment 4 Murray McAllister 2014-06-04 04:24:57 EDT 
MITRE assigned CVE-2014-3956 to this issue:

http://seclists.org/oss-sec/2014/q2/426
Comment 5 Murray McAllister 2014-06-04 04:26:47 EDT 
Created sendmail tracking bugs for this issue:

Affects: fedora-all [bug 1104553]
Comment 6 Fedora Update System 2014-06-13 01:31:49 EDT 
sendmail-8.14.8-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-06-19 19:00:39 EDT 
sendmail-8.14.7-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Martin Prpič 2014-11-21 07:04:50 EST 
Statement:

This issue affects the versions of sendmail as shipped with Red Hat Enterprise Linux 4, 5, 6, and 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.