Bug 184465 - CVE-2006-0058 Sendmail race condition issue
CVE-2006-0058 Sendmail race condition issue
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sendmail (Show other bugs)
4.0
All Linux
medium Severity urgent
: ---
: ---
Assigned To: Thomas Woerner
David Lawrence
source=cert,reported=20060308,embargo...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-03-08 18:09 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version: RHSA-2006-0264
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-22 11:09:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Proposed patch from CERT (70.62 KB, patch)
2006-03-08 18:13 EST, Josh Bressers
no flags Details | Diff

  None (edit)
Description Josh Bressers 2006-03-08 18:09:43 EST
Sendmail race condition issue

CERT has reported a race condition issue in sendmail which may lead to
arbitrary remote code execution.

CERT has assinged this issue the name VU#834865


This issue also affects RHEL3
This issue also affects RHEL2.1
Comment 1 Josh Bressers 2006-03-08 18:13:46 EST
Created attachment 125842 [details]
Proposed patch from CERT

To quote CERT regarding this patch:

    A patch to correct this issue in sendmail versions 8.13 is provided
    below. The patch also eliminates potential integer overflows in how
    sendmail handles message headers. This patch was prepared manually by
    Sendmail and in our experience will generate warnings about
    offsets. We've discussed this with Sendmail and believe it to be
    harmless. Aside from that, CERT/CC has not verified this patch, what
    issues are corrected, and how those issues are corrected.
Comment 3 Mark J. Cox (Product Security) 2006-03-22 04:54:29 EST
More information can be found mentioned in the release notes for the upcoming
Sendmail release:

         SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server
                 and client side of sendmail with timeouts in the libsm I/O
                 layer and fix problems in that code.  Also fix handling of
                 a buffer in sm_syslog() which could have been used as an
                 attack vector to exploit the unsafe handling of
                 setjmp(3)/longjmp(3) in combination with signals.
                 Problem detected by Mark Dowd of ISS X-Force.
         Handle theoretical integer overflows that could triggered if
                 the server accepted headers larger than the maximum
                 (signed) integer value.  This is prevented in the default
                 configuration by restricting the size of a header, and on
                 most machines memory allocations would fail before reaching
                 those values.  Problems found by Phil Brass of ISS.
Comment 4 Mark J. Cox (Product Security) 2006-03-22 04:56:18 EST
Note that the patch above was modified to take account of the versions we were
backporting to, as on systems where time_t != int (like s390x) the patch caused
a regression.  

In order to correct this issue for Red Hat Enterprise Linux 2.1 users, it was
necessary to upgrade the version of Sendmail from 8.11 as originally shipped to
Sendmail 8.12 with the addition of the security patch supplied by Sendmail Inc. 

The erratum therefore provides updated packages based on Sendmail 8.12 with a
compatibility mode enabled. After updating to these packages, users should pay
close attention to their sendmail logs to ensure that the upgrade completed
sucessfully. 
Comment 8 Josh Bressers 2006-03-22 10:56:39 EST
This issue is now public:
http://www.sendmail.org/8.13.6.html
Comment 9 Red Hat Bugzilla 2006-03-22 11:01:39 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0265.html
Comment 10 Red Hat Bugzilla 2006-03-22 11:09:10 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0264.html

Note You need to log in before you can comment on or make changes to this bug.