Sendmail race condition issue

CERT has reported a race condition issue in sendmail which may lead to arbitrary remote code execution. CERT has assigned this issue the name VU#834865.

This issue also affects RHEL3.

This issue also affects RHEL2.1.
Created attachment 125842: Proposed patch from CERT

To quote CERT regarding this patch: A patch to correct this issue in sendmail versions 8.13 is provided below. The patch also eliminates potential integer overflows in how sendmail handles message headers. This patch was prepared manually by Sendmail and in our experience will generate warnings about offsets. We've discussed this with Sendmail and believe it to be harmless. Aside from that, CERT/CC has not verified this patch, what issues are corrected, and how those issues are corrected.
More information can be found in the release notes for the upcoming Sendmail release:

SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server and client side of sendmail with timeouts in the libsm I/O layer and fix problems in that code. Also fix handling of a buffer in sm_syslog() which could have been used as an attack vector to exploit the unsafe handling of setjmp(3)/longjmp(3) in combination with signals. Problem detected by Mark Dowd of ISS X-Force. Handle theoretical integer overflows that could be triggered if the server accepted headers larger than the maximum (signed) integer value. This is prevented in the default configuration by restricting the size of a header, and on most machines memory allocations would fail before reaching those values. Problems found by Phil Brass of ISS.
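The release notes above name two classes of defect: a timeout implemented by longjmp()ing out of a signal handler, which can abort any function half-way through an update, and header byte counts that can wrap a signed int. The following is an added, generic illustration written for this page; it is not sendmail or libsm code, and the names linebuf, append_longjmp, read_timeout, add_header_bytes and the demo_* functions are invented for it. It shows (1a) how a longjmp-based timeout leaves a buffer claiming bytes it never received, (1b) the safer shape the notes describe, a timeout inside the I/O call via poll() with any handler reduced to setting a sig_atomic_t flag, and (2) an overflow check that runs before the addition rather than after.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <limits.h>
#include <poll.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added illustration, not sendmail code; all names below are invented. */

/* ---- (1a) Hazard: a timeout that longjmp()s out of a signal handler ---- */
struct linebuf { char data[64]; size_t len; };
static jmp_buf timeout_jmp;

/* Stands in for a SIGALRM handler. A real one runs asynchronously, so the
 * longjmp can land in the middle of any non-reentrant operation. */
static void longjmp_handler(int sig) { (void)sig; longjmp(timeout_jmp, 1); }

/* Appends s to b. fire_after simulates the timeout firing during the copy:
 * len was already bumped, so after the longjmp the buffer claims bytes that
 * were never stored, and anything that later trusts len reads garbage. */
static int append_longjmp(struct linebuf *b, const char *s, size_t fire_after)
{
    size_t n = strlen(s);
    if (setjmp(timeout_jmp) != 0)
        return -1;                          /* "timed out"; b is now inconsistent */
    if (b->len + n >= sizeof b->data)
        return -1;
    b->len += n;                            /* step 1: account for the bytes */
    for (size_t i = 0; i < n; i++) {        /* step 2: copy them */
        if (i == fire_after)
            longjmp_handler(SIGALRM);
        b->data[b->len - n + i] = s[i];
    }
    b->data[b->len] = '\0';
    return 0;
}

/* Returns how many bytes len over-reports after an interrupted append. */
int demo_longjmp_hazard(void)
{
    struct linebuf b;
    memset(&b, 0, sizeof b);
    (void)append_longjmp(&b, "EHLO ", 2);   /* interrupted after 2 of 5 bytes */
    return (int)b.len - (int)strlen(b.data);
}

/* ---- (1b) Safer: timeout in the I/O call, handler only sets a flag ---- */
static volatile sig_atomic_t got_alarm = 0;
static void flag_handler(int sig) { (void)sig; got_alarm = 1; } /* async-signal-safe */

/* Returns bytes read (>0), 0 on EOF, -1 on error, -2 on timeout. Nothing is
 * interrupted mid-update: a timeout is just another return value. */
static ssize_t read_timeout(int fd, char *buf, size_t cap, int timeout_ms)
{
    struct pollfd p;
    p.fd = fd; p.events = POLLIN; p.revents = 0;
    int r = poll(&p, 1, timeout_ms);
    if (r == 0) return -2;
    if (r < 0) return -1;                   /* includes EINTR; caller checks got_alarm */
    return read(fd, buf, cap);
}

/* Demo on a pipe (constructed input "EHLO\r\n"): returns 0 when the queued
 * line is read and the then-empty pipe times out instead of blocking. */
int demo_timeout_read(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = flag_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -1;
    int fds[2];
    char buf[16];
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], "EHLO\r\n", 6) != 6) return -1;
    ssize_t a = read_timeout(fds[0], buf, sizeof buf, 100);
    ssize_t b = read_timeout(fds[0], buf, sizeof buf, 50);   /* nothing queued */
    close(fds[0]);
    close(fds[1]);
    return (a == 6 && b == -2) ? 0 : 1;
}

/* ---- (2) Header byte counting that cannot wrap an int ---- */
/* Adds n bytes to *total. Returns -1 and leaves *total untouched if the sum
 * would pass INT_MAX or the configured header limit. The check runs before
 * the addition: after a signed overflow it is already too late. */
int add_header_bytes(int *total, size_t n, int max_header_len)
{
    if (n > (size_t)INT_MAX || *total > INT_MAX - (int)n)
        return -1;
    if (*total + (int)n > max_header_len)
        return -1;
    *total += (int)n;
    return 0;
}

/* Returns 0 when the INT_MAX wrap and the policy limit are both rejected
 * while an ordinary header is still accepted. */
int demo_header_limit(void)
{
    int near_max = INT_MAX - 1, small = 10, near_limit = 32760;
    int r1 = add_header_bytes(&near_max, 5, INT_MAX);    /* would wrap */
    int r2 = add_header_bytes(&small, 20, 32768);        /* fine: 30 */
    int r3 = add_header_bytes(&near_limit, 20, 32768);   /* over policy limit */
    return (r1 == -1 && near_max == INT_MAX - 1 && r2 == 0 && small == 30
            && r3 == -1) ? 0 : 1;
}

int main(void)
{
    printf("phantom bytes after longjmp timeout: %d\n", demo_longjmp_hazard());
    printf("poll-based timeout demo: %s\n", demo_timeout_read() == 0 ? "ok" : "FAILED");
    printf("header limit demo: %s\n", demo_header_limit() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The longjmp in (1a) is invoked synchronously so the outcome is reproducible; with a real SIGALRM the interruption point is arbitrary, which is exactly why the release notes treat the pattern as unsafe rather than merely fragile. In (1b) the handler touches only a sig_atomic_t, and the loop that owns the buffer decides what to do on a timeout, so no partially updated state is ever abandoned.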
Note that the patch above was modified to take account of the versions we were backporting to, as on systems where time_t != int (like s390x) the patch caused a regression. In order to correct this issue for Red Hat Enterprise Linux 2.1 users, it was necessary to upgrade the version of Sendmail from 8.11 as originally shipped to Sendmail 8.12 with the addition of the security patch supplied by Sendmail Inc. The erratum therefore provides updated packages based on Sendmail 8.12 with a compatibility mode enabled. After updating to these packages, users should pay close attention to their sendmail logs to ensure that the upgrade completed successfully.
This issue is now public: http://www.sendmail.org/8.13.6.html
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0265.html
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0264.html