[9134] in bugtraq
Re: Sendmail 8.8.x/8.9.x bugware
daemon@ATHENA.MIT.EDU (Nic Bellamy)
Wed Jan 20 13:08:56 1999
Date: Wed, 20 Jan 1999 16:47:25 +1300
Reply-To: Nic Bellamy <nic.b@IHUG.CO.NZ>
From: Nic Bellamy <nic.b@IHUG.CO.NZ>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.05.9812120151260.2558-100000@nimue.ids.pl>
On Sat, 12 Dec 1998, Michal Zalewski wrote:
> 2. 'Headers prescan' DoS
>
> There are possible DoS attacks due to ineffective headers prescan
> algorithm. Two or three medium-size (200 kb) mail messages may render
> system unusable for quite long period of time (as headers are parsed at
> least twice, on message collection and in queue). Exploit sold separately
> :-)
Hi,
After thinking that we may need more header lines allowed for when
we need to do mailouts to large numbers of our users, I've written up a
slightly nicer version of Michal's patch that allows the maximum number of
header lines to be set in sendmail.cf. It saves on recompiles :-)
For sendmail.cf:
O MaxHeaderLines=<number>
For M4 configuration:
define(`confMAX_HEADER_LINES',<number>)dnl
The patch is attached, and should have an MD5 signature of
f38ff30ea30ec0c2b2000f4586b03a0b. Michal's patch will need to be removed
(patch -R) before application.
Regards,
Nic.
+------ Nic Bellamy <nic.b@ihug.co.nz> -----+
| UN*X Programmer, The Internet Group (NZ). |
| http://www.ihug.co.nz/ |
+-------------------------------------------+
[Attachment: MaxHeaderLines.diff]
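The attached patch itself is not reproduced above, so the following is an added illustration of the mitigation it describes, written for this page and not taken from sendmail or from Nic Bellamy's or Michal Zalewski's code. It shows the property a configurable header-line limit buys you against the prescan DoS: the scanner counts physical header lines (folded continuation lines included, since they cost the parser just as much) and gives up as soon as the limit is exceeded, so a 200 kB header block costs at most max_lines of work instead of being read and reparsed in full. The function names, the return codes and the sample messages are all hypothetical constructs for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative only: not the sendmail patch, just the check it adds.
 * Result codes are invented for this example. */
enum { HDR_OK = 0, HDR_TOO_MANY = 1, HDR_UNTERMINATED = 2 };

/* Bounded header prescan for an RFC 822-style message.
 * Headers end at the first empty line ("\n" or "\r\n").
 * Each physical line counts, including folded continuations that
 * start with space or tab. Scanning stops the moment the count
 * exceeds max_lines, so the cost is O(max_lines) regardless of how
 * large the offending header block is. */
int prescan_headers(const char *msg, int max_lines, int *nlines)
{
    int n = 0;
    const char *p = msg;

    while (*p != '\0') {
        /* an empty line terminates the header block */
        if (*p == '\n' || (*p == '\r' && p[1] == '\n')) {
            *nlines = n;
            return HDR_OK;
        }
        const char *eol = strchr(p, '\n');
        n++;
        if (n > max_lines) {          /* the MaxHeaderLines-style limit */
            *nlines = n;
            return HDR_TOO_MANY;
        }
        if (eol == NULL) {            /* ran off the end without a blank line */
            *nlines = n;
            return HDR_UNTERMINATED;
        }
        p = eol + 1;
    }
    *nlines = n;
    return HDR_UNTERMINATED;
}

/* Constructed abuse case: a header block of k short lines, as a DoS
 * message in the spirit of the advisory would carry. Caller frees. */
char *build_big_headers(int k)
{
    size_t cap = (size_t)k * 7 + 2;   /* "X-A: b\n" is 7 bytes, plus "\n\0" */
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    char *q = buf;
    for (int i = 0; i < k; i++) {
        memcpy(q, "X-A: b\n", 7);
        q += 7;
    }
    *q++ = '\n';
    *q = '\0';
    return buf;
}

int main(void)
{
    /* constructed sample message with three header lines */
    const char *normal =
        "From: a@example.org\nTo: b@example.org\nSubject: hi\n\nbody\n";
    int n;

    int rc = prescan_headers(normal, 100, &n);
    printf("normal message: rc=%d lines=%d\n", rc, n);

    /* 50000 header lines, limit of 1000: rejected after 1001 lines */
    char *big = build_big_headers(50000);
    if (big == NULL)
        return 1;
    rc = prescan_headers(big, 1000, &n);
    printf("abusive message: rc=%d lines scanned=%d\n", rc, n);
    free(big);
    return 0;
}
```

The point to carry over to a real MTA is where the check sits: it has to fire during collection, before the header block is stored or parsed a second time in the queue, otherwise the limit caps nothing. Pick the limit from what legitimate mail actually needs (the post's motivation for making it a sendmail.cf option rather than a compile-time constant) and log rejections so a too-low value shows up as bounced mail rather than as silent loss.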