[2297] in bugtraq
Re: Sendmail 8.7, 8.7.1
daemon@ATHENA.MIT.EDU (SnoCrash)
Tue Oct 10 16:46:27 1995
Date: Tue, 10 Oct 1995 15:13:19 -0400
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: SnoCrash <spew@J51.COM>
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <9510100815.AA15978@aft-ms.Holland.Sun.COM>
On Tue, 10 Oct 1995, Casper Dik wrote:
> >Who knows what the root-shell-giving security hole is in Sendmail 8.6.12
> >that was incompletely patched in 8.7, and (supposedly) finally patched
> >in 8.7.1?
>
> It's just syslog() overruning the stack again. There's also another problem
> which causes the datas segment to be overrun, but that's not as easy
> to abuse (if at all).
There also seems to be some sort of problem with body types.
The following is quoted from the the Sendmail 8.7.1 RELEASE_NOTES file:
"Fix a problem that might cause a non-standard -B (body type)
parameter to be passed to the next server with undefined
results. This could have security implications."
Anyone have a clue as to what these "Security Implications" are?
The patch included follows... pretty easy to understand.
<begin patch to src/main.c>
***************
*** 789,795 ****
else if (strcasecmp(CurEnv->e_bodytype, "8BITMIME") == 0)
SevenBitInput = FALSE;
else
! usrerr("Illegal body type %s", optarg);
/* Enforce use of local time (null string overrides this) */
if (TimeZoneSpec == NULL)
--- 789,798 ----
else if (strcasecmp(CurEnv->e_bodytype, "8BITMIME") == 0)
SevenBitInput = FALSE;
else
! {
! usrerr("Illegal body type %s", CurEnv->e_bodytype);
! CurEnv->e_bodytype = NULL;
! }
/* Enforce use of local time (null string overrides this) */
if (TimeZoneSpec == NULL)
<end patch>
I haven't had time to play around with body types yet, although this bug
seems to be patched, we can never be sure with sendmail. :)
