current-users: NetBSD Security Advisory 2006-010: Sendmail race condition

Subject: NetBSD Security Advisory 2006-010: Sendmail race condition
To: None <current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@NetBSD.org>
List: current-users
Date: 03/30/2006 02:37:02
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2006-010
		 =================================

Topic:		Sendmail race condition

Version:	NetBSD-current:	source prior to March 24, 2006
		NetBSD 3.0:	affected
		NetBSD 2.1:	affected
		NetBSD 2.0.*:	affected
		NetBSD 2.0:	affected
		NetBSD 1.6.*:	affected
		NetBSD 1.6:	affected
		pkgsrc:		sendmail packages prior to sendmail-8.13.5nb2
				sendmail packages prior to sendmail-8.12.11nb2

Severity:	Remote code execution with sendmail privileges

Fixed:		NetBSD-current:		March 24, 2006
		NetBSD-3-0 branch:	March 24, 2006
					   (3.0.1 will include the fix)
		NetBSD-3   branch:	March 24, 2006
		NetBSD-2-1 branch:	March 24, 2006
					   (2.1.1 will include the fix)
		NetBSD-2-0 branch:	March 24, 2006
					   (2.0.4 will include the fix)
		NetBSD-2   branch:	March 24, 2006
		pkgsrc:			sendmail-8.13.5nb2 corrects this issue
					sendmail-8.12.11nb2 corrects this issue


Abstract
========

Sendmail is vulnerable to a race condition in the handling of asynchronous 
signals. This may allow a remote attacker to execute arbitrary code with 
the privileges of the sendmail user.

This vulnerability has been assigned CVE reference CVE-2006-0058.


Technical Details
=================

Sendmail contains a race condition caused by the improper handling of
asynchronous signals. In particular, by forcing the SMTP server to have
an I/O timeout at exactly the correct instant, an attacker may be able
to execute arbitrary code with the privileges of the Sendmail process.

Solutions and Workarounds
=========================

Sendmail by default on NetBSD is bound to localhost (127.0.0.0, ::1) and
as such is not externally reachable.

However, it is recommended that all users of affected versions update their
sendmail to include the fix.

The following instructions describe how to upgrade your sendmail
binaries by updating your source tree and rebuilding and
installing a new version of sendmail.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2006-03-23
	should be upgraded to NetBSD-current dated 2006-03-24 or later.

	The following files need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		gnu/dist/sendmail/sendmail/collect.c
		gnu/dist/sendmail/sendmail/conf.c
		gnu/dist/sendmail/sendmail/deliver.c
		gnu/dist/sendmail/sendmail/headers.c
		gnu/dist/sendmail/sendmail/mime.c
		gnu/dist/sendmail/sendmail/parseaddr.c
		gnu/dist/sendmail/sendmail/savemail.c
		gnu/dist/sendmail/sendmail/sendmail.h
		gnu/dist/sendmail/sendmail/sfsasl.c
		gnu/dist/sendmail/sendmail/sfsasl.h
		gnu/dist/sendmail/sendmail/srvrsmtp.c
		gnu/dist/sendmail/sendmail/tls.c
		gnu/dist/sendmail/sendmail/usersmtp.c
		gnu/dist/sendmail/sendmail/util.c
		gnu/dist/sendmail/sendmail/version.c
		gnu/dist/sendmail/libsm/fflush.c
		gnu/dist/sendmail/libsm/local.h
		gnu/dist/sendmail/libsm/refill.c

	To update from CVS, re-build, and re-install sendmail:

		# cd src
		# cvs update -d -P gnu/dist/sendmail
		# cd gnu/usr.sbin/sendmail
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2006-03-23 should be upgraded from NetBSD 3.* sources dated
	2006-03-24 or later.

	The following files need to be updated from the
	netbsd-3 or netbsd-3-0 CVS branch:
		gnu/dist/sendmail/sendmail/collect.c
		gnu/dist/sendmail/sendmail/conf.c
		gnu/dist/sendmail/sendmail/deliver.c
		gnu/dist/sendmail/sendmail/headers.c
		gnu/dist/sendmail/sendmail/mime.c
		gnu/dist/sendmail/sendmail/parseaddr.c
		gnu/dist/sendmail/sendmail/savemail.c
		gnu/dist/sendmail/sendmail/sendmail.h
		gnu/dist/sendmail/sendmail/sfsasl.c
		gnu/dist/sendmail/sendmail/sfsasl.h
		gnu/dist/sendmail/sendmail/srvrsmtp.c
		gnu/dist/sendmail/sendmail/tls.c
		gnu/dist/sendmail/sendmail/usersmtp.c
		gnu/dist/sendmail/sendmail/util.c
		gnu/dist/sendmail/sendmail/version.c
		gnu/dist/sendmail/libsm/fflush.c
		gnu/dist/sendmail/libsm/local.h
		gnu/dist/sendmail/libsm/refill.c

	To update from CVS, re-build, and re-install sendmail:

		# cd src
		# cvs update -d -P -r <branch_name> gnu/dist/sendmail
		# cd gnu/usr.sbin/sendmail
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 2.*:

	Systems running NetBSD 2.* sources dated from before
	2006-03-23 should be upgraded from NetBSD 2.* sources dated
	2006-03-24 or later.

	The following files need to be updated from the
	netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:
		gnu/dist/sendmail/sendmail/collect.c
		gnu/dist/sendmail/sendmail/conf.c
		gnu/dist/sendmail/sendmail/deliver.c
		gnu/dist/sendmail/sendmail/headers.c
		gnu/dist/sendmail/sendmail/mime.c
		gnu/dist/sendmail/sendmail/parseaddr.c
		gnu/dist/sendmail/sendmail/savemail.c
		gnu/dist/sendmail/sendmail/sendmail.h
		gnu/dist/sendmail/sendmail/sfsasl.c
		gnu/dist/sendmail/sendmail/sfsasl.h
		gnu/dist/sendmail/sendmail/srvrsmtp.c
		gnu/dist/sendmail/sendmail/tls.c 
		gnu/dist/sendmail/sendmail/usersmtp.c
		gnu/dist/sendmail/sendmail/util.c
		gnu/dist/sendmail/sendmail/version.c
		gnu/dist/sendmail/libsm/fflush.c
		gnu/dist/sendmail/libsm/local.h
		gnu/dist/sendmail/libsm/refill.c

	To update from CVS, re-build, and re-install sendmail:

		# cd src
		# cvs update -d -P -r <branch_name> gnu/dist/sendmail
		# cd gnu/usr.sbin/sendmail
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install



Thanks To
=========

CERT for notification and co-ordination of the issue.
Sendmail Consortium for supplying the patches to address the issue.
Christos Zoulas for implementing the fixes.

Revision History
================

	2006-03-29	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2006, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2006-010.txt,v 1.5 2006/03/29 19:52:50 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (NetBSD)

iQCVAwUBRCsC3D5Ru2/4N2IFAQLgswQAyWsnHHM017c4NP0vvPh6hKn/MYjpZGB7
1meGsumrd3JsPUj4j30GR3RXeqw2Kf0RGOrnwz7aIVibXdX05jxjl+8GpBSU2xkI
eZ//s8n7gIe3gvaOTpqLRdBo6mi9aGY0BZhHA7ZoHsW2cQ7JZXnhdl3QzJ3qUQaA
D8pG/zZ/cMc=
=1u2y
-----END PGP SIGNATURE-----