Subject: pkg/22836: updated package: mail/sendmail
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <adrianp@stindustries.net>
List: netbsd-bugs
Date: 09/17/2003 21:13:45
>Number: 22836
>Category: pkg
>Synopsis: updated package: mail/sendmail
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Wed Sep 17 21:14:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Adrian Portelli
>Release: 1.6.1
>Organization:
STIndustries
>Environment:
NetBSD homer.stindustries.org.uk 1.6.1 NetBSD 1.6.1 (HOMER) #0: Sat Aug 16 17:25:05 BST 2003 root@homer.stindustries.org.uk:/usr/src/sys/arch/i386/compile/HOMER i386
>Description:
mail/sendmail in pkgsrc is at 8.12.9 while 8.12.10 is now available from sendmail.org.
For some reason the current pkg-vulnerabilities file thinks this release has a known vulnerability. I had to force an install with ALLOW_VULNERABLE_PACKAGES=YES to get it installed.
This release fixes a known security issue with sendmail < 8.12.10.
From www.sendmail.org:
8.12.10/8.12.10 2003/09/24
SECURITY: Fix a buffer overflow in address parsing. Problem
detected by Michal Zalewski, patch from Todd C. Miller
of Courtesan Consulting.
Fix a potential buffer overflow in ruleset parsing. This problem
is not exploitable in the default sendmail configuration;
only if non-standard rulesets recipient (2), final (4), or
mailer-specific envelope recipients rulesets are used then
a problem may occur. Problem noted by Timo Sirainen.
Accept 0 (and 0/0) as valid input for set MaxMimeHeaderLength.
Problem noted by Thomas Schulz.
Add several checks to avoid (theoretical) buffer over/underflows.
Properly count message size when performing 7->8 or 8->7 bit MIME
conversions. Problem noted by Werner Wiethege.
Properly compute message priority based on size of entire message,
not just header. Problem noted by Axel Holscher.
Reset SevenBitInput to its configured value between SMTP
transactions for broken clients which do not properly
announce 8 bit data. Problem noted by Stefan Roehrich.
Set {addr_type} during queue runs when processing recipients.
Based on patch from Arne Jansen.
Better error handling in case of (very unlikely) queue-id conflicts.
Perform better error recovery for address parsing, e.g., when
encountering a comment that is too long. Problem noted by
Tanel Kokk, Union Bank of Estonia.
Add ':' to the allowed character list for bogus HELO/EHLO
checking. It is used for IPv6 domain literals. Patch from
Iwaizako Takahiro of FreeBit Co., Ltd.
Reset SASL connection context after a failed authentication attempt.
Based on patch from Rob Siemborski of CMU.
Check Berkeley DB compile time version against run time version
to make sure they match.
Do not attempt AAAA (IPv6) DNS lookups if IPv6 is not enabled
in the kernel.
When a milter adds recipients and one of them causes an error,
do not ignore the other recipients. Problem noted by
Bart Duchesne.
CONFIG: Use specified SMTP error code in mailertable entries which
lack a DSN, i.e., "error:### Text". Problem noted by
Craig Hunt.
CONFIG: Call Local_trust_auth with the correct argument. Patch
from Jerome Borsboom.
CONTRIB: Better handling of temporary filenames for doublebounce.pl
and expn.pl to avoid file overwrites, etc. Patches from
Richard A. Nelson of Debian and Paul Szabo.
MAIL.LOCAL: Fix obscure race condition that could lead to an
improper mailbox truncation if close() fails after the
mailbox is fsync()'ed and a new message is delivered
after the close() and before the truncate().
MAIL.LOCAL: If mail delivery fails, do not leave behind a
stale lockfile (which is ignored after the lock timeout).
Patch from Oleg Bulyzhin of Cronyx Plus LLC.
Portability:
Port for AIX 5.2. Thanks to Steve Hubert of University
of Washington for providing access to a computer
with AIX 5.2.
setreuid(2) works on OpenBSD 3.3. Patch from
Todd C. Miller of Courtesan Consulting.
Allow for custom definition of SMRSH_CMDDIR and SMRSH_PATH
on all operating systems. Patch from Robert Harker
of Harker Systems.
Use strerror(3) on Linux. If this causes a problem on
your Linux distribution, compile with
-DHASSTRERROR=0 and tell sendmail.org about it.
Added Files:
devtools/OS/AIX.5.2
>How-To-Repeat:
cd mail/sendmail && make show-var VARNAME=DISTFILE
>Fix:
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/mail/sendmail/Makefile,v
retrieving revision 1.62
diff -u -r1.62 Makefile
--- Makefile 2003/09/15 11:59:11 1.62
+++ Makefile 2003/09/17 21:11:41
@@ -3,7 +3,6 @@
.include "../../mail/sendmail/Makefile.common"
PKGNAME= sendmail-${DIST_VERS}
-PKGREVISION= 5
COMMENT= The well known Mail Transport Agent
MESSAGE_SRC= ${WRKDIR}/.MESSAGE_SRC
Index: Makefile.common
===================================================================
RCS file: /cvsroot/pkgsrc/mail/sendmail/Makefile.common,v
retrieving revision 1.9
diff -u -r1.9 Makefile.common
--- Makefile.common 2003/09/15 11:59:12 1.9
+++ Makefile.common 2003/09/17 21:11:41
@@ -19,7 +19,7 @@
FILESDIR?= ${.CURDIR}/../../mail/sendmail/files
PATCHDIR?= ${.CURDIR}/../../mail/sendmail/patches
-DIST_VERS= 8.12.9
+DIST_VERS= 8.12.10
MAKE_ENV+= BSD_BINOWN="${BINOWN}" BSD_BINGRP="${BINGRP}" \
BSD_MANOWN="${MANOWN}" BSD_MANGRP="${MANGRP}" \
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/mail/sendmail/distinfo,v
retrieving revision 1.12
diff -u -r1.12 distinfo
--- distinfo 2003/09/15 11:47:28 1.12
+++ distinfo 2003/09/17 21:11:41
@@ -1,7 +1,7 @@
$NetBSD: distinfo,v 1.12 2003/09/15 11:47:28 markd Exp $
-SHA1 (sendmail.8.12.9.tar.gz) = c53bb2ebe694a6f20e3d2f1dbfedc6be9409f37c
-Size (sendmail.8.12.9.tar.gz) = 1886008 bytes
+SHA1 (sendmail.8.12.10.tar.gz) = e3141713ebba36ef1ea6eb7c34603f3340dea84f
+Size (sendmail.8.12.10.tar.gz) = 1892497 bytes
SHA1 (patch-aa) = 8a4563ece8ba8cee01081d49e486393f26ee1484
SHA1 (patch-ab) = a2abf6e78772e257e2a1973e7730159ff24a91aa
SHA1 (patch-ac) = 96c19300b4188dbcbd202768eea912f675dadc27
>Release-Note:
>Audit-Trail:
>Unformatted: