Subject: NetBSD Security Advisory 2001-017: sendmail(8) incorrect command line argument check
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: tech-security
Date: 09/06/2001 10:03:49
-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2001-017
                 =================================

Topic:		sendmail(8) incorrect command line argument check leads to
		local root privilege compromise

Version:	NetBSD-current:		source prior to August 22, 2001
		NetBSD-1.5.1:		affected
		NetBSD-1.5:		affected
		NetBSD-1.4 branch:	not-affected
		pkgsrc:		        sendmail prior to 8.11.6

Severity:	Local root compromise

Fixed:		NetBSD-current:		August 21, 2001
		NetBSD-1.5 branch:	August 22, 2001
		pkgsrc:		        sendmail-8.11.6


Abstract
========

The following text is from sendmail 8.11.6 release note:

SECURITY: Fix a possible memory access violation when specifying
out-of-bounds debug parameters.  Problem detected by
Cade Cairns of SecurityFocus.


Technical Details
=================

Certain variables were treated as signed values, but should have been
unsigned.  Bounds checking was not done when incrementing an index.

Combined with supplied command-line arguments, a local user could
exploit the setuid-root sendmail binary and the lack of bounds checking
to perform a root compromise.
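
The bug class described above (a signed index and a missing lower-bound
check), shown next to a hardened form. This is an added illustration, not
code from sendmail or from the NetBSD patch; VEC_SIZE, flags[] and all
function names are assumptions made for the example, and it assumes a
32-bit int.

```c
#define VEC_SIZE 100    /* constructed size; illustrative code, not sendmail's */
static unsigned char flags[VEC_SIZE];

/* Digit accumulator that wraps like a signed int would (32-bit int assumed).
 * Summed unsigned and converted at the end to avoid real signed overflow. */
static int parse_wrapping(const char **s)
{
    unsigned int v = 0;
    while (**s >= '0' && **s <= '9')
        v = v * 10u + (unsigned int)(*(*s)++ - '0');
    return (int)v;                    /* very large input comes out negative */
}

/* Flawed pattern: signed indices, only `last` clamped, then
 *     while (first <= last) flags[first++] = level;
 * Nothing is stored here; stores that would land below flags[0] are counted. */
long unchecked_oob_stores(const char *spec)
{
    int first = parse_wrapping(&spec), last = first;
    if (*spec == '-') { spec++; last = parse_wrapping(&spec); }
    if (last >= VEC_SIZE) last = VEC_SIZE - 1;      /* upper bound only */
    if (first > last || first >= 0) return 0;
    return (long)(last < 0 ? last : -1) - (long)first + 1;
}

/* Overflow-safe parse: fails on no digits or on any value >= VEC_SIZE. */
static int parse_bounded(const char **s, unsigned int *out)
{
    const char *start = *s;
    unsigned int v = 0;
    while (**s >= '0' && **s <= '9') {
        v = v * 10u + (unsigned int)(*(*s)++ - '0');
        if (v >= VEC_SIZE) return -1; /* reject long before v can wrap */
    }
    if (*s == start) return -1;
    *out = v;
    return 0;
}

/* Hardened: unsigned indices, both ends bounded; returns slots written or -1. */
int set_range_checked(const char *spec, unsigned char level)
{
    unsigned int first, last, n = 0;
    if (parse_bounded(&spec, &first) != 0) return -1;
    last = first;
    if (*spec == '-') { spec++; if (parse_bounded(&spec, &last) != 0) return -1; }
    if (*spec != '\0' || first > last) return -1;
    for (; first <= last; first++, n++) flags[first] = level;
    return (int)n;
}
```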


Solutions and Workarounds
=========================

If your system is running a sendmail version between 8.10.0 and 8.11.5,
your system is vulnerable.  Sendmail 8.11.6 is safe.  Check
/usr/libexec/sendmail/sendmail.

After the upgrade of the binary file, be sure to restart any instances
of a sendmail daemon running on your system.

* All NetBSD releases using sendmail from pkgsrc between 8.10.0 and 8.11.5:

	If you are using sendmail from pkgsrc, upgrade to the
	following, or later:
                sendmail-8.11.6


* NetBSD-current:

	Systems running NetBSD-current dated from before 2001-08-21
	should be upgraded to NetBSD-current dated 2001-08-22 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                gnu/dist/sendmail
		gnu/usr.sbin/sendmail

        To update from CVS, re-build, and re-install sendmail:
                # cd /usr/src/gnu
                # cvs update -d -P dist/sendmail usr.sbin/sendmail
		# cd usr.sbin/sendmail
                # make cleandir all install


        Alternatively, apply the following patch (with potential offset 
        differences) and rebuild & re-install sendmail:
                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-017-sendmail.patch

        To patch, re-build and re-install sendmail:
                # cd /usr/src
                # patch < /path/to/SA2001-017-sendmail.patch
		# cd gnu/usr.sbin/sendmail
                # make cleandir all install    


* NetBSD 1.5, 1.5.1:

        Systems running NetBSD releases on the NetBSD 1.5 branch (1.5 and
        1.5.1) should be upgraded to NetBSD 1.5 branch dated 2001-08-23 or later.

        The following directories need to be updated from the
        netbsd-1-5 CVS branch:
                gnu/dist/sendmail
		gnu/usr.sbin/sendmail

        To update from CVS, re-build, and re-install sendmail:
                # cd /usr/src/gnu
                # cvs update -d -P -r netbsd-1-5 dist/sendmail usr.sbin/sendmail
		# cd usr.sbin/sendmail
                # make cleandir all install


        Alternatively, apply the following patch (with potential offset
        differences):
                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-017-sendmail.patch

        To patch, re-build and re-install sendmail:
                # cd /usr/src
                # patch < /path/to/SA2001-017-sendmail.patch
		# cd gnu/usr.sbin/sendmail
                # make cleandir all install    


Thanks To
=========

Jun-ichiro itojun Hagino for patches.

Cade Cairns of SecurityFocus for discovering the issue.


Revision History
================

	2001-09-06      Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-017.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-017.txt,v 1.8 2001/09/06 14:46:04 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO5eQbD5Ru2/4N2IFAQHh7wP6AoAVVkseqJCW0ig3n1RGOOGRHWyJ4Je/
qgRO6x0vWEJpIp32fIILQtTLAl2dimrJSi6ApBdl0/7d4EBo4l+rnELbI0sKJaj2
vcxgrhsL6rtUfhW8/qH9Gwr106sy78OMTuHrElEBrwuoy+T1XqTcXJGOwR1Rp1py
BWbKwI4jGws=
=1y/j
-----END PGP SIGNATURE-----