Subject: NetBSD Security Advisory 2001-017: sendmail(8) incorrect command line argument check
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: tech-security
Date: 09/06/2001 10:03:49
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2001-017
=================================
Topic: sendmail(8) incorrect command line argument check leads to
local root privilege compromise
Version: NetBSD-current: source prior to August 22, 2001
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4 branch: not-affected
pkgsrc: sendmail prior to 8.11.6
Severity: Local root compromise
Fixed: NetBSD-current: August 21, 2001
NetBSD-1.5 branch: August 22, 2001
pkgsrc: sendmail-8.11.6
Abstract
========
The following text is from sendmail 8.11.6 release note:
SECURITY: Fix a possible memory access violation when specifying
out-of-bounds debug parameters. Problem detected by
Cade Cairns of SecurityFocus.
Technical Details
=================
Certain variables were treated as signed values, but should have been
unsigned. Bounds checking was not done when incrementing an index.
Combined with supplied command-line arguments, a local user could
exploit the setuid-root sendmail binary and the lack of bounds checking
to perform a root compromise.
Solutions and Workarounds
=========================
If your system is running a sendmail version between 8.10.0 to 8.11.5,
your system is vulnerable. Sendmail 8.11.6 is safe. Check
/usr/libexec/sendmail/sendmail.
After the upgrade of the binary file, be sure to restart any instances
of a sendmail daemon running on your system.
* All NetBSD releases using sendmail from pkgsrc between 8.10.0 and 8.11.5:
If you are using sendmail from pkgsrc, upgrade to the
following, or later:
sendmail-8.11.6
* NetBSD-current:
Systems running NetBSD-current dated from before 2001-08-21
should be upgraded to NetBSD-current dated 2001-08-22 or later.
The following directory needs to be updated from the
netbsd-current CVS branch (aka HEAD):
gnu/dist/sendmail
gnu/usr.sbin/sendmail
To update from CVS, re-build, and re-install sendmail:
# cd /usr/src/gnu
# cvs update -d -P dist/sendmail usr.sbin/sendmail
# cd usr.sbin/sendmail
# make cleandir all install
Alternatively, apply the following patch (with potential offset
differences) and rebuild & re-install sendmail:
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-017-sendmail.patch
To patch, re-build and re-install sendmail
# cd /usr/src
# patch < /path/to/SA2001-017-sendmail.patch
# cd gnu/usr.sbin/sendmail
# make cleandir all install
* NetBSD 1.5, 1.5.1
Systems running NetBSD releases on netbsd 1.5 branch (1.5 and 1.5.1)
should be upgraded to NetBSD 1.5 branch dated 2001-08-23 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
gnu/dist/sendmail
gnu/usr.sbin/sendmail
To update from CVS, re-build, and re-install sendmail:
# cd /usr/src/gnu
# cvs update -d -P -r netbsd-1-5 dist/sendmail usr.sbin/sendmail
# cd usr.sbin/sendmail
# make cleandir all install
Alternatively, apply the following patch (with potential offset
differences):
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-017-sendmail.patch
To patch, re-build and re-install sendmail
# cd /usr/src
# patch < /path/to/SA2001-017-sendmail.patch
# cd gnu/usr.sbin/sendmail
# make cleandir all install
Thanks To
=========
Jun-ichiro itojun Hagino for patches.
Cade Cairns of SecurityFocus for discovering the issue.
Revision History
================
2001-09-06 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-017.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2001-017.txt,v 1.8 2001/09/06 14:46:04 david Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBO5eQbD5Ru2/4N2IFAQHh7wP6AoAVVkseqJCW0ig3n1RGOOGRHWyJ4Je/
qgRO6x0vWEJpIp32fIILQtTLAl2dimrJSi6ApBdl0/7d4EBo4l+rnELbI0sKJaj2
vcxgrhsL6rtUfhW8/qH9Gwr106sy78OMTuHrElEBrwuoy+T1XqTcXJGOwR1Rp1py
BWbKwI4jGws=
=1y/j
-----END PGP SIGNATURE-----