Bugtraq mailing list archives

Re: Sendmail 8.6.9 security hole


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Thu, 23 Feb 1995 06:49:08 -0500


Does anybody know details of the security hole(s) in 8.6.9 fixed in
8.6.10?

I intend to diff 8.6.10 against what I'm currently running, to see.
But the reason for this post is to point out a problem that should
concern anyone who turns on the ident code: it may not work.  daemon.c
contains the following sequence:

        /* send query */
        if (write(s, hbuf, strlen(hbuf)) < 0)
                goto closeident;

        /* get result */
        i = read(s, hbuf, sizeof hbuf);
        (void) close(s);

This is broken because it assumes that a single read() will pick up the
entire response.  Thus, if you use this, your sendmail may well fail to
get the reply from the daemon, even if the daemon is non-hostile and
correctly functioning.  I've sent a note to sendmail () cs berkeley edu
about this; if you want to patch it in your copy, dropping this loop
inline in place of the read() should do it:

         { int left;            /* bytes of hbuf still free */
           char *hbp;           /* next free position in hbuf */
           int n;
           hbp = &hbuf[0];
           left = sizeof(hbuf);
           while (1)
            { if (left == 0)    /* buffer full: stop instead of a 0-byte read */
               { i = hbp - &hbuf[0];
                 break;
               }
              n = read(s,hbp,left);
              if (n < 0)        /* read error: report it as the old code did */
               { i = -1;
                 break;
               }
              if (n == 0)       /* EOF: daemon closed, the whole reply is in */
               { i = hbp - &hbuf[0];
                 break;
               }
              hbp += n;
              left -= n;
            }
         }

It's true that sendmail will fail in the correct direction - discarding
valid information is better than believing trash - but still, throwing
away useful security traceback info because someone was too lazy to
write a proper loop to read from the net is pretty bogus.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
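
The failure the post describes, as an added example that is not from the post or from sendmail: a constructed ident "server" (forked in-process over a socketpair) sends an ident-style reply in two writes 200 ms apart, and fetch() shows that a single read(), as in the 8.6.9 code, returns only the first piece, while the read-until-EOF loop in read_reply() collects the whole reply. The reply text, the split point and the pause are constructed for the demo.

```c
#include <errno.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed ident reply; the fake server deliberately sends it in two pieces. */
static const char PART1[] = "25 , 1234 : USERID : UNIX : ";
static const char PART2[] = "mouse\r\n";
/* Read until the peer closes, the buffer is full, or a real error occurs.
 * Returns the number of bytes collected, or -1 on error. */
static ssize_t read_reply(int fd, char *buf, size_t cap)
{
    size_t got = 0;
    while (got < cap) {
        ssize_t n = read(fd, buf + got, cap - got);
        if (n < 0) {
            if (errno == EINTR) continue;    /* interrupted by a signal: retry */
            return -1;
        }
        if (n == 0) break;                   /* EOF: the whole reply has arrived */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Fork a fake ident server: write PART1, pause 200 ms, write PART2, close.  The
 * parent reads with one read() (loop == 0) or read_reply() (loop != 0). */
static ssize_t fetch(int loop, char *buf, size_t cap)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                          /* child: the ident "server" */
        struct timeval pause = { 0, 200000 };
        close(sv[0]);
        if (write(sv[1], PART1, sizeof PART1 - 1) < 0) _exit(1);
        select(0, NULL, NULL, NULL, &pause); /* portable 200 ms sleep */
        if (write(sv[1], PART2, sizeof PART2 - 1) < 0) _exit(1);
        close(sv[1]);
        _exit(0);
    }
    close(sv[1]);
    ssize_t got = loop ? read_reply(sv[0], buf, cap) : read(sv[0], buf, cap);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return got;
}
```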