Bugtraq mailing list archives
sendmail 8.8.6 Beta release available
From: jason () MASTALER COM (Jason R Mastaler)
Date: Sun, 11 May 1997 23:36:57 -0400
FTP://ftp.sendmail.org/pub/sendmail/.beta/sendmail.8.8.6.Beta3.tar.gz
MD5(sendmail.8.8.6.Beta3.tar.gz) = 1dda14acda58b1cd952f6fcd1c267f1e

A Beta release of sendmail 8.8.6 is available for public FTP. Although you cannot read the /pub/sendmail/.beta directory, you should be able to get the file.

There is also a sendmail.8.8.6.Beta3.tar.sig file in that directory; that PGP signature uses a new Sendmail distribution key that will be used for releases in the future. The key is named "Sendmail Signing Key/1997 <sendmail () Sendmail ORG>" and has fingerprint CA AE F2 94 3B 1D 41 3C 94 7B 72 5F AE 0B 6A 11. It is signed by me and by several other members of the sendmail community.

Although the RELEASE_NOTES file lists several "security" fixes, note that most of these are to handle pretty obscure cases (e.g., sites that have alias databases in world writable directories). There is one nasty DoS attack if you use long term host status, and a problem if you use the RunAsUser option with numeric values.

I'm going to be unavailable for a while, so any critical patches will be released (and signed using the Sendmail Signing Key) by Gregory Neil Shapiro, who has graciously offered to keep an eye on things in my absence. If you have any problems, please send mail to sendmail-bugs () Sendmail ORG (not to me).

The intent is to release sendmail 8.8.6 in early June.

The relevant section of RELEASE_NOTES is included.

eric

8.8.6/8.8.6 97/05/XXX
        *************************************************************
        * The extensive assistance of Gregory Neil Shapiro of WPI   *
        * in preparing this release is gratefully appreciated.      *
        * Sun Microsystems has also provided resources toward       *
        * continued sendmail development.                           *
        *************************************************************

SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open mode bits set to create a file that is a symbolic link that points nowhere. This makes it possible to create a root owned file in an arbitrary directory by inserting the symlink into a writable directory after the initial lstat(2) check determined that the file did not exist. The only verified example of a system having these odd semantics for O_EXCL and symbolic links was HP-UX prior to version 9.07. Most systems do not have the problem, since an exclusive create of a file disallows symbolic links. Systems that have been verified to NOT have the problem include AIX 3.x, *BSD, DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris, and Ultrix. This is a potential exposure on systems that have this bug and which do not have a MAILER-DAEMON alias pointing at a legitimate account, since this will cause old mail to be dropped in /var/tmp/dead.letter.

SECURITY: Problems can occur on poorly managed systems, specifically, if maps or alias files are in world writable directories. If your system has alias maps in writable directories, it is potentially possible for an attacker to replace the .db (or .dir and .pag) files by symbolic links pointing at another database; this can be used either to expose information (e.g., by pointing an alias file at /etc/spwd.db and probing for accounts), or as a denial-of-service attack (by trashing the password database). The fix disallows symbolic links entirely when rebuilding alias files or on maps that are in writable directories, and always warns on writable directories; 8.9 will probably consider writable directories to be fatal errors. This does not represent an exposure on systems that have alias files in unwritable system directories.

SECURITY: disallow .forward or :include: files that are links (hard or soft) if the parent directory (or any directory in the path) is writable by anyone other than the owner. This is similar to the previous case for user files. This change should not affect most systems, but is necessary to prevent an attacker who can write the directory from pointing such files at other files that are readable only by the owner.

SECURITY: Tighten safechown rules: many systems will say that they have a safe (restricted to root) chown even on files that are mounted from another system that allows owners to give away files. The new rules are very strict, trusting file ownership only in those few cases where the system has been verified to be at least as paranoid as necessary. However, it is possible to relax the rules to partially trust the ownership if the directory path is not world or group writable. This might allow someone who has a legitimate :include: file (referenced directly from /etc/aliases) to become another non-root user if the :include: file is in a non-writable directory on an NFS-mounted filesystem where the local system says that giveaway is denied but it is actually permitted. I believe this to be a very small set of cases. If in doubt, do not point :include: aliases at NFS-mounted filesystems.

SECURITY: When setting a numeric group id using the RunAsUser option (e.g., "O RunAsUser=10:20"), the group id would not be set. Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine. The user id was still set properly. Problem noted by Uli Pralle of the Technical University of Berlin.

Save the initial gid set for use when checking if the PrivacyOptions=restrictmailq option is set. Problem reported by Wolfgang Ley of DFN-CERT.

Make 55x reply codes to the SMTP DATA-"." be non-sticky (i.e., a failure on one message won't affect future messages to the same host).

IP source route printing had an "off by one" error that would affect any options that came after the route option. Patch from Theo de Raadt.

The "Message is too large" error didn't successfully bounce the error back to the sender. Problem reported by Stephen More of PSI; patch from Gregory Neil Shapiro of WPI.

Change SMTP status code 553 to map into Extended code 5.1.0 (instead of 5.1.3); it apparently gets used in multiple ways. Suggested by John Myers of Portola Communications.

Fix possible extra null byte generated during collection if errors occur at the beginning of the stream. Patch contributed by Andrey A. Chernov and Gregory Neil Shapiro.

Code changes to avoid possible reentrant call of malloc/free within a signal handler. Problem noted by John Beck of Sun Microsystems.

Move map initialization to be earlier so that check_relay ruleset will have the latest version of the map data. Problem noted by Paul Forgey of Metainfo; patch from Gregory Neil Shapiro.

If there are fatal errors during the collection phase (e.g., message too large) don't send the bogus message.

Avoid "cannot open xfAAA00000" messages when sending to aliases that have errors and have owner- aliases. Problem noted by Michael Barber of MTU; fix from Gregory Neil Shapiro of WPI.

Avoid null pointer dereference on illegal Boundary= parameters in multipart/mixed Content-Type: header. Problem noted by Richard Muirden of RMIT University.

Always print error messages during newaliases (-bi) even if the ErrorMode is not set to "print". Fix from Gregory Neil Shapiro.

Test mode could core dump if you did a /map lookup in an optional map that could not be opened. Based on a fix from John Beck of Sun Microsystems.

If DNS is misconfigured so that the last MX record tried points to a host that does not have an A record, but other MX records pointed to something reasonable, don't bounce the message with a "host unknown" error. Note that this should really be fixed in the zone file for the domain. Problem noted by Joe Rhett of Navigist, Inc.

If a map fails (e.g., DNS times out) on all recipient addresses, mark the message as having been tried; otherwise the next queue run will not realize that this is a second attempt and will retry immediately. Problem noted by Bryan Costales of Mercury Mail.

If the clock is set backwards, and a MinQueueAge is set, no jobs will be run until the later setting of the clock is reached. "Problem" (I use the term loosely) noted by Eric Hagberg of Morgan Stanley.

If the load average rises above the cutoff threshold (above which sendmail will not process the queue at all) during a queue run, abort the queue run immediately. Problem noted by Bryan Costales of Mercury Mail.

The variable queue processing algorithm (based on the message size, number of recipients, message precedence, and job age) was non-functional -- either the entire queue was processed or none of the queue was processed. The updated algorithm does no queue run if a single recipient zero size job will not be run.

If there is a fatal ("panic") message that will cause sendmail to die immediately, never hold the error message for future printing.

Force ErrorMode=print in -bt mode so that all errors are printed regardless of the setting of the ErrorMode option in the configuration file. Patch from Gregory Neil Shapiro.

New compile flag HASSTRERROR says that this OS has the strerror(3) routine available in one of the libraries. Use it in conf.h.

The -m (match only) flag now works on host class maps.

If class hash or btree maps are rebuilt, sendmail will now detect this and reopen the map. Previously, they could give erroneous results during a single message processing (but would recover when the next message was received).

Don't delete zero length queue files when doing queue runs until the files are at least ten minutes old. This avoids a potential race condition: the creator creates the qf file, getting back a file descriptor. The queue runner locks it and deletes it because it is zero length. The creator then writes the descriptor that is now for a disconnected file, and the job goes away. Based on a suggestion by Bryan Costales.

When determining the "validated" host name ($_ macro), do a forward (A) DNS lookup on the result of the PTR lookup and compare results. If they differ or if the PTR lookup fails, tag the address as "may be forged".

Log null connections (i.e., hosts that connect but do not do any substantive activity on the connection before disconnecting; "substantive" is defined to be MAIL, EXPN, VRFY, or ETRN).

Always permit "writes" to /dev/null regardless of the link count. This is safe because /dev/null is special cased, and no open or write is ever actually attempted. Patch from Villy Kruse of TwinCom.

If a message cannot be sent because of a 552 (exceeded storage allocation) response to the MAIL FROM:<>, and a SIZE= parameter was given, don't return the body in the bounce, since there is a very good chance that the message will double-bounce.

Fix possible line truncation if a quoted-printable had an =00 escape in the body. Problem noted by Charles Karney of the Princeton Plasma Physics Laboratory.

Notify flags (e.g., -NSUCCESS) were lost on user+detail addresses. Problem noted by Kari Hurtta of the Finnish Meteorological Institute.

The MaxDaemonChildren option wasn't applying to queue runs as documented. Note that this increases the potential denial of service problems with this option: an attacker can connect many times, and thereby lock out queue runs as well as incoming connections. If you use this option, you should run the "sendmail -bd" and "sendmail -q30m" jobs separately to avoid this attack. Failure to limit noted by Matthew Dillon of BEST Internet Communications.

Always give a message in newaliases if alias files cannot be opened instead of failing silently. Suggested by Gregory Neil Shapiro. This change makes the code match the O'Reilly book (2nd edition).

Portability:
        A/UX: from Jim Jagielski of NASA/GSFC.
        glibc: SOCK_STREAM was changed from a #define to an enum, thus breaking #ifdef SOCK_STREAM. Only option seems to be to assume SOCK_STREAM if __GNU_LIBRARY__ is defined. Problem reported by A Sun of the University of Washington.
        Solaris: use SIOCGIFNUM to get the number of interfaces on the system rather than guessing at compile time. Patch contributed by John Beck of Sun Microsystems.
        Intel Paragon: from Wendy Lin of Purdue University.
        GNU Hurd: from Miles Bader of the GNU project.
        RISC/os 4.50 from Harlan Stenn of PFCS Corporation.
        ISC Unix: wait never returns if SIGCLD signals are blocked. Unfortunately releasing them opens a race condition, but there appears to be no fix for this. Patch from Gregory Neil Shapiro.
        BIND 8.1 for IPv6 compatibility from John Kennedy.
        Solaris: a bug in strcasecmp caused characters with the high order bit set to apparently randomly match letters -- for example, $| (0233) matches "i" and "I". Problem noted by John Gregson of the University of Cambridge.
        IRIX 6.x: make Makefile.IRIX.6.2 apply to all 6.x. From Kari Hurtta.

CONFIG: Some canonification was still done for UUCP-like addresses even if FEATURE(nocanonify) was set. Problem pointed out by Brian Candler.

CONFIG: In some cases UUCP mailers wouldn't properly recognize all local names as local. Problem noted by Jeff Polk of BSDI; fix provided by Gregory Neil Shapiro.

CONFIG: The "local:user" syntax entries in mailertables and other "mailer:user" syntax locations returned an incorrect value for the $h macro. Problem noted by Gregory Neil Shapiro.

CONFIG: Retain "+detail" information when forwarding mail to a MAIL_HUB, LUSER_RELAY, or LOCAL_RELAY. Patch from Philip Guenther of Gustavus Adolphus College.

CONFIG: Make sure user+detail works for FEATURE(virtusertable); rules are the same as for aliasing. Based on a patch from Gregory Neil Shapiro.

CONFIG: Break up parsing rules into several pieces; this should have no functional change in this release, but makes it possible to have better anti-spam rulesets in the future.

CONFIG: Disallow double dots in host names to avoid having the HostStatusDirectory store status under the wrong name. In some cases this can be used as a denial-of-service attack. Problem noted by Ron Jarrell of Virginia Tech, patch from Gregory Neil Shapiro.

CONFIG: Don't use F=m (multiple recipients per invocation) for MAILER(procmail), but do pass F=Pn9 (include Return-Path:, don't include From_, and convert to 8-bit). Suggestions from Kimmo Suominen and Roderick Schertler.

CONFIG: Domains under $=M (specified with MASQUERADE_DOMAIN) were being masqueraded as though FEATURE(masquerade_entire_domain) was specified, even when it wasn't.

MAIL.LOCAL: Solaris 2.6 has snprintf. From John Beck of SunSoft.

MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't "slip in" a symbolic link between the lstat(2) call and the exclusive open. This is only a problem on System V derived systems that allow an exclusive create on files that are symbolic links pointing nowhere.

MAIL.LOCAL: If the final mailbox close() failed, the user id was not reset back to root, which on some systems would cause later mailboxes to fail. Also, any partial message would not be truncated, which could result in repeated deliveries. Problem noted by Bruce Evans via Peter Wemm (FreeBSD developers).

MAKEMAP: Handle cases where O_EXLOCK is #defined to be 0. A similar change to the sendmail map code was made in 8.8.3. Problem noted by Gregory Neil Shapiro.

MAKEMAP: Give warnings on file problems such as map files that are symbolic links; although makemap is not setuid root, it is often run as root and hence has the potential for the same sorts of problems as alias rebuilds.

CONTRIB: etrn.pl: search for Cw as well as Fw lines in sendmail.cf. Accept an optional list of arguments following the server name for the ETRN arguments to use (instead of $=w). Other miscellaneous bug fixes. From Christian von Roques via John Beck of Sun Microsystems.

CONTRIB: Add passwd-to-alias.pl, contributed by Kari Hurtta. This Perl script converts GECOS information in the /etc/passwd file into aliases, allowing for faster access to full name lookups; it is also clever about adding aliases (to root) for system accounts.

NEW FILES:
        src/safefile.c
        cf/ostype/gnuhurd.m4
        cf/ostype/irix6.m4
        contrib/passwd-to-alias.pl
        test/t_exclopen.c

RENAMED FILES:
        src/Makefiles/Makefile.IRIX.6.2 => Makefile.IRIX.6.x
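The "lstat, exclusive create, then verify what you actually opened" check from the first SECURITY item, combined with the writable-directory refusal from the .forward/:include: item, as an added C example that is not sendmail's own safefile.c or mail.local code. It assumes Linux/glibc semantics (O_NOFOLLOW, mkdtemp) and exercises the cases in a constructed scratch directory under /tmp.

```c
/* Added example, not sendmail's own safefile.c: "exclusive create, then verify
 * what you opened", plus refusing directories writable by anyone but the owner. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create dir/name exclusively. The directory must not be group- or world-writable;
 * after open(), the descriptor must be a regular, singly linked file whose
 * inode matches a fresh lstat() of the path. Returns the fd, or -1 on refusal. */
int safe_create(const char *dir, const char *name, mode_t mode)
{
    char path[4096];
    struct stat st, pre, post;
    int fd;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode) || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;                                   /* untrusted directory */
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) return -1;
    if (lstat(path, &pre) == 0 || errno != ENOENT) return -1;  /* must not exist yet */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
    if (fd < 0) return -1;
    /* Re-check after the open: catches the HP-UX-style O_EXCL-through-symlink case. */
    if (fstat(fd, &post) != 0 || lstat(path, &pre) != 0 || !S_ISREG(post.st_mode) ||
        post.st_nlink != 1 || pre.st_dev != post.st_dev || pre.st_ino != post.st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Scenario in a private mkdtemp() directory (constructed); returns 0 when every case behaves. */
int run_demo(void)
{
    char dir[] = "/tmp/safeopenXXXXXX", path[4096];
    int fd, ok = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/dead.letter", dir);
    if ((fd = safe_create(dir, "dead.letter", 0600)) >= 0) {   /* fresh file: accepted */
        close(fd);
        ok = safe_create(dir, "dead.letter", 0600) < 0            /* exists: refused */
          && unlink(path) == 0 && symlink("/nonexistent", path) == 0
          && safe_create(dir, "dead.letter", 0600) < 0            /* dangling link: refused */
          && unlink(path) == 0 && chmod(dir, 0777) == 0
          && safe_create(dir, "dead.letter", 0600) < 0;           /* writable dir: refused */
    }
    unlink(path);
    rmdir(dir);
    return ok ? 0 : 1;
}
```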