Re: sendmail 8.12.8 available

[Neil W Rickert <rickert+bt () cs niu edu>]

"Mordechai T. Abzug" <morty () frakir org> wrote:

> Question: are the header and ident issues *only* remote overflow
> problems, or is this also a local vulnerability?  Ie. if one has a
> system that doesn't run sendmail in daemon mode (-bd), but does make
> sendmail available as an SUID root binary for submission to the local
> smarthost and does run sendmail is queue-process mode (ie. -q15m), is
> the system still vulnerable?  Given that the problem is in the header
> parsing, I would expect this to be both a remote and a local problem,
> but I'd like to make sure before doing lots of upgrades.

I don't think there has been a comment on this yet.

Sendmail will only use "ident" when receiving mail on a network
connection.  There is no local exploit available there if sendmail is
not listening on the net.  Possibly a local user could invoke
"sendmail -bs" with stdin/stdout assigned to a connected socket.  In
that case there might be an ident call.

For the header problem, any buffer overflow would occur while sending
the message, not while receiving it.  Whether the message originated
locally or over the network will matter.  Thus there is a potential
problem for local exploits with an SUID sendmail binary.

In particular, if you have old sendmail binaries left around that you
haven't deleted, you should at least turn off any SUID and SGID
privileges.  Incidently that's a good practice for old disused
versions of any program.

 -NWR