From owner-freebsd-bugs Thu Nov 25 5:40: 4 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 0EEFB14E0E for ; Thu, 25 Nov 1999 05:40:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id FAA58660; Thu, 25 Nov 1999 05:40:00 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 7850514E0F for ; Thu, 25 Nov 1999 05:30:23 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id FAA11993 for ; Thu, 25 Nov 1999 05:30:22 -0800
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda11991; Thu Nov 25 05:30:18 1999
Received: (from cy@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id FAA06829; Thu, 25 Nov 1999 05:30:16 -0800 (PST)
Message-Id: <199911251330.FAA06829@cwsys.cwsent.com>
Date: Thu, 25 Nov 1999 05:30:16 -0800 (PST)
From: Cy.Schubert@uumail.gov.bc.ca
Reply-To: Cy.Schubert@uumail.gov.bc.ca
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/15088: Sendmail 8.9.3 Patch
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 15088
>Category: bin
>Synopsis: Sendmail patch
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 25 05:40:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Cy Schubert
>Release: FreeBSD 3.3-STABLE i386
>Organization: ITSD Province of BC
>Environment:
FreeBSD cwsys 3.3-STABLE FreeBSD 3.3-STABLE #0: Wed Nov 24 18:59:43 PST 1999 root@:/opt2/cvs-330S/src/sys/compile/CWSYS i386
>Description:
The following was posted on bugtraq:

Date: Mon, 22 Nov 1999 23:48:17 -0800
Reply-To: Gregory Neil Shapiro
Sender: Bugtraq List
From: Gregory Neil Shapiro
Subject: Re: Sendmail 8.x.x - any user may rebuild aliases database
X-To: Michal Zalewski
X-cc: BUGTRAQ@SECURITYFOCUS.COM, sendmail-bugs@sendmail.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:
X-UIDL: d3d08b1a16cd01ca35681b18bae9ed46

-----BEGIN PGP SIGNED MESSAGE-----

lcamtuf> Sendmail up to recent 8.9.x versions - any user may pass -bi
lcamtuf> parameter to /usr/sbin/sendmail. This will result in aliases
lcamtuf> database rebuild. IMHO there's no reason to allow such things, but
lcamtuf> no matter - something rather stupid is done during rebuild:

lcamtuf> 5366 open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6

lcamtuf> What a bad luck! There's approx 0.1 sec delay due to /etc/aliases
lcamtuf> processing (on my system). Meantime, luser might deliver any
lcamtuf> signals to sendmail process... SIGKILL is quite good. After that,
lcamtuf> /etc/aliases.db will be left in unusable state (no EOF marker),
lcamtuf> causing DoS:

Thank you for bringing this to our attention. We have limited the
newaliases command to root and trusted users for 8.10.0.Beta7. We have
also deprecated the AutoRebuildAliases option since if set, a similar
attack may be possible. We intend to remove the AutoRebuildAliases
functionality in a future version.

I've included a patch against sendmail 8.9.3 for those who want to protect
against this denial of service attack.

As always, we encourage mailing bug reports, including documentation or
release notes bugs, to sendmail-bugs@sendmail.org. Security issues can be
mailed to sendmail-security@sendmail.org and encrypted with the
sendmail-security@sendmail.org PGP key:

Type Bits KeyID      Created    Expires    Algorithm Use
pub  1024 0x16F4CCE9 1999-06-23 ---------- RSA       Sign & Encrypt
uid  Sendmail Security

The sendmail 8.9.3 patch:

--- main.c~orig Sat Jan 9 15:31:13 1999 +++ main.c Wed Nov 17 19:04:44 1999
@@ -984,6 +984,18 @@ usrerr("Permission denied"); finis(FALSE, EX_USAGE); } + if (OpMode == MD_INITALIAS && + RealUid != 0 && + RealUid != TrustedUid && + !wordinclass(RealUserName, 't')) + { + if (LogLevel > 1) + sm_syslog(LOG_ALERT, NOQID, + "user %d attempted to rebuild the alias map", + RealUid); + usrerr("Permission denied"); + finis(FALSE, EX_USAGE); + } if (MeToo) BlankEnvelope.e_flags |= EF_METOO;

>How-To-Repeat:
See description.
>Fix:
See patch posted by Gregory Shapiro of sendmail.org to BUGTRAQ above.
It would be nice to have this committed before 3.4 is released. You
may wish to remove the AutoRebuildAliases option too.
>Release-Note:
>Audit-Trail:
>Unformatted:
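
Review bot: in the added MD_INITALIAS block, the sm_syslog() call is guarded by "if (LogLevel > 1)", so a site running at a lower LogLevel refuses the rebuild with no audit record at all; since this is a LOG_ALERT for a denied privileged operation, consider logging it unconditionally. In the same call, RealUid is passed to a %d conversion without a cast, which is only correct if RealUid is an int; an explicit (int) cast would make that safe. RealUserName is already used in the condition just above and could be logged alongside the uid to save a lookup during triage. Using EX_USAGE for a permission failure matches the context lines above the hunk, so that part is consistent with the surrounding code.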
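
Added example (not part of the original PR or the sendmail patch): a shell function that tallies, per uid, the alert the patched check writes when a non-root, non-trusted user is refused an alias rebuild. The message text is taken from the patch's sm_syslog() call, which only logs when LogLevel > 1; the function names, the sample log lines and the host name "mailhost" are constructed for illustration.

```shell
#!/bin/sh
# Added example: count refused alias-rebuild attempts per uid in a syslog stream.
# Only the message body from the patch is matched, because the syslog prefix
# (timestamp, host, sendmail[pid]) differs between systems.

alias_rebuild_attempts() {
    # Reads log lines on stdin; prints "<uid> <count>" per uid, sorted by uid.
    awk '
        match($0, /user [0-9]+ attempted to rebuild the alias map/) {
            msg = substr($0, RSTART, RLENGTH)   # just the matched message
            split(msg, f, " ")                  # f[2] is the numeric uid
            count[f[2]]++
        }
        END { for (u in count) print u, count[u] }
    ' | sort -n
}

# Constructed sample input (not real log data).
sample_log() {
    cat <<'EOF'
Nov 25 05:31:02 mailhost sendmail[6901]: user 1001 attempted to rebuild the alias map
Nov 25 05:31:03 mailhost sendmail[6902]: user 1001 attempted to rebuild the alias map
Nov 25 05:31:09 mailhost sendmail[6907]: FAA06907: from=a@example.org, size=512, nrcpts=1
Nov 25 05:32:40 mailhost sendmail[6915]: user 1007 attempted to rebuild the alias map
Nov 25 05:33:00 mailhost sendmail[6920]: alias database /etc/aliases rebuilt by root
EOF
}

sample_log | alias_rebuild_attempts
```

On a live system, feed the function the file your syslog configuration writes mail messages to instead of sample_log.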