Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 22 Jan 1997 18:41:54 +0100
From:      Eivind Eklund <eivind@dimaga.com>
To:        Dave Andersen <angio@aros.net>
Cc:        Jaye Mathisen <mrcpu@cdsnet.net>, hackers@freebsd.org, security@freebsd.org
Subject:   Re: FWIW 
Message-ID:  <3.0.32.19970122184152.00b7eec0@dimaga.com>

next in thread | raw e-mail | index | archive | help
At 09:33 AM 1/22/97 -0700, Dave Andersen wrote:
>
>> From: Eivind Eklund <eivind@dimaga.com>
>> 
>> At 01:55 PM 1/21/97 -0800, Jaye Mathisen wrote:
>> >
>> >
>> >8.8.5 of sendmail is out, apparently fixing some nasty security bug in
>> >8.8.3 and 8.8.4.  Since 8.8.4 is in the tree, we should upgrade ASAP.
>> 
>> The security bug is reasonably minor; it is a question of not giving up
>> group rights in some cases.  The problem has been present quite a while (if
>> it is the problem the description made it sound like), since 8.7.0 or
>> something.

Well, this was what I was informed. If I'd read BugTraq before reading
freebsd-hackers, I would have known better.  There is a MIME overflow bug -
which at least some lints (flexelint, for sure) would have caught.  A patch
is included below.

BTW: How do people feel about making FreeBSD (or at least the header files)
flexelint clean?  I could do the actual work (starting in a few weeks, as
soon as I get my non-work machine home), but it would take a _LOT_ of
commits, involving mainly comment addition to suppress warnings.
(flexelint use control comments to suppress warnings).  Real code changes
would only happen in those cases where bugs were uncovered.

>> (Not that we shouldn't fix it, but I'm not too concerned about it.  Since
>> you are concerned, perhaps you should upgrade the port? :)
>
>   You should be. :)  Sendmail 8.8.5 fixes a remotely exploitable buffer
>overflow that (you guessed it) can let an outsider have root access to
>your system.  A local account is not required to take advantage of this
>hole.

I don't have to - I'm running an older version with only the bugfixes from
newer versions, to avoid this kind of surprise. :)
(In addition my host is firewalled, recieving all mail by UUCP from another
secure host.  Only DNS is available below 1024.)

>  (If you haven't upgraded to 8.8.5 yet, you should.  Don't bother waiting
>for it to make it in to the tree.  Sendmail 8.8.5 is available from
>ftp.sendmail.org and ftp.cert.org).

Patch for the serious bug (which is there, right enough, in 8.8.4, and
probably 8.8.3):

diff -r -c sendmail-8.8.4/src/mime.c sendmail-8.8.5/src/mime.c
*** sendmail-8.8.4/src/mime.c   Sun Nov 24 07:27:26 1996
--- sendmail-8.8.5/src/mime.c   Tue Jan 14 17:21:22 1997
***************
*** 36,42 ****
  # include <string.h>

  #ifndef lint
! static char sccsid[] = "@(#)mime.c    8.51 (Berkeley) 11/24/96";
  #endif /* not lint */

  /*
--- 36,42 ----
  # include <string.h>

  #ifndef lint
! static char sccsid[] = "@(#)mime.c    8.54 (Berkeley) 1/14/97";
  #endif /* not lint */

  /*
***************
*** 958,967 ****
        register char *p;
        char *cte;
        char **pvp;
-       u_char *obp;
        u_char *fbufp;
        char buf[MAXLINE];
-       u_char obuf[MAXLINE + 1];
        u_char fbuf[MAXLINE + 1];
        char pvpbuf[MAXLINE];
        extern u_char MimeTokenTab[256];
--- 958,965 ----
***************
*** 1045,1053 ****
                        c2 = CHAR64(c2);

                        *fbufp = (c1 << 2) | ((c2 & 0x30) >> 4);
!                       if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE])
                        {
!                               if (*--fbufp != '\n' || *--fbufp != '\r')
                                        fbufp++;
                                *fbufp = '\0';
                                putline((char *) fbuf, mci);
--- 1043,1052 ----
                        c2 = CHAR64(c2);

                        *fbufp = (c1 << 2) | ((c2 & 0x30) >> 4);
!                       if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
                        {
!                               if (*--fbufp != '\n' ||
!                                   (fbufp > fbuf && *--fbufp != '\r'))
                                        fbufp++;
                                *fbufp = '\0';
                                putline((char *) fbuf, mci);
***************
*** 1057,1065 ****
                                continue;
                        c3 = CHAR64(c3);
                        *fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
!                       if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE])
                        {
!                               if (*--fbufp != '\n' || *--fbufp != '\r')
                                        fbufp++;
                                *fbufp = '\0';
                                putline((char *) fbuf, mci);
--- 1056,1065 ----
                                continue;
                        c3 = CHAR64(c3);
                        *fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
!                       if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
                        {
!                               if (*--fbufp != '\n' ||
!                                   (fbufp > fbuf && *--fbufp != '\r'))
                                        fbufp++;
                                *fbufp = '\0';
                                putline((char *) fbuf, mci);
***************
*** 1069,1103 ****
                                continue;
                        c4 = CHAR64(c4);
                        *fbufp = ((c3 & 0x03) << 6) | c4;
!                       if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE])
                        {
!                               if (*--fbufp != '\n' || *--fbufp != '\r')
                                        fbufp++;
                                *fbufp = '\0';
                                putline((char *) fbuf, mci);
                                fbufp = fbuf;
                        }
                }
-
-               /* force out partial last line */
-               if (fbufp > fbuf)
-               {
-                       *fbufp = '\0';
-                       putline((char *) fbuf, mci);
-               }
        }
        else
        {
                /* quoted-printable */
!               obp = obuf;
                while (fgets(buf, sizeof buf, e->e_dfp) != NULL)
                {
!                       if (mime_fromqp((u_char *) buf, &obp, 0,
&obuf[MAXLINE] - obp) == 0)
                                continue;

!                       putline((char *) obuf, mci);
!                       obp = obuf;
                }
        }
        if (tTd(43, 3))
                printf("\t\t\tmime7to8 => %s to 8bit done\n", cte);
--- 1069,1105 ----
                                continue;
                        c4 = CHAR64(c4);
                        *fbufp = ((c3 & 0x03) << 6) | c4;
!                       if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
                        {
!                               if (*--fbufp != '\n' ||
!                                   (fbufp > fbuf && *--fbufp != '\r'))
                                        fbufp++;
                                *fbufp = '\0';
                                putline((char *) fbuf, mci);
                                fbufp = fbuf;
                        }
                }
        }
        else
        {
                /* quoted-printable */
!               fbufp = fbuf;
                while (fgets(buf, sizeof buf, e->e_dfp) != NULL)
                {
!                       if (mime_fromqp((u_char *) buf, &fbufp, 0,
!                                       &fbuf[MAXLINE] - fbufp) == 0)
                                continue;

!                       putline((char *) fbuf, mci);
!                       fbufp = fbuf;
                }
+       }
+
+       /* force out partial last line */
+       if (fbufp > fbuf)
+       {
+               *fbufp = '\0';
+               putline((char *) fbuf, mci);
        }
        if (tTd(43, 3))
                printf("\t\t\tmime7to8 => %s to 8bit done\n", cte);


Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.32.19970122184152.00b7eec0>