From owner-freebsd-security Wed Jan 22 09:47:25 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA16348 for security-outgoing; Wed, 22 Jan 1997 09:47:25 -0800 (PST)
Received: from nic.follonett.no (nic.follonett.no [194.198.43.10]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA16314; Wed, 22 Jan 1997 09:47:07 -0800 (PST)
Received: (from uucp@localhost) by nic.follonett.no (8.8.3/8.8.3) with UUCP id SAA08172; Wed, 22 Jan 1997 18:41:08 +0100 (MET)
Received: from oo7 (oo7.dimaga.com [192.0.0.65]) by dimaga.com (8.7.5/8.7.2) with SMTP id SAA17586; Wed, 22 Jan 1997 18:41:52 +0100 (MET)
Message-Id: <3.0.32.19970122184152.00b7eec0@dimaga.com>
X-Sender: eivind@dimaga.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 22 Jan 1997 18:41:54 +0100
To: Dave Andersen
From: Eivind Eklund
Subject: Re: FWIW
Cc: Jaye Mathisen , hackers@freebsd.org, security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

At 09:33 AM 1/22/97 -0700, Dave Andersen wrote:
>
>> From: Eivind Eklund
>>
>> At 01:55 PM 1/21/97 -0800, Jaye Mathisen wrote:
>> >
>> >
>> >8.8.5 of sendmail is out, apparently fixing some nasty security bug in
>> >8.8.3 and 8.8.4. Since 8.8.4 is in the tree, we should upgrade ASAP.
>>
>> The security bug is reasonably minor; it is a question of not giving up
>> group rights in some cases. The problem has been present quite a while (if
>> it is the problem the description made it sound like), since 8.7.0 or
>> something.

Well, this was what I was informed. If I'd read BugTraq before reading
freebsd-hackers, I would have known better. There is a MIME overflow bug -
which at least some lints (flexelint, for sure) would have caught. A patch
is included below.

BTW: How do people feel about making FreeBSD (or at least the header files)
flexelint clean?
I could do the actual work (starting in a few weeks, as soon as I get my
non-work machine home), but it would take a _LOT_ of commits, involving
mainly comment addition to suppress warnings. (flexelint uses control
comments to suppress warnings.) Real code changes would only happen in those
cases where bugs were uncovered.

>> (Not that we shouldn't fix it, but I'm not too concerned about it. Since
>> you are concerned, perhaps you should upgrade the port? :)
>
> You should be. :) Sendmail 8.8.5 fixes a remotely exploitable buffer
>overflow that (you guessed it) can let an outsider have root access to
>your system. A local account is not required to take advantage of this
>hole.

I don't have to - I'm running an older version with only the bugfixes from
newer versions, to avoid this kind of surprise. :) (In addition my host is
firewalled, receiving all mail by UUCP from another secure host. Only DNS is
available below 1024.)

> (If you haven't upgraded to 8.8.5 yet, you should. Don't bother waiting
>for it to make it in to the tree. Sendmail 8.8.5 is available from
>ftp.sendmail.org and ftp.cert.org).

Patch for the serious bug (which is there, right enough, in 8.8.4, and
probably 8.8.3):

diff -r -c sendmail-8.8.4/src/mime.c sendmail-8.8.5/src/mime.c *** sendmail-8.8.4/src/mime.c Sun Nov 24 07:27:26 1996 --- sendmail-8.8.5/src/mime.c Tue Jan 14 17:21:22 1997 *************** *** 36,42 **** # include #ifndef lint ! static char sccsid[] = "@(#)mime.c 8.51 (Berkeley) 11/24/96"; #endif /* not lint */ /* --- 36,42 ---- # include #ifndef lint ! static char sccsid[] = "@(#)mime.c 8.54 (Berkeley) 1/14/97"; #endif /* not lint */ /* *************** *** 958,967 **** register char *p; char *cte; char **pvp; - u_char *obp; u_char *fbufp; char buf[MAXLINE]; - u_char obuf[MAXLINE + 1]; u_char fbuf[MAXLINE + 1]; char pvpbuf[MAXLINE]; extern u_char MimeTokenTab[256]; --- 958,965 ---- *************** *** 1045,1053 **** c2 = CHAR64(c2); *fbufp = (c1 << 2) | ((c2 & 0x30) >> 4); ! 
if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || *--fbufp != '\r') fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); --- 1043,1052 ---- c2 = CHAR64(c2); *fbufp = (c1 << 2) | ((c2 & 0x30) >> 4); ! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || ! (fbufp > fbuf && *--fbufp != '\r')) fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); *************** *** 1057,1065 **** continue; c3 = CHAR64(c3); *fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2); ! if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || *--fbufp != '\r') fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); --- 1056,1065 ---- continue; c3 = CHAR64(c3); *fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2); ! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || ! (fbufp > fbuf && *--fbufp != '\r')) fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); *************** *** 1069,1103 **** continue; c4 = CHAR64(c4); *fbufp = ((c3 & 0x03) << 6) | c4; ! if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || *--fbufp != '\r') fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); fbufp = fbuf; } } - - /* force out partial last line */ - if (fbufp > fbuf) - { - *fbufp = '\0'; - putline((char *) fbuf, mci); - } } else { /* quoted-printable */ ! obp = obuf; while (fgets(buf, sizeof buf, e->e_dfp) != NULL) { ! if (mime_fromqp((u_char *) buf, &obp, 0, &obuf[MAXLINE] - obp) == 0) continue; ! putline((char *) obuf, mci); ! obp = obuf; } } if (tTd(43, 3)) printf("\t\t\tmime7to8 => %s to 8bit done\n", cte); --- 1069,1105 ---- continue; c4 = CHAR64(c4); *fbufp = ((c3 & 0x03) << 6) | c4; ! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || ! (fbufp > fbuf && *--fbufp != '\r')) fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); fbufp = fbuf; } } } else { /* quoted-printable */ ! fbufp = fbuf; while (fgets(buf, sizeof buf, e->e_dfp) != NULL) { ! 
if (mime_fromqp((u_char *) buf, &fbufp, 0, ! &fbuf[MAXLINE] - fbufp) == 0) continue; ! putline((char *) fbuf, mci); ! fbufp = fbuf; } + } + + /* force out partial last line */ + if (fbufp > fbuf) + { + *fbufp = '\0'; + putline((char *) fbuf, mci); } if (tTd(43, 3)) printf("\t\t\tmime7to8 => %s to 8bit done\n", cte); Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/
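Review bot: the overflow fix in the 1045,1053 hunk is the one-token change from `fbuf >= &fbuf[MAXLINE]` to `fbufp >= &fbuf[MAXLINE]`; the old test compared the array's base address with its own end, so it could never be true, the line was only flushed on a decoded '\n', and a base64 body line whose decoded data contained no newline kept writing past fbuf[MAXLINE]. The same block, including the new `fbufp > fbuf &&` guard that stops the CR look-back from reading and then writing fbuf[-1] when the buffer holds only "\n", is repeated verbatim in the 1057,1065 and 1069,1103 hunks; it would be worth factoring the three copies into one macro or static function so the next fix does not have to be applied three times. Note also that the corrected test fires when fbufp reaches &fbuf[MAXLINE], after which `*fbufp = '\0'` writes fbuf[MAXLINE]; that is in bounds only because fbuf is declared `u_char fbuf[MAXLINE + 1]`, and a comment at the declaration saying so would keep someone from trimming the `+ 1` later.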
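Review bot: the 1069,1103 hunk changes behaviour beyond the overflow fix and the change description should say so: the "force out partial last line" block is moved from inside the base64 branch to after the if/else, so a quoted-printable body whose final fgets() line left mime_fromqp() returning 0 with data in the buffer (fbufp > fbuf after the loop) is now written out, where in 8.8.4 the obuf contents were never handed to putline(). Folding obuf/obp into fbuf/fbufp is fine because the hunk resets `fbufp = fbuf;` before the quoted-printable loop; the remaining-space argument `&fbuf[MAXLINE] - fbufp` then starts at MAXLINE and only shrinks across a `continue`, which is the case the old code had to get right as well.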
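The two versions of the bounds check side by side, as an added example that is not sendmail's code and not part of this message: a constructed stand-in for the base64 loop in mime7to8() that can be run with either the 8.8.4 or the 8.8.5 test. Assumptions: MAXLINE is shrunk from sendmail's 2048 to 16 so that a short input fills the buffer; fbuf is carved out of a larger backing array with guard bytes on both sides so out-of-bounds writes can be measured instead of corrupting the stack; the byte just below fbuf is preset to '\r' to make the look-back underflow visible; the three base64 inputs are constructed; char64(), track(), putline() and decode_line() are this example's own helpers, not sendmail's.

```c
/* Constructed demo of the mime7to8() base64 line reassembly, not sendmail's code.
 * 8.8.4 compared the array base with its end (never true); 8.8.5 compares the
 * write pointer and guards the CR look-back against stepping below fbuf. */
#include <stdio.h>
#include <string.h>

#define MAXLINE 16   /* assumption: sendmail uses 2048, shrunk for the demo */
#define LEAD    8    /* guard bytes before fbuf, so an underflow write is observable */
#define SLACK   64   /* guard bytes after fbuf, so an overrun write is observable */

/* constructed inputs: 48 'A' bytes with no newline; a bare "\n"; a bare "\r\n" */
#define B64_LONG "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB" "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
#define B64_LF   "Cg=="
#define B64_CRLF "DQo="

struct result {
    int lines;     /* lines handed to putline() */
    int last_len;  /* length of the last line handed to putline() */
    int min_off;   /* lowest offset from fbuf written (negative = underflow) */
    int max_off;   /* highest offset from fbuf written (> MAXLINE = overrun) */
};

struct state {
    unsigned char backing[LEAD + MAXLINE + 1 + SLACK];
    unsigned char *fbuf, *fbufp;
    int fixed;     /* 0: 8.8.4 logic, 1: 8.8.5 logic */
    struct result r;
};

static int char64(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;     /* '=' padding, NUL or junk ends the line */
}

static void track(struct state *s, const unsigned char *p)
{
    int off = (int)(p - s->fbuf);
    if (off < s->r.min_off) s->r.min_off = off;
    if (off > s->r.max_off) s->r.max_off = off;
}

static void putline(struct state *s)   /* stand-in for sendmail's putline() */
{
    s->r.lines++;
    s->r.last_len = (int)strlen((char *)s->fbuf);
}

/* Store one decoded byte, then the end-of-line / buffer-full test from mime7to8(). */
static void emit(struct state *s, unsigned char byte)
{
    unsigned char *fbuf = s->fbuf, *p;
    int keep;

    track(s, s->fbufp);
    *s->fbufp = byte;
    /* 8.8.4: fbuf >= &fbuf[MAXLINE] can never hold (a lint flags this);
     * 8.8.5: fbufp >= &fbuf[MAXLINE] fires when the buffer is full. */
    if (*s->fbufp++ == '\n' ||
        (s->fixed ? s->fbufp >= &fbuf[MAXLINE] : fbuf >= &fbuf[MAXLINE])) {
        p = s->fbufp - 1;
        if (*p != '\n')
            keep = 1;
        else if (s->fixed)
            keep = (p > fbuf && *--p != '\r');  /* 8.8.5: never look below fbuf */
        else
            keep = (*--p != '\r');             /* 8.8.4: reads fbuf[-1] on a bare "\n" */
        if (keep)
            p++;
        track(s, p);
        *p = '\0';
        putline(s);
        s->fbufp = fbuf;
    }
}

/* Decode one base64 body line with either version of the check and report what happened. */
struct result decode_line(const char *b64, int fixed)
{
    struct state s;

    memset(&s, 0, sizeof s);
    s.fbuf = s.fbufp = s.backing + LEAD;
    s.fixed = fixed;
    s.backing[LEAD - 1] = '\r';   /* assumed stale stack byte: makes the 8.8.4 underflow write visible */
    for (;;) {
        int c1, c2, c3, c4;
        if ((c1 = char64(*b64)) < 0) break; b64++;
        if ((c2 = char64(*b64)) < 0) break; b64++;
        emit(&s, (unsigned char)((c1 << 2) | ((c2 & 0x30) >> 4)));
        if ((c3 = char64(*b64)) < 0) break; b64++;
        emit(&s, (unsigned char)(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2)));
        if ((c4 = char64(*b64)) < 0) break; b64++;
        emit(&s, (unsigned char)(((c3 & 0x03) << 6) | c4));
    }
    if (s.fbufp > s.fbuf) {       /* force out a partial last line (both versions) */
        track(&s, s.fbufp);
        *s.fbufp = '\0';
        putline(&s);
    }
    return s.r;
}

int main(void)
{
    static const char *names[] = { "48 bytes, no newline", "bare LF", "CRLF" };
    static const char *inputs[] = { B64_LONG, B64_LF, B64_CRLF };
    int i, v;

    for (v = 0; v < 2; v++)
        for (i = 0; i < 3; i++) {
            struct result r = decode_line(inputs[i], v);
            printf("%s %-22s lines=%d last_len=%2d writes at fbuf[%d..%d]%s\n",
                   v ? "8.8.5" : "8.8.4", names[i], r.lines, r.last_len, r.min_off, r.max_off,
                   r.max_off > MAXLINE ? "  <-- overrun" : r.min_off < 0 ? "  <-- underflow" : "");
        }
    return 0;
}
```

With the 8.8.4 test the 48-byte line is handed to putline() as a single 48-byte string after writes up to fbuf[48], and the bare "\n" line writes a NUL at fbuf[-1]; with the 8.8.5 test the same 48 bytes arrive as three 16-byte lines, the CRLF case is stripped to an empty line, and nothing is written outside fbuf[0..MAXLINE]. In real sendmail the slack is whatever happens to follow fbuf on the stack, which is why the attacker-supplied base64 body made this remotely exploitable.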