From: Bruce Evans
Date: Thu, 23 Jan 1997 22:40:54 +1100
To: angio@aros.net, eivind@dimaga.com
Cc: hackers@freebsd.org, mrcpu@cdsnet.net, security@freebsd.org
Subject: Re: FWIW
Message-Id: <199701231140.WAA29120@godzilla.zeta.org.au>

>From: Eivind Eklund
>Date: Wed, 22 Jan 1997 18:41:54 +0100
>To: Dave Andersen
>Cc: Jaye Mathisen, hackers@FreeBSD.ORG, security@FreeBSD.ORG
>Subject: Re: FWIW
>Message-Id: <3.0.32.19970122184152.00b7eec0@dimaga.com>
>
>At 09:33 AM 1/22/97 -0700, Dave Andersen wrote:
>>
>>> From: Eivind Eklund
>>>
>>> At 01:55 PM 1/21/97 -0800, Jaye Mathisen wrote:
>>> >
>>> >8.8.5 of sendmail is out, apparently fixing some nasty security bug in
>>> >8.8.3 and 8.8.4. Since 8.8.4 is in the tree, we should upgrade ASAP.
>>>
>>> The security bug is reasonably minor; it is a question of not giving up
>>> group rights in some cases. The problem has been present quite a while (if
>>> it is the problem the description made it sound like), since 8.7.0 or
>>> something.
>
>Well, this was what I was informed. If I'd read BugTraq before reading
>freebsd-hackers, I would have known better. There is a MIME overflow bug -
>which at least some lints (flexelint, for sure) would have caught. A patch
>is included below.
>
>BTW: How do people feel about making FreeBSD (or at least the header files)
>flexelint clean? I could do the actual work (starting in a few weeks, as
>soon as I get my non-work machine home), but it would take a _LOT_ of
>commits, involving mainly comment addition to suppress warnings.
>(flexelint uses control comments to suppress warnings.) Real code changes
>would only happen in those cases where bugs were uncovered.
>
>>> (Not that we shouldn't fix it, but I'm not too concerned about it. Since
>>> you are concerned, perhaps you should upgrade the port? :)
>>
>> You should be. :) Sendmail 8.8.5 fixes a remotely exploitable buffer
>>overflow that (you guessed it) can let an outsider have root access to
>>your system.
A local account is not required to take advantage of this >>hole. > >I don't have to - I'm running an older version with only the bugfixes from >newer versions, to avoid this kind of surprise. :) >(In addition my host is firewalled, recieving all mail by UUCP from another >secure host. Only DNS is available below 1024.) > >> (If you haven't upgraded to 8.8.5 yet, you should. Don't bother waiting >>for it to make it in to the tree. Sendmail 8.8.5 is available from >>ftp.sendmail.org and ftp.cert.org). > >Patch for the serious bug (which is there, right enough, in 8.8.4, and >probably 8.8.3): > >diff -r -c sendmail-8.8.4/src/mime.c sendmail-8.8.5/src/mime.c >*** sendmail-8.8.4/src/mime.c Sun Nov 24 07:27:26 1996 >--- sendmail-8.8.5/src/mime.c Tue Jan 14 17:21:22 1997 >*************** >*** 36,42 **** > # include > > #ifndef lint >! static char sccsid[] = "@(#)mime.c 8.51 (Berkeley) 11/24/96"; > #endif /* not lint */ > > /* >--- 36,42 ---- > # include > > #ifndef lint >! static char sccsid[] = "@(#)mime.c 8.54 (Berkeley) 1/14/97"; > #endif /* not lint */ > > /* >*************** >*** 958,967 **** > register char *p; > char *cte; > char **pvp; >- u_char *obp; > u_char *fbufp; > char buf[MAXLINE]; >- u_char obuf[MAXLINE + 1]; > u_char fbuf[MAXLINE + 1]; > char pvpbuf[MAXLINE]; > extern u_char MimeTokenTab[256]; >--- 958,965 ---- >*************** >*** 1045,1053 **** > c2 = CHAR64(c2); > > *fbufp = (c1 << 2) | ((c2 & 0x30) >> 4); >! if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE]) > { >! if (*--fbufp != '\n' || *--fbufp != '\r') > fbufp++; > *fbufp = '\0'; > putline((char *) fbuf, mci); >--- 1043,1052 ---- > c2 = CHAR64(c2); > > *fbufp = (c1 << 2) | ((c2 & 0x30) >> 4); >! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) > { >! if (*--fbufp != '\n' || >! (fbufp > fbuf && *--fbufp != '\r')) > fbufp++; > *fbufp = '\0'; > putline((char *) fbuf, mci); >*************** >*** 1057,1065 **** > continue; > c3 = CHAR64(c3); > *fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2); >! 
if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE]) > { >! if (*--fbufp != '\n' || *--fbufp != '\r') > fbufp++; > *fbufp = '\0'; > putline((char *) fbuf, mci); >--- 1056,1065 ---- > continue; > c3 = CHAR64(c3); > *fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2); >! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) > { >! if (*--fbufp != '\n' || >! (fbufp > fbuf && *--fbufp != '\r')) > fbufp++; > *fbufp = '\0'; > putline((char *) fbuf, mci); >*************** >*** 1069,1103 **** > continue; > c4 = CHAR64(c4); > *fbufp = ((c3 & 0x03) << 6) | c4; >! if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE]) > { >! if (*--fbufp != '\n' || *--fbufp != '\r') > fbufp++; > *fbufp = '\0'; > putline((char *) fbuf, mci); > fbufp = fbuf; > } > } >- >- /* force out partial last line */ >- if (fbufp > fbuf) >- { >- *fbufp = '\0'; >- putline((char *) fbuf, mci); >- } > } > else > { > /* quoted-printable */ >! obp = obuf; > while (fgets(buf, sizeof buf, e->e_dfp) != NULL) > { >! if (mime_fromqp((u_char *) buf, &obp, 0, >&obuf[MAXLINE] - obp) == 0) > continue; > >! putline((char *) obuf, mci); >! obp = obuf; > } > } > if (tTd(43, 3)) > printf("\t\t\tmime7to8 => %s to 8bit done\n", cte); >--- 1069,1105 ---- > continue; > c4 = CHAR64(c4); > *fbufp = ((c3 & 0x03) << 6) | c4; >! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) > { >! if (*--fbufp != '\n' || >! (fbufp > fbuf && *--fbufp != '\r')) > fbufp++; > *fbufp = '\0'; > putline((char *) fbuf, mci); > fbufp = fbuf; > } > } > } > else > { > /* quoted-printable */ >! fbufp = fbuf; > while (fgets(buf, sizeof buf, e->e_dfp) != NULL) > { >! if (mime_fromqp((u_char *) buf, &fbufp, 0, >! &fbuf[MAXLINE] - fbufp) == 0) > continue; > >! putline((char *) fbuf, mci); >! fbufp = fbuf; > } >+ } >+ >+ /* force out partial last line */ >+ if (fbufp > fbuf) >+ { >+ *fbufp = '\0'; >+ putline((char *) fbuf, mci); > } > if (tTd(43, 3)) > printf("\t\t\tmime7to8 => %s to 8bit done\n", cte); > > >Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/ >
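Review bot: removing the `obp`/`obuf` declarations in the 958,967 hunk is only correct because the quoted-printable branch further down is switched to `fbufp`/`fbuf`; the two hunks must land together, and the commit message should say that both encodings now decode through the single `fbuf[MAXLINE + 1]` buffer so the trailing flush applies to both.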
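Review bot: in the 1045,1053 hunk the old `fbuf >= &fbuf[MAXLINE]` compares the array's own address with its end and is never true, so the only thing that ever flushed `fbuf` was a decoded `'\n'`; a base64 body whose decoded output contains no newline walks `fbufp` straight past the end of `fbuf[MAXLINE + 1]`. The replacement `fbufp >= &fbuf[MAXLINE]` is the right test, and because it runs after `fbufp++` at most MAXLINE bytes are stored before the flush, leaving `fbuf[MAXLINE]` for the `'\0'` written two lines later. The new `fbufp > fbuf &&` guard is needed as well: on a line that decodes to a bare `'\n'`, the old `*--fbufp != '\r'` read `fbuf[-1]`.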
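Review bot: the 1057,1065 hunk is the same two-line fix as the previous one, and the 1069,1103 hunk repeats it a third time for the c4 byte, so the flush-and-terminate sequence now exists in three copies. Consider lifting it into a small static helper (or a macro taking `fbuf`/`fbufp`/`mci`) so the bounds check cannot again be corrected in one copy and missed in another.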
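Review bot: moving the "force out partial last line" block below the `else` in the 1069,1103 hunk changes quoted-printable behaviour, not only base64: when `mime_fromqp()` returns 0 the loop does `continue` without resetting `fbufp`, so a body whose last line ends in a soft line break now has its pending bytes flushed, where before they stayed in `obuf` and were never written. That is the right outcome, but it deserves a sentence in the commit message. Also, the old-side line `&obuf[MAXLINE] - obp) == 0)` has lost its leading `! ` marker in this copy (it appears as a bare `>` continuation), so `patch` will reject the hunk as quoted here; the new side's two `!` lines are intact.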
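Added example, not code from the sendmail tree or from either poster: a minimal base64-to-8bit line decoder that uses the flush test from the patch above (the write pointer `fbufp`, not the array `fbuf`, compared against `&fbuf[MAXLINE]`) so the length-triggered flush actually fires. `char64()`, `emit()`, `demo_out` and the shrunken `MAXLINE` are stand-ins chosen here; the base64 strings in the test are constructed input.

```c
#include <string.h>
#define MAXLINE 16  /* sendmail's is far larger; shrunk so the demo trips it */
char demo_out[128];  /* scratch output buffer for trying the decoder */
/* Stand-in for CHAR64(): value of a base64 digit, -1 for '=', CRLF, junk. */
static int char64(int c)
{
    static const char tab[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tab, c) : NULL;
    return p ? (int)(p - tab) : -1;
}
/* Stand-in for putline(): append the line in fbuf plus '\n' to `out`. */
static void emit(const unsigned char *fbuf, char *out, size_t outsz)
{
    size_t used = strlen(out), n = strlen((const char *)fbuf);
    if (used + n + 2 > outsz) return;    /* demo only: drop if `out` is full */
    memcpy(out + used, fbuf, n);
    strcpy(out + used + n, "\n");
}
/* Decode base64 `in` into 8-bit lines; returns the number of lines flushed.
 * Flush test is 8.8.5's: the write pointer fbufp, not the array fbuf (which
 * 8.8.4 tested, never true), is checked; fbuf[MAXLINE] is kept for the '\0'. */
size_t mime7to8_b64(const char *in, char *out, size_t outsz)
{
    unsigned char fbuf[MAXLINE + 1], *fbufp = fbuf;
    unsigned acc = 0; int bits = 0; size_t lines = 0;
    for (out[0] = '\0'; *in != '\0'; in++) {
        int v = char64((unsigned char)*in);
        if (v < 0) continue;             /* padding, CRLF, anything else */
        acc = (acc << 6) | (unsigned)v;
        if ((bits += 6) < 8) continue;
        bits -= 8;
        *fbufp = (unsigned char)(acc >> bits);   /* one decoded byte */
        acc &= (1u << bits) - 1;
        if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) {
            if (*--fbufp != '\n' || (fbufp > fbuf && *--fbufp != '\r'))
                fbufp++;         /* fbufp > fbuf: never step before fbuf */
            *fbufp = '\0';
            emit(fbuf, out, outsz);
            lines++;
            fbufp = fbuf;
        }
    }
    if (fbufp > fbuf) {                  /* force out partial last line */
        *fbufp = '\0';
        emit(fbuf, out, outsz);
        lines++;
    }
    return lines;
}
```

With `MAXLINE` at 16, forty decoded bytes with no newline come out as lines of 16, 16 and 8, which is exactly the flush the 8.8.4 check could never trigger.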