Date:      Thu, 23 Jan 1997 22:40:54 +1100
From:      Bruce Evans <bde@zeta.org.au>
To:        angio@aros.net, eivind@dimaga.com
Cc:        hackers@freebsd.org, mrcpu@cdsnet.net, security@freebsd.org
Subject:   Re: FWIW
Message-ID:  <199701231140.WAA29120@godzilla.zeta.org.au>

>From owner-freebsd-hackers@freefall.freebsd.org Thu Jan 23 05:41:10 1997
>Received: from x.physics.usyd.edu.au (x.physics.usyd.edu.au [129.78.129.25]) by godzilla.zeta.org.au (8.8.3/8.6.9) with ESMTP id FAA26842 for <bde@kralizec.zeta.org.au>; Thu, 23 Jan 1997 05:36:19 +1100
>Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.18]) by x.physics.usyd.edu.au (8.8.2/8.8.2) with ESMTP id FAA11762; Thu, 23 Jan 1997 05:35:40 +1100 (EST)
>Received: from localhost (daemon@localhost)
>          by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id JAA16465;
>          Wed, 22 Jan 1997 09:48:15 -0800 (PST)
>Received: (from root@localhost)
>          by freefall.freebsd.org (8.8.5/8.8.5) id JAA16363
>          for hackers-outgoing; Wed, 22 Jan 1997 09:47:28 -0800 (PST)
>Received: from nic.follonett.no (nic.follonett.no [194.198.43.10])
>          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA16314;
>          Wed, 22 Jan 1997 09:47:07 -0800 (PST)
>Received: (from uucp@localhost) by nic.follonett.no (8.8.3/8.8.3) with UUCP id SAA08172; Wed, 22 Jan 1997 18:41:08 +0100 (MET)
>Received: from oo7 (oo7.dimaga.com [192.0.0.65]) by dimaga.com (8.7.5/8.7.2) with SMTP id SAA17586; Wed, 22 Jan 1997 18:41:52 +0100 (MET)
>Message-Id: <3.0.32.19970122184152.00b7eec0@dimaga.com>
>X-Sender: eivind@dimaga.com
>X-Mailer: Windows Eudora Pro Version 3.0 (32)
>Date: Wed, 22 Jan 1997 18:41:54 +0100
>To: Dave Andersen <angio@aros.net>
>From: Eivind Eklund <eivind@dimaga.com>
>Subject: Re: FWIW 
>Cc: Jaye Mathisen <mrcpu@cdsnet.net>, hackers@FreeBSD.ORG,
>        security@FreeBSD.ORG
>Mime-Version: 1.0
>Content-Type: text/plain; charset="us-ascii"
>Sender: owner-hackers@FreeBSD.ORG
>X-Loop: FreeBSD.org
>Precedence: bulk
>Status: RO
>
>At 09:33 AM 1/22/97 -0700, Dave Andersen wrote:
>>
>>> From: Eivind Eklund <eivind@dimaga.com>
>>> 
>>> At 01:55 PM 1/21/97 -0800, Jaye Mathisen wrote:
>>> >
>>> >
>>> >8.8.5 of sendmail is out, apparently fixing some nasty security bug in
>>> >8.8.3 and 8.8.4.  Since 8.8.4 is in the tree, we should upgrade ASAP.
>>> 
>>> The security bug is reasonably minor; it is a question of not giving up
>>> group rights in some cases.  The problem has been present quite a while (if
>>> it is the problem the description made it sound like), since 8.7.0 or
>>> something.
>
>Well, this was what I was informed. If I'd read BugTraq before reading
>freebsd-hackers, I would have known better.  There is a MIME overflow bug -
>which at least some lints (flexelint, for sure) would have caught.  A patch
>is included below.
>
>BTW: How do people feel about making FreeBSD (or at least the header files)
>flexelint clean?  I could do the actual work (starting in a few weeks, as
>soon as I get my non-work machine home), but it would take a _LOT_ of
>commits, involving mainly comment addition to suppress warnings.
>(flexelint uses control comments to suppress warnings).  Real code changes
>would only happen in those cases where bugs were uncovered.
>
>>> (Not that we shouldn't fix it, but I'm not too concerned about it.  Since
>>> you are concerned, perhaps you should upgrade the port? :)
>>
>>   You should be. :)  Sendmail 8.8.5 fixes a remotely exploitable buffer
>>overflow that (you guessed it) can let an outsider have root access to
>>your system.  A local account is not required to take advantage of this
>>hole.
>
>I don't have to - I'm running an older version with only the bugfixes from
>newer versions, to avoid this kind of surprise. :)
>(In addition my host is firewalled, receiving all mail by UUCP from another
>secure host.  Only DNS is available below 1024.)
>
>>  (If you haven't upgraded to 8.8.5 yet, you should.  Don't bother waiting
>>for it to make it in to the tree.  Sendmail 8.8.5 is available from
>>ftp.sendmail.org and ftp.cert.org).
>
>Patch for the serious bug (which is there, right enough, in 8.8.4, and
>probably 8.8.3):
>
>diff -r -c sendmail-8.8.4/src/mime.c sendmail-8.8.5/src/mime.c
>*** sendmail-8.8.4/src/mime.c   Sun Nov 24 07:27:26 1996
>--- sendmail-8.8.5/src/mime.c   Tue Jan 14 17:21:22 1997
>***************
>*** 36,42 ****
>  # include <string.h>
>
>  #ifndef lint
>! static char sccsid[] = "@(#)mime.c    8.51 (Berkeley) 11/24/96";
>  #endif /* not lint */
>
>  /*
>--- 36,42 ----
>  # include <string.h>
>
>  #ifndef lint
>! static char sccsid[] = "@(#)mime.c    8.54 (Berkeley) 1/14/97";
>  #endif /* not lint */
>
>  /*
>***************
>*** 958,967 ****
>        register char *p;
>        char *cte;
>        char **pvp;
>-       u_char *obp;
>        u_char *fbufp;
>        char buf[MAXLINE];
>-       u_char obuf[MAXLINE + 1];
>        u_char fbuf[MAXLINE + 1];
>        char pvpbuf[MAXLINE];
>        extern u_char MimeTokenTab[256];
>--- 958,965 ----
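Review bot: removing `obp` and `obuf` here leaves `fbuf[MAXLINE + 1]` as the single output buffer for both the base64 and the quoted-printable branch, so its one byte of slack beyond MAXLINE is all the room the NUL terminator gets; that is only safe if every path that advances `fbufp` also stops it at `&fbuf[MAXLINE]`, which is what the remaining hunks have to guarantee (the base64 checks below, and the `&fbuf[MAXLINE] - fbufp` room argument handed to `mime_fromqp()`). The unchanged `char buf[MAXLINE]` above is fine as it is read only through `fgets(buf, sizeof buf, ...)`.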
>***************
>*** 1045,1053 ****
>                        c2 = CHAR64(c2);
>
>                        *fbufp = (c1 << 2) | ((c2 & 0x30) >> 4);
>!                       if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE])
>                        {
>!                               if (*--fbufp != '\n' || *--fbufp != '\r')
>                                        fbufp++;
>                                *fbufp = '\0';
>                                putline((char *) fbuf, mci);
>--- 1043,1052 ----
>                        c2 = CHAR64(c2);
>
>                        *fbufp = (c1 << 2) | ((c2 & 0x30) >> 4);
>!                       if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
>                        {
>!                               if (*--fbufp != '\n' ||
>!                                   (fbufp > fbuf && *--fbufp != '\r'))
>                                        fbufp++;
>                                *fbufp = '\0';
>                                putline((char *) fbuf, mci);
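Review bot: the one-character change from `fbuf` to `fbufp` in `fbufp >= &fbuf[MAXLINE]` is the actual overflow fix and deserves its own sentence in the commit message: `fbuf >= &fbuf[MAXLINE]` compares the array's base address with its own end, which can never be true, so in 8.8.4 only a decoded '\n' ever flushed the line buffer and a base64 body without an encoded newline walked `fbufp` straight past the end of `fbuf[MAXLINE + 1]`. An always-false comparison of an array against its own end is exactly the kind of thing a lint reports, as the cover note says. The added `fbufp > fbuf &&` guard is a separate, smaller fix: without it a '\n' decoded into `fbuf[0]` made `*--fbufp` read one byte before the start of the array when looking for a '\r'.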
>***************
>*** 1057,1065 ****
>                                continue;
>                        c3 = CHAR64(c3);
>                        *fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
>!                       if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE])
>                        {
>!                               if (*--fbufp != '\n' || *--fbufp != '\r')
>                                        fbufp++;
>                                *fbufp = '\0';
>                                putline((char *) fbuf, mci);
>--- 1056,1065 ----
>                                continue;
>                        c3 = CHAR64(c3);
>                        *fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
>!                       if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
>                        {
>!                               if (*--fbufp != '\n' ||
>!                                   (fbufp > fbuf && *--fbufp != '\r'))
>                                        fbufp++;
>                                *fbufp = '\0';
>                                putline((char *) fbuf, mci);
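Review bot: this is the same two-part fix as in the hunk above, applied by hand to the second of three identical flush sequences (the c2/c3 byte here, the c3/c4 byte in the next hunk); copy-pasted bounds logic is how all three copies ended up testing `fbuf` instead of `fbufp`, so consider lifting the `if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) { ... putline((char *) fbuf, mci); fbufp = fbuf; }` block into one small static helper or macro called from each of the three decode steps, so there is a single copy to get right and to audit.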
>***************
>*** 1069,1103 ****
>                                continue;
>                        c4 = CHAR64(c4);
>                        *fbufp = ((c3 & 0x03) << 6) | c4;
>!                       if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE])
>                        {
>!                               if (*--fbufp != '\n' || *--fbufp != '\r')
>                                        fbufp++;
>                                *fbufp = '\0';
>                                putline((char *) fbuf, mci);
>                                fbufp = fbuf;
>                        }
>                }
>-
>-               /* force out partial last line */
>-               if (fbufp > fbuf)
>-               {
>-                       *fbufp = '\0';
>-                       putline((char *) fbuf, mci);
>-               }
>        }
>        else
>        {
>                /* quoted-printable */
>!               obp = obuf;
>                while (fgets(buf, sizeof buf, e->e_dfp) != NULL)
>                {
>!                       if (mime_fromqp((u_char *) buf, &obp, 0,
>&obuf[MAXLINE] - obp) == 0)
>                                continue;
>
>!                       putline((char *) obuf, mci);
>!                       obp = obuf;
>                }
>        }
>        if (tTd(43, 3))
>                printf("\t\t\tmime7to8 => %s to 8bit done\n", cte);
>--- 1069,1105 ----
>                                continue;
>                        c4 = CHAR64(c4);
>                        *fbufp = ((c3 & 0x03) << 6) | c4;
>!                       if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
>                        {
>!                               if (*--fbufp != '\n' ||
>!                                   (fbufp > fbuf && *--fbufp != '\r'))
>                                        fbufp++;
>                                *fbufp = '\0';
>                                putline((char *) fbuf, mci);
>                                fbufp = fbuf;
>                        }
>                }
>        }
>        else
>        {
>                /* quoted-printable */
>!               fbufp = fbuf;
>                while (fgets(buf, sizeof buf, e->e_dfp) != NULL)
>                {
>!                       if (mime_fromqp((u_char *) buf, &fbufp, 0,
>!                                       &fbuf[MAXLINE] - fbufp) == 0)
>                                continue;
>
>!                       putline((char *) fbuf, mci);
>!                       fbufp = fbuf;
>                }
>+       }
>+
>+       /* force out partial last line */
>+       if (fbufp > fbuf)
>+       {
>+               *fbufp = '\0';
>+               putline((char *) fbuf, mci);
>        }
>        if (tTd(43, 3))
>                printf("\t\t\tmime7to8 => %s to 8bit done\n", cte);
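Review bot: moving the `/* force out partial last line */` flush from inside the base64 branch to after the if/else changes quoted-printable behaviour as well, and that should be stated explicitly: `mime_fromqp()` now writes into `fbuf` through `&fbufp`, and when it returns 0 the loop `continue`s without a `putline()`, so whatever it had buffered when `fgets()` hit EOF used to be left in `obuf` and never written out; with this hunk it is flushed like a partial base64 line. The c4 step above carries the same `fbuf`/`fbufp` correction and `fbufp > fbuf` guard as the two earlier hunks. One thing to verify in `mime_fromqp()` itself, which this diff does not show: the room argument `&fbuf[MAXLINE] - fbufp` must leave `fbuf[MAXLINE]` free for the NUL that the final flush writes at `*fbufp`.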
>
>
>Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/
>
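The overflow this thread is about, as an added stand-alone illustration (this is not sendmail's source and not code from anyone in the thread): the base64 line-assembly step from the quoted mime7to8() hunks is reproduced in a small C model that can run either the 8.8.4 checks or the 8.8.5 checks. MAXLINE is set to 64 rather than sendmail's real value, and the line buffer is placed inside a 4 KiB arena so the 8.8.4 variant can be measured instead of overwriting the stack. `run_sample()` decodes a constructed body of 150 'A' bytes ("QUFB" repeated) that contains no encoded newline: with the 8.8.4 comparison `fbuf >= &fbuf[MAXLINE]` the buffer is never flushed and the high-water mark reaches 151 bytes into a 65-byte buffer, while with `fbufp >= &fbuf[MAXLINE]` it flushes every 64 bytes and never writes past index MAXLINE. `decode_b64("CmFi", ...)`, whose first decoded byte is '\n', shows the second change: the 8.8.4 code reads `fbuf[-1]` looking for a '\r', and the `fbufp > fbuf` guard stops that. All names here (`emit_byte`, `decode_b64`, `run_sample`, `struct stats`, `note_write`) are this example's own.

```c
/* Model of the base64 line assembly in sendmail's mime7to8() (added illustration, not
 * sendmail source). MAXLINE is kept small and the line buffer sits inside a large
 * arena, so the 8.8.4 logic can be measured instead of smashing the stack. */
#include <string.h>

#define MAXLINE 64      /* assumed small value; sendmail's real MAXLINE is larger */
#define ARENA   4096    /* slack after fbuf so an overrun is counted, not fatal */

struct stats {
    int    lines;        /* calls putline() would have received */
    size_t high_water;   /* one past the highest fbuf index written; safe if <= MAXLINE + 1 */
    int    read_before;  /* set if the code dereferenced fbuf[-1] */
};

/* Base64 alphabet value, -1 for anything else (sendmail's CHAR64). */
static int char64(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Next alphabet value from the input, skipping junk; -1 at end or '=' padding. */
static int next64(const char **pp)
{
    while (**pp != '\0' && **pp != '=' && char64((unsigned char) **pp) < 0)
        (*pp)++;
    return (**pp == '\0' || **pp == '=') ? -1 : char64((unsigned char) *(*pp)++);
}

/* Record how far into fbuf a write landed. */
static void note_write(struct stats *st, const unsigned char *fbuf, const unsigned char *p)
{
    if ((size_t) (p - fbuf) + 1 > st->high_water) st->high_water = (size_t) (p - fbuf) + 1;
}

/* One decoded byte through the per-byte step of mime7to8(); patched == 0 is the 8.8.4 code,
 * patched != 0 the 8.8.5 fix. */
static void emit_byte(unsigned char byte, unsigned char *fbuf, unsigned char **fbufpp,
                      int patched, struct stats *st)
{
    unsigned char *fbufp = *fbufpp;
    int keep;

    *fbufp = byte;
    note_write(st, fbuf, fbufp);
    /* 8.8.4 compares the buffer base with its own end (always false), so only a decoded
     * '\n' ever flushes; 8.8.5 compares the write pointer. */
    if (*fbufp++ == '\n'
        || (patched ? fbufp >= &fbuf[MAXLINE] : fbuf >= &fbuf[MAXLINE])) {
        if (patched) {
            keep = (*--fbufp != '\n' || (fbufp > fbuf && *--fbufp != '\r'));
        } else {
            keep = (*--fbufp != '\n');
            if (!keep && fbufp == fbuf) st->read_before = 1;   /* 8.8.4 reads fbuf[-1] */
            if (!keep) keep = (*--fbufp != '\r');
        }
        if (keep) fbufp++;
        *fbufp = '\0';
        note_write(st, fbuf, fbufp);
        st->lines++;                       /* putline((char *) fbuf, mci) */
        fbufp = fbuf;
    }
    *fbufpp = fbufp;
}

/* Decode base64 text four characters at a time, as mime7to8() does. */
static struct stats decode_b64(const char *in, int patched)
{
    static unsigned char arena[ARENA];
    unsigned char *fbuf = arena + 1;       /* arena[0] is a sentinel so fbuf[-1] is readable */
    unsigned char *fbufp = fbuf;
    struct stats st = { 0, 0, 0 };
    int c1, c2, c3, c4;

    memset(arena, 'X', sizeof arena);
    while ((c1 = next64(&in)) >= 0 && (c2 = next64(&in)) >= 0) {
        emit_byte((c1 << 2) | ((c2 & 0x30) >> 4), fbuf, &fbufp, patched, &st);
        if ((c3 = next64(&in)) < 0) break;
        emit_byte(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2), fbuf, &fbufp, patched, &st);
        if ((c4 = next64(&in)) < 0) break;
        emit_byte(((c3 & 0x03) << 6) | c4, fbuf, &fbufp, patched, &st);
    }
    if (fbufp > fbuf) {                    /* force out partial last line */
        *fbufp = '\0';
        note_write(&st, fbuf, fbufp);
        st.lines++;
    }
    return st;
}

/* Constructed input: nbytes (a multiple of 3) of 'A', i.e. "QUFB" repeated; no decoded
 * byte is '\n', so only the length check can flush the line buffer. */
static struct stats run_sample(int patched, size_t nbytes)
{
    char in[1024] = "";
    size_t i;

    for (i = 0; i < nbytes / 3 && 4 * i + 5 <= sizeof in; i++)
        memcpy(in + 4 * i, "QUFB", 5);     /* copies the NUL terminator too */
    return decode_b64(in, patched);
}
```

With the 8.8.4 checks, `run_sample(0, 150)` reports one flushed line and a high-water mark of 151, well past the 65 bytes a real `fbuf[MAXLINE + 1]` holds; with the 8.8.5 checks it reports three lines and a high-water mark of exactly MAXLINE + 1. The arena and the `fbuf = arena + 1` sentinel exist only so the old logic can be observed safely; in the real code `fbuf` is a stack array, which is also why a lint that flags an array compared against its own end would have caught the always-false test.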



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701231140.WAA29120>