Security-Fix Sendmail 8.12.9 Released

← Back to Stories (view on slashdot.org)

Security-Fix Sendmail 8.12.9 Released

Posted by timothy on Saturday March 29, 2003 @09:21AM from the preemptive dept.

bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.

4 of 166 comments (clear)

Min score:

Reason:

Sort:

Sendmail.... by Chester+K · 2003-03-29 09:41 · Score: 4, Interesting

Sendmail: The IIS of Open Source.

This is the straw that breaks the camel's back. I'm changing to another MTA.

--

NO CARRIER
1. Re:Sendmail.... by dissy · 2003-03-29 10:43 · Score: 3, Interesting
  
  Perhaps I just dont know the undocumented tricks of those mail servers.
  
  If anyone could give me either detailed instructions on how to translate from sendmail to qmail/postfix configs, or a good website that explains this, I would be most grateful.
  
  Please do keep in mind my only experence with qmail or postfix was reading the documentation to see how hard it would be to convert my sendmail setup, and seeing most of the features i need not being listed, i didnt bother setting them up.
  I am not at all familiar with the config files used by either.
  
  I am also assuming in this post one IS familiar with sendmail.
  Where i simply say virtusertable, that would of course be /etc/mail/virtusertable.
  
  I use the short names assuming you know what i mean. In a reply, please use the long form when describing qmail/postfix, as i have no clue whats what :)
  
  My current setup uses sendmails virtusertable for all domains i handle.
  There is never an instance where mail sent to user@domain will just deliver to the account user, which is sendmails default method of delivery.
  Every domain i have in my cw file is in virtusertable.
  
  That said, the features I need are:
  
  Fall-through addresses
  
  in sendmails virtusertable if you add @domain.com
  if the email address doesnt match a specific entry in virtusertable for a domian, it will then deliver using that rule.
  
  Configurable bounce errors
  
  I have some addresses (and some domains fall-through address) have entrys as:
  @domain.com error:nouser No such user
  which returns the correct error code and the text message above.
  
  Delivery to a piped process
  
  in sendmails aliases file you can add an entry such as
  somealias: "|/path/to/an/app"
  and sendmail will execute that program passing the email to its stdin.
  
  Backup mail spooling
  
  Where the server accepts mail for a domain but doesnt attempt to deliver it locally, just forward to a mail server with a higher(lower) MX priority.
  
  Support 'list' forwards
  
  IE staff@domain.com -> account1, account2, outside@emailaddy.com
  Sendmail does this really ghetto by using both virtusertable and aliases, as only aliases can have multiple places of delivery, but virtusertable can send domain mail to an alias easily enough.
  
  Access controls for relaying
  
  I use IP addresses to control who can send mail out through the mailserver (Only machines in my IP space, as well as a couple friends statics are on the list)
  I would be interested in smtp-auth in the future but until I finished the server transistion I would want the functionality to remain as-is, and inform my users later for new and added features, preferably without having to say older features will no longer work.
  Doing without smtp-auth would also be fine with me.
  
  Domain mirroring
  
  In sendmails virtusertable, if you have say 3 domains that use the same mappings, you can do the following:
  
  user1@domain.com user1 ...
  user99@domain.com user99
  @domain.com error:nouser No such user
  
  @domain.NET %1@domain.com
  @domain.ORG %1@domain.com
  
  Then you only need to manage one list (for com) and if you sent mail to user1@domain.org it would rewrite it as user1@domain.com
  
  Also for local delivery, the mailer would need to work with procmail.
  Im sure qmail and postfix both do, so that shouldnt be a problem. Just wanted to mention it incase..
  
  If qmail/postfix really can do everything above, then i stand corrected, but would ask either for a source of good documentation, or just an explnation on each point for how to do it the qmail/postfix way.
  
  Thanks
Is Sendmail still worth it? by mnmn · 2003-03-29 09:46 · Score: 5, Interesting

I fought with the M4 format of sendmail.cfg for a while in setting up a complex system before switching to qmail. Ive tried postfix too, but I still see diehard sendmailers around.

For one, sendmail is really not intuitive. If youre given a server youve never seen before and have to alter some fancy configs in it, could you do it faster than if it were say qmail? Maybe if I stare at M4 pinfo I could begin to get it, I gave up early there.

Secondly these security problems.

So beside the fact that sendmail is the standard, quite mature and very flexible if you know how to config it, does it have any big edge over postfix or qmail that everyone should know about?

And can the sendmail developers be brave trailblazers and finally change the config file syntax to just text words like httpd.conf?

--
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Re:Advisories, more like invatations to exploit by grokBoy · 2003-03-29 11:03 · Score: 3, Interesting

Well, the Full-Disclosure list that I am involved with was one of the ones that received the premature announcement, but I'm sure you'll agree that even with the follow-up it was far from anything that provided a remote exploit. The tone of the thread seemed to indicate that there was already interest in this 'in the wild' before it was disclosed to the lists in question, in any case. Kudos to the Sendmail team for getting the fix out so promptly.