Slashdot Mirror


Buffer Overflow in Sendmail

ChiefArcher writes "In the footsteps of OpenSSH, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."
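The story names only the bug class (a buffer overflow while parsing an address) and not the code path, so the following is an added, generic illustration written for this page. It is not Sendmail's code and does not reproduce the 8.12.10 flaw; the function names, the `LOCAL_MAX` limit and the sample addresses are all invented. It shows the classic shape of the mistake, a fixed-size stack buffer filled by a loop that only stops at a delimiter, next to a bounded version that refuses input it cannot hold instead of running past the end of the buffer.

```c
/* Added example: a toy RFC 822-style address splitter, written for this
 * page to illustrate the bug class named in the story (a fixed-size buffer
 * filled while parsing an address). It is NOT Sendmail's code and does not
 * reproduce the Sendmail 8.12.10 flaw; names and sizes are invented. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LOCAL_MAX 16   /* invented limit for the local part ("user") */

/* Unsafe pattern: copies the local part into a fixed buffer with no bound.
 * An address such as "<aaaa...aaa@example.org>" with a local part longer
 * than the caller's buffer overruns it on the stack. Shown for contrast
 * only; it is not called with oversized input below, because that would be
 * undefined behaviour. */
static void local_part_unsafe(const char *addr, char *local)
{
    const char *p = addr;
    if (*p == '<')
        p++;
    while (*p && *p != '@' && *p != '>')
        *local++ = *p++;
    *local = '\0';
}

/* Bounded version: tracks remaining space, refuses oversized or malformed
 * input instead of truncating silently, and always NUL-terminates on the
 * success path. Returns 0 on success, -1 on failure. */
static int local_part_safe(const char *addr, char *local, size_t cap)
{
    const char *p = addr;
    size_t n = 0;

    if (cap == 0)
        return -1;
    if (*p == '<')
        p++;
    while (*p && *p != '@' && *p != '>') {
        if (n + 1 >= cap)       /* need room for the terminating NUL */
            return -1;
        local[n++] = *p++;
    }
    if (*p != '@')              /* no domain part: reject rather than guess */
        return -1;
    local[n] = '\0';
    return 0;
}

/* Wrapper with a fixed LOCAL_MAX buffer: returns 1 if the local part fits
 * and was copied into out, 0 if the address was rejected. */
int parse_local(const char *addr, char out[LOCAL_MAX])
{
    return local_part_safe(addr, out, LOCAL_MAX) == 0;
}

int main(void)
{
    char buf[LOCAL_MAX];
    /* constructed sample addresses */
    const char *ok  = "<postmaster@example.org>";
    const char *bad = "<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@example.org>"; /* well over LOCAL_MAX */

    local_part_unsafe(ok, buf);          /* fine only because the input is short */
    printf("unsafe, short input: %s\n", buf);
    printf("safe, short input:   %d (%s)\n", parse_local(ok, buf), buf);
    printf("safe, long input:    %d (rejected, buffer untouched past its end)\n",
           parse_local(bad, buf));
    return 0;
}
```

The point of the bounded version is the check before the store, `n + 1 >= cap`, which reserves the terminator and turns an overflow into a rejected address; a parser that instead silently truncates can still be exploitable when a later stage trusts the truncated result.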

24 of 478 comments

  1. "Email Different" by Anonymous Coward · · Score: 5, Funny
    That's why you should entrust all your email services to Hotmail.

    1. Re:"Email Different" by CausticWindow · · Score: 4, Funny

      You've got a point there.

      While not as flexible as mutt on a *nix server, at least Hotmail is basically secure.

      --
      How small a thought it takes to fill a whole life
    2. Re:"Email Different" by buffer-overflowed · · Score: 4, Funny

      No, you should entrust all your email to me... I'm a nice guy really. I'm *never* responsible for remotely exploitable holes.

      --
      The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
  2. Yay! by Greyfox · · Score: 5, Funny

    I'll have to dust off my sendmail sploit-of-the-week card and get them to punch it for me! 12 punches and you get a free MTA!

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Yay! by JFMulder · · Score: 2, Funny

      You should have the Windows one, you'd get even more free stuff.

  3. Re:*cough* by jrockway · · Score: 1, Funny

    Well, I don't use sendmail. I use postfix. So M$ and sendmail both suck, lol.

    --
    My other car is first.
  4. Re:Fix this at the language level? by interiot · · Score: 2, Funny

    Yes, in order to make sendmail even more convoluted, I recommend it be rewritten in perl. Or maybe javascript, that would work too.

  5. This is a really difficult one by heironymouscoward · · Score: 4, Funny

    A serious response to the story is too bleak. Ho-hum, upgrade sendmail, patch it, OK.

    Comedy is inappropriate. "Is that sendmail dead? No, it's just sleeping. Oh, I could swear it was dead! No, it's just tired, see? Sendmail gottan exploit, sendmail gottan exploit!"

    Irony is difficult. To be honest, I can't even be sure which ironic form I would employ in this case. Forget irony.

    Sarcasm? "Sendmail, yeah, like we're still using that dinosaur!" What, we are? Dang. Why? "Cause it was there?" What kind of an excuse is that?!

    Nihilism... "yes, another day, another exploit. ssh, now sendmail. I can just see the future, one long bitter trail of unpatched software, server after server to upgrade. brain the size of a planet, and here I am, patching sendmail. what's the use, I ask you...?"

    Slashdotisms? All your sendmail overlords are 1-2-3 profit to us? Imagine? In Russia? No, no, no.

    SCO! SCO! "It's not an exploit, it's a snippet!!!" Worth a try.

    Damn you to the deepest depths of hell, Slsadhot edirots, this story has so little karma leverage it hurts.

    --
    Ceci n'est pas une signature
  6. Re:Patch delivery mechanism by Anonymous Coward · · Score: 5, Funny

    > Does Linux have an Auto-update mechanism similar to
    > windows that indicates when new patches are available
    > for download?

    Yup. it's called "slashdot"

  7. Spam, spam, spam and spam by Serious+Simon · · Score: 2, Funny

    I experience daily buffer overflows receiving mail.

  8. Re:I use... by 1010011010 · · Score: 4, Funny
    If you can edit a .cf file by hand, you've earned the right to run it. :) And the punishment of running it.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  9. I didn't realize Microsoft wrote sendmail! by Junks+Jerzey · · Score: 2, Funny

    But they must have, because there are no bugs in any software that runs under Linux. There never have been, and there never will be.

  10. Re:It's on the site now by buffer-overflowed · · Score: 2, Funny

    Lies, all lies, I'm not in sendmail, I don't even run sendmail. I run qmail.

    --
    The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
  11. Re:HUH? by athen66 · · Score: 2, Funny

    that's pretty sad if you think "a lot" and "allot" mean the same thing. go back to kindergarten.

  12. Re:Sendmail's future by Fizzlewhiff · · Score: 4, Funny

    I agree and am migrating to Exchange as I type this. Hopefully it, and Outlook, will be more secure for my users.

    --
    'Same speed C but faster'
  13. You know... by Gay+Nigger · · Score: 2, Funny

    I feel like my week isn't complete without patching Sendmail at least once. Ahhh... return to normalcy. I feel better.

  14. Look I know by IWantMoreSpamPlease · · Score: 2, Funny

    that many in the Open Source Community are content to imitate Microsoft's latest offerings, but copying exploits is, in my opinion, going too far! ;-)

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.
  15. Re:OpenSSH as well by lone_marauder · · Score: 5, Funny

    What?? You don't trust software compiled by flying butt monkeys?

    --
    who are those slashdot people? they swept over like Mongol-Tartars.
  16. Re:Fix this at the language level? by spektr · · Score: 2, Funny

    I vote to have it written in Brainfuck (http://www.muppetlabs.com/~breadbox/bf). A simpler language makes a program easier to read, right?

    I wouldn't be entirely surprised if it turned out that sendmail was the first (and only) non-trivial program that could be expressed in brainfuck. In fact, I believe that sendmail.cf has been ported to brainfuck already.

  17. Wow by Black+Noise · · Score: 2, Funny

    > Sendmail states this is potentially remotely exploitable

    Wow, sendmail must've come a long way since I last used it...

    Now tell me why not all software has this feature.

    --
    Cig? No, thank you.
  18. I suspect this story is fraudulent by RLiegh · · Score: 2, Funny

    as I cannot believe that sendmail would have an exploit (remote or otherwise) given its history.

  19. Re:Use qmail by Anonymous Coward · · Score: 3, Funny

    Bernstein managed to suck out the brain of many people?

  20. Re:OpenSSH as well by Anonymous Coward · · Score: 1, Funny

    > What?? You don't trust software compiled by flying butt monkeys?

    Yes, I use Microsoft products all the time.

  21. Perpetual newspaper by perp · · Score: 2, Funny

    There was a Dilbert strip where Dogbert tried to sell Dilbert a "perpetual newspaper"; only a thousand dollars and you'll never need to buy another newspaper!

    The headlines were like "Pope Denounces Violence" and "Real Estate Values Rise" and "Unrest in the Middle East". I think that "Buffer Overflow Found in Sendmail" would have been a worthy addition to the Tech Pages.

    --
    There are two kinds of sysadmins: paranoids and losers. I'm both kinds.