Slashdot Mirror


Buffer Overflow in Sendmail

ChiefArcher writes "On the footsteps of OpenSSH, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."

3 of 478 comments

  1. Use qmail by DigitalNinja7 · Score: 5, Informative

    That's why you should be using qmail, ya' code monkeys! Seems like this happens every couple months.

    --
    Show your love for the Hacker community
    HackerLogo.com
    1. Re:Use qmail by bongoras · Score: 5, Informative

      PLEASE PLEASE PLEASE read the fucking article...

      from the release notes:

      "Fix a potential buffer overflow in ruleset parsing. This problem
      is not exploitable in the default sendmail configuration;
      only if non-standard rulesets recipient (2), final (4), or
      mailer-specific envelope recipients rulesets are used then
      a problem may occur."

      http://www.sendmail.org/8.12.10.html

      While I agree it's necessary to patch systems, this is hardly like the Blaster worm. I'm going to go way out on a limb here and say that 99.99% of all sendmail installations in the world don't use these rulesets. And anyone who IS using them is likely to be a sendmail weenie anyhow and they'll just take a break from writing their AI Chess program in sendmail.cf and patch it themselves.

  2. This is getting silly by jd · Score: 5, Informative
    Sendmail badly needs a severe audit. Maybe Stanford can run their validating compiler over it, or something. Either way, you shouldn't be seeing such basic, fundamental flaws in software that has been around for a long time.


    Especially software that is semi-commercial. They're getting paid to check for these issues, after all.


    Ok, credit given where credit is due. The problem has been recognised within a short time of being detected. That's better than Hotmail's "check the password? what for?" bug, that persisted for six or seven months, and remained in effect for several days after the media ran the story.


    But that's where the credit ends. It shows that the program isn't being routinely tested and verified with overflow detectors, or (if it is), that the testing procedure is inadequate.


    It shows why rival MTAs (eg: Postfix) are gaining popularity, when Sendmail could have kept absolute control of the market, merely by being the best.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)