Slashdot Mirror


Buffer Overflow in Sendmail

ChiefArcher writes "In the footsteps of OpenSSH, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."

6 of 478 comments

  1. Can you say... by grasshoppa · · Score: 0, Troll

    qmail?

    Look, someone had to say it, it might as well have been me.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  2. Sendmail, huh? by inertia187 · · Score: 0, Troll

    Should say: from the what-else-is-new dept. Umkay?

    --
    A programmer is a machine for converting coffee into code.
  3. Re:*cough* by metamatic · · Score: 0, Troll

    Another difference is that modern MTAs are written to deal with Internet e-mail specifically, whereas Sendmail has a generalized parser configurable to deal with pretty much any syntax you want--with all the horrendous complexity and potential for buffer overflows that implies.

    Plus sendmail rewrites headers even if it doesn't need to, which is just plain dumb and causes all kinds of problems.

    Debian, Gentoo and the like have already ditched sendmail. The only reason commercial distributions like RedHat keep it around is name recognition, I suspect.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  4. Re:*cough* by Wakko+Warner · · Score: 1, Troll

    Hey, I'm having a little trouble here remembering whose shitty code was responsible for the massive, Internet-slowing, computer-destroying, power-grid-decimating computer virus we all had to deal with last month. And then again two weeks later.

    Could you refresh me? Was it Microsoft, or sendmail?

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  5. Re:This is getting silly by TheAwfulTruth · · Score: 0, Troll

    This is yet more proof that Open Source != Automatically Secure. Nicely on the heels of the SSH hole too. It especially puts the lie to the "Many eyes on the code" reason given for the assumption that O.S. is more secure than closed source. In truth, no one (or as few as closed source) ever truly looks at, tests or audits any Open Source code other than maybe the kernel itself and possibly Apache. There is far too much of it out there and everyone is constantly working on the newest, latest, greatest thing. Who has time to go over everything? Who has the interest? Virtually no one. Should this be surprising? No, it should be expected.

    It's time to give up the hyperbole (in reality "Marketing Hype") and do some actual work on REAL security in the Linux world. We are easily as guilty of lax coding and testing skills as anything that we could say about Redmond. All this head-in-the-sand "Linux is secure" crap is going to bite us in the ass HARD. I hear people saying with alarming frequency that they don't need to use a firewall with Linux because they "know" that Linux is secure. It's frightening. Are these same people going to monitor and patch every single component of their OS? No, "It's secure". Saying Linux is secure is not the same thing as ensuring that it is secure.

    Time to stop talking and start doing; the "lie" cannot be propagated forever. By the time Linux becomes truly mainstream it COULD be secure if serious attention to the matter is started TODAY. Every time someone says "Linux is secure" or, worse, the phrase "Linux is secure by (design|default)", it sets back the possibility of it being TRULY secure by another few days :(

    1) Stop claiming that Linux is immune to compromise (even the half-dishonest phrases using the words "virus" or "trojan" instead of "remote exploit"). Publicly slap down any person making such a false claim.

    2) Improve the system greatly, including code audit, hard testing, fixing the permissions system.

    3) PROVE that Linux is secure "By (design|default)", THEN start announcing the fact. But always realize that there is just one more exploit out there waiting to be found. Never claim that Linux is 100% anything; it's not and never will be (nor will any OS ever be). Claiming otherwise just looks foolish.

    --
    Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
  6. Someone PLEASE Mod Parent DOWN! by ediron2 · · Score: 0, Troll
    Who the hell is moddin' this guy up? Man, where do I start?

        It shows why rival MTAs (eg: Postfix) are gaining popularity, when Sendmail could have kept absolute control of the market, merely by being the best.

    Sendmail could never ever ever have kept absolute control of the market merely by being the best. Anyone who has administered it pretty much wasn't able to moderate you back to trollsville for this remark because they fell off their chair choking or laughing at this point. Or, like me, they didn't have mod points today.

    Sendmail is incredibly:

    • powerful
    • arcane
    • complicated.

    By comparison, the others are a walk in the park. But they won't handle all the legacy or rewriting capability sometimes needed in large-sphere enterprise email. And many don't scale for shit. Exim for my laptop or home net, Exchange for small turnkey shops, and know enough sendmail to survive...

    One of my favorite early usenet sigs went along the lines of "Sendmail Administration is not black magic -- there are legitimate technical reasons why it requires the sacrificing of a live chicken." (I've googled for 5 mins and can't find the exact quote or origin... anyone?)

    Next, did you check the narrowness of this bug? It's a problem in a fairly uncommon non-default sendmail configuration only:

        Fixes a potential buffer overflow in ruleset parsing. This problem is not exploitable in the default sendmail configuration; only if non-standard rulesets recipient (2), final (4), or mailer-specific envelope recipients rulesets are used then a problem may occur. Problem noted by Timo Sirainen.

    But, it was found and promptly fixed. Slow news day or obscurity is the only reason it got posted here.

    Sendmail, arcane as it is, is the big bad voodoo daddy of mail. I use it, I fear it, and I deeply respect the sendmail development team. Feel free to check my posting history and you'll see I've never wasted keystrokes like this before. Fact is, you've just accomplished a mod-4 troll and I'd say bravo if it wasn't against this particular target.

    Now, on to StupidTrollTalkIndicators (to train the untrainable slashdot moderation mindset):

    • comparing sendmail to hotmail (one's a web app, if that helps you be a bit clueful).
    • ...getting paid to check for this stuff... yeah, that happens on a shoestring quasi-commercial basis: The boss has a money tree he uses to fund a team of fifteen to dig for bugs.
    • assuming that the bug is old. Sendmail adds about 40 minor tweaks and patches, expands for new circumstances and contracts when optimizations are found... and you think sendmail has always had this obscure little bug? Or that no new bugs are introduced when code is edited?
    • Ripping on sendmail for being buggy and quasi-commercial. WTFDYGO having that high horse?! Name a commercial package that is 10% as complicated as parsing all sixty bizillion mail methodologies in use. Now show it is bugfree. You can't and won't.

    Ediron's Law: Good engineers make modules, not suites. Microsoft's greatest liability is omnibus code. I dislike that more than antitrust tactics. They refuse to modularize and we're screwed as a result. Sendmail, alas, isn't very modularizable: it still accepts goop from a mainframe that resorts to %-escaping to allow passthru to a legitimate mail relay, because that used to be (and may still be) needed somewhere.

    Troll troll troll troll troll. Even a 4-digit id. Sigh... Rob/Taco/etc, gimme the ability to spend my subscription money on mod points for numb-nutz responses like this and other techno-sounding wrongness. I'll start spending like mad! --
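
The thread above quotes a release note about a buffer overflow in ruleset (address rewriting) parsing and mentions the legacy %-hack rewriting that such rulesets exist to handle. The following is an added illustration of that bug class, written for this page; it is not Sendmail's code, and the toy "ruleset" (rewrite user@host into user%host@relay, with a hypothetical 64-byte output buffer named ADDR_BUF and a hypothetical relay name) is a constructed example. It places an unbounded rewriting routine beside a length-checked one and shows that the checked version refuses an over-long local part instead of writing past the buffer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only: not Sendmail's code. A toy address-rewriting "ruleset"
 * that turns user@host into user%host@relay (the legacy %-hack form) using a
 * fixed-size output buffer, in the vulnerable and the hardened form. */
#define ADDR_BUF 64   /* assumed output buffer size for this example */

/* Vulnerable form: copies into 'out' (assumed to be ADDR_BUF bytes) with no
 * length check. A local part longer than ADDR_BUF-1 bytes, or a long host or
 * relay, writes past the end of 'out'. A missing '@' dereferences NULL. */
void rewrite_percent_unsafe(const char *addr, const char *relay, char *out)
{
    const char *at = strchr(addr, '@');
    size_t user_len = (size_t)(at - addr);   /* undefined if at == NULL */

    memcpy(out, addr, user_len);             /* unbounded copy of local part */
    out[user_len] = '%';
    strcpy(out + user_len + 1, at + 1);      /* unbounded copy of host */
    strcat(out, "@");
    strcat(out, relay);                      /* unbounded copy of relay */
}

/* Bytes needed for the rewritten address, including the terminating NUL,
 * or 0 if the address has no '@' and cannot be rewritten at all. */
size_t rewrite_percent_len(const char *addr, const char *relay)
{
    const char *at = strchr(addr, '@');
    if (at == NULL)
        return 0;
    /* user '%' host '@' relay NUL */
    return (size_t)(at - addr) + 1 + strlen(at + 1) + 1 + strlen(relay) + 1;
}

/* Hardened form: compute the required size first and refuse the rewrite if
 * it does not fit in 'outlen' bytes. Returns false on rejection; 'out' is
 * then left untouched so a caller cannot use a half-written result. */
bool rewrite_percent_safe(const char *addr, const char *relay,
                          char *out, size_t outlen)
{
    size_t need = rewrite_percent_len(addr, relay);
    if (need == 0 || need > outlen)
        return false;

    const char *at = strchr(addr, '@');
    size_t user_len = (size_t)(at - addr);
    size_t host_len = strlen(at + 1);

    memcpy(out, addr, user_len);
    out[user_len] = '%';
    memcpy(out + user_len + 1, at + 1, host_len);
    out[user_len + 1 + host_len] = '@';
    memcpy(out + user_len + 2 + host_len, relay, strlen(relay));
    out[need - 1] = '\0';
    return true;
}

/* Convenience wrapper with a constructed relay name; returns NULL on rejection. */
static char demo_out[ADDR_BUF];
const char *demo_rewrite_safe(const char *addr)
{
    if (!rewrite_percent_safe(addr, "relay.example.net", demo_out, sizeof demo_out))
        return NULL;
    return demo_out;
}

/* Constructed over-long input: a 100-byte local part. The unsafe routine
 * would write roughly twice ADDR_BUF bytes into a 64-byte buffer; the safe
 * routine rejects it, and the length function shows why. */
bool overlong_address_rejected(void)
{
    char addr[128];
    char out[ADDR_BUF];
    memset(addr, 'A', 100);
    memcpy(addr + 100, "@example.org", 13);  /* 12 chars plus NUL */

    return !rewrite_percent_safe(addr, "relay.example.net", out, sizeof out)
        && rewrite_percent_len(addr, "relay.example.net") > ADDR_BUF;
}

/* On a benign, short address both routines produce the same rewrite; the
 * hardened version changes behaviour only on input that would not fit. */
bool benign_outputs_match(void)
{
    char a[ADDR_BUF], b[ADDR_BUF];
    rewrite_percent_unsafe("alice@example.org", "relay.example.net", a);
    if (!rewrite_percent_safe("alice@example.org", "relay.example.net", b, sizeof b))
        return false;
    return strcmp(a, b) == 0;
}

int main(void)
{
    const char *r = demo_rewrite_safe("alice@example.org");
    printf("rewritten: %s\n", r ? r : "(rejected)");
    printf("over-long local part rejected: %s\n",
           overlong_address_rejected() ? "yes" : "no");
    return 0;
}
```

The point the release note makes carries over: the unsafe routine is harmless as long as only the default, well-formed inputs ever reach it, and becomes a memory-safety bug the moment a non-default rewriting path feeds it attacker-chosen addresses. Sizing the output before copying, and failing closed when it does not fit, removes that dependence on configuration.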