Slashdot Mirror

← Back to Stories (view on slashdot.org)

Buffer Overflow in Sendmail

Posted by CmdrTaco on from the put-on-your-hardhat-and-rebuild dept.

ChiefArcher writes "On the footsteps of openssh, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."

8 of 478 comments (clear)

  1. Use qmail by DigitalNinja7 · · Score: 5, Informative

    That's why you should be using qmail, ya' code monkeys! Seems like this happens every couple months.

    --
    Show your love for the Hacker community
    HackerLogo.com
    1. Re:Use qmail by bongoras · · Score: 5, Informative

      PLEASE PLEASE PLEASE read the fucking article...

      from the release notes:

      "Fix a potential buffer overflow in ruleset parsing. This problem
      is not exploitable in the default sendmail configuration;
      only if non-standard rulesets recipient (2), final (4), or
      mailer-specific envelope recipients rulesets are used then
      a problem may occur. "

      http://www.sendmail.org/8.12.10.html

      While I agree it's necessary to patch systems, this is hardly like the Blaster worm. I'm going to go way out on a limb here and say that 99.99% of all sendmail installations in the world don't use these rulesets. And anyone who IS using them is likely to be a sendmail weenie anyhow and they'll just take a break from writing their AI Chess program in sendmail.cf and patch it themselves.

  2. "Email Different" by Anonymous Coward · · Score: 5, Funny


    That's why you should entrust all your email services to Hotmail.

  3. Yay! by Greyfox · · Score: 5, Funny

    I'll have to dust off my sendmail sploit-of-the-week card and get them to punch it for me! 12 punches and you get a free MTA!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  4. Re:Patch delivery mechanism by Anonymous Coward · · Score: 5, Funny

    > Does Linux have an Auto-update mechanism similar to
    > windows that indicates when new patches are available
    > for download?

    Yup. it's called "slashdot"

  5. Re:Patch delivery mechanism by mopslik · · Score: 5, Insightful

    ...you must give Microsoft credit. When an exploit is made public, they already have the patch ready.

    You mean when Microsoft publicly discloses the exploit, usually weeks after it was first reported across the Internet?

  6. Re:OpenSSH as well by lone_marauder · · Score: 5, Funny

    What?? You don't trust software compiled by flying butt monkeys?

    --
    who are those slashdot people? they swept over like Mongol-Tartars.
  7. This is getting silly by jd · · Score: 5, Informative
    Sendmail badly needs a severe audit. Maybe Stanford can run their validating compiler over it, or something. Either way, you shouldn't be seeing such basic, fundamental flaws in software that has been around for a long time.


    Especially software that is semi-commercial. They're getting paid to check for these issues, after all.


    Ok, credit given where credit is due. The problem has been recognised within a short time of being detected. That's better than Hotmail's "check the password? what for?" bug, that persisted for six or seven months, and remained in effect for several days after the media ran the story.


    But that's where the credit ends. It shows that the program isn't being routinely tested and verified with overflow detectors, or (if it is), that the testing procedure is inadequate.


    It shows why rival MTAs (eg: Postfix) are gaining popularity, when Sendmail could have kept absolute control of the market, merely by being the best.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)