-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2001-017 ================================= Topic: sendmail(8) incorrect command line argument check leads to local root privilege compromise Version: NetBSD-current: source prior to August 22, 2001 NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4 branch: not-affected pkgsrc: sendmail prior to 8.11.6 Severity: Local root compromise Fixed: NetBSD-current: August 21, 2001 NetBSD-1.5 branch: August 22, 2001 pkgsrc: sendmail-8.11.6 Abstract ======== The following text is from sendmail 8.11.6 release note: SECURITY: Fix a possible memory access violation when specifying out-of-bounds debug parameters. Problem detected by Cade Cairns of SecurityFocus. Technical Details ================= Certain variables were treated as signed values, but should have been unsigned. Bounds checking was not done when incrementing an index. Combined with supplied command-line arguments, a local user could exploit the setuid-root sendmail binary and the lack of bounds checking to perform a root compromise. Solutions and Workarounds ========================= If your system is running a sendmail version between 8.10.0 to 8.11.5, your system is vulnerable. Sendmail 8.11.6 is safe. Check /usr/libexec/sendmail/sendmail. After the upgrade of the binary file, be sure to restart any instances of a sendmail daemon running on your system. * All NetBSD releases using sendmail from pkgsrc between 8.10.0 and 8.11.5: If you are using sendmail from pkgsrc, upgrade to the following, or later: sendmail-8.11.6 * NetBSD-current: Systems running NetBSD-current dated from before 2001-08-21 should be upgraded to NetBSD-current dated 2001-08-22 or later. The following directory needs to be updated from the netbsd-current CVS branch (aka HEAD): gnu/dist/sendmail gnu/usr.sbin/sendmail To update from CVS, re-build, and re-install sendmail: # cd /usr/src/gnu # cvs update -d -P dist/sendmail usr.sbin/sendmail # cd usr.sbin/sendmail # make cleandir all install Alternatively, apply the following patch (with potential offset differences) and rebuild & re-install sendmail: ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-017-sendmail.patch To patch, re-build and re-install sendmail # cd /usr/src # patch < /path/to/SA2001-017-sendmail.patch # cd gnu/usr.sbin/sendmail # make cleandir all install * NetBSD 1.5, 1.5.1 Systems running NetBSD releases on netbsd 1.5 branch (1.5 and 1.5.1) should be upgraded to NetBSD 1.5 branch dated 2001-08-23 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: gnu/dist/sendmail gnu/usr.sbin/sendmail To update from CVS, re-build, and re-install sendmail: # cd /usr/src/gnu # cvs update -d -P -r netbsd-1-5 dist/sendmail usr.sbin/sendmail # cd usr.sbin/sendmail # make cleandir all install Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-017-sendmail.patch To patch, re-build and re-install sendmail # cd /usr/src # patch < /path/to/SA2001-017-sendmail.patch # cd gnu/usr.sbin/sendmail # make cleandir all install Thanks To ========= Jun-ichiro itojun Hagino for patches. Cade Cairns of SecurityFocus for discovering the issue. Revision History ================ 2001-09-06 Initial release More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-017.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2001-017.txt,v 1.8 2001/09/06 14:46:04 david Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO5eQbD5Ru2/4N2IFAQHh7wP6AoAVVkseqJCW0ig3n1RGOOGRHWyJ4Je/ qgRO6x0vWEJpIp32fIILQtTLAl2dimrJSi6ApBdl0/7d4EBo4l+rnELbI0sKJaj2 vcxgrhsL6rtUfhW8/qH9Gwr106sy78OMTuHrElEBrwuoy+T1XqTcXJGOwR1Rp1py BWbKwI4jGws= =1y/j -----END PGP SIGNATURE-----