Bugtraq: Re: Sendmail 8.7, 8.7.1

Re: Sendmail 8.7, 8.7.1

From: SnoCrash <spew_at_J51.COM>
Date: Tue, 10 Oct 1995 15:13:19 -0400

On Tue, 10 Oct 1995, Casper Dik wrote:

> >Who knows what the root-shell-giving security hole is in Sendmail 8.6.12
> >that was incompletely patched in 8.7, and (supposedly) finally patched
> >in 8.7.1?
>
> It's just syslog() overrunning the stack again. There's also another problem
> which causes the data segment to be overrun, but that's not as easy
> to abuse (if at all).

There also seems to be some sort of problem with body types.
The following is quoted from the Sendmail 8.7.1 RELEASE_NOTES file:

"Fix a problem that might cause a non-standard -B (body type)
        parameter to be passed to the next server with undefined
        results. This could have security implications."

Anyone have a clue as to what these "Security Implications" are?
The patch included follows... pretty easy to understand.

<begin patch to src/main.c>
***************
*** 789,795 ****
        else if (strcasecmp(CurEnv->e_bodytype, "8BITMIME") == 0)
                SevenBitInput = FALSE;
        else
! usrerr("Illegal body type %s", optarg);

        /* Enforce use of local time (null string overrides this) */
        if (TimeZoneSpec == NULL)
--- 789,798 ----
        else if (strcasecmp(CurEnv->e_bodytype, "8BITMIME") == 0)
                SevenBitInput = FALSE;
        else
! {
! usrerr("Illegal body type %s", CurEnv->e_bodytype);
! CurEnv->e_bodytype = NULL;
! }

        /* Enforce use of local time (null string overrides this) */
        if (TimeZoneSpec == NULL)
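
Review bot: the line that does the real work in this hunk is `CurEnv->e_bodytype = NULL;` in the new else block. In both the old and new code usrerr() is not followed by a return or exit, so execution continues past the check; without the reset the rejected string stays in CurEnv->e_bodytype and travels on with the message, which is the "undefined results" for the next server that the release note describes. Changing the diagnostic's argument from `optarg` to `CurEnv->e_bodytype` also makes the message report the value that is actually being compared. Two things to confirm before merging: that nothing later in main.c dereferences e_bodytype on the assumption that a -B option always leaves it set, and, if the string was copied when -B was parsed, that clearing the pointer here does not leak that copy.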

<end patch>

I haven't had time to play around with body types yet; although this bug
seems to be patched, we can never be sure with sendmail. :)
Received on Oct 10 1995
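
The stack overrun Casper Dik refers to above is the classic fixed-buffer logging pattern. What follows is an added illustration written for this archive page, not sendmail or libc source: a minimal stand-in for a syslog()-style formatting routine in its unbounded form, next to a bounded version that reports truncation instead of overrunning. The LOGBUF size, the function names and the 299-byte hostname are all constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the example; the libc routines of the day used
 * their own fixed sizes, so this number is an illustration only. */
#define LOGBUF 128

/* The vulnerable pattern: format into a fixed stack buffer with no
 * length bound.  vsprintf() writes whatever the message needs, so a
 * peer-controlled field (hostname, address, header) longer than
 * LOGBUF - 1 bytes runs off the end of buf and over the saved frame.
 * Kept only for contrast; main() calls it with a short message. */
static void unbounded_log(const char *fmt, ...)
{
    char buf[LOGBUF];
    va_list ap;

    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);   /* overruns buf when the message is too long */
    va_end(ap);
    fputs(buf, stderr);
    fputc('\n', stderr);
}

/* The bounded replacement.  vsnprintf() never writes past dstsz bytes and
 * returns the length the full message would have had, so the caller can
 * tell that truncation happened rather than silently logging a clipped
 * line.  Returns 1 if the whole message fit, 0 if it was truncated or
 * formatting failed. */
static int bounded_log(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int need;

    va_start(ap, fmt);
    need = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (need < 0) {
        dst[0] = '\0';
        return 0;
    }
    return (size_t)need < dstsz;
}

/* Drives bounded_log() with a constructed 299-byte hostname, the kind of
 * oversized field a remote peer controls.  Returns the number of bytes
 * that actually landed in the log buffer, or -1 if the message fit,
 * which with LOGBUF == 128 would indicate a broken bound. */
static int oversized_host_logged_len(void)
{
    char host[300];
    char out[LOGBUF];

    memset(host, 'A', sizeof host - 1);
    host[sizeof host - 1] = '\0';
    if (bounded_log(out, sizeof out, "connect from %s", host))
        return -1;
    return (int)strlen(out);
}

int main(void)
{
    char out[LOGBUF];

    /* Fits: both routines behave the same on a short message. */
    unbounded_log("connect from %s", "mail.example.com");
    bounded_log(out, sizeof out, "connect from %s", "mail.example.com");
    puts(out);

    /* Does not fit: "connect from " plus 299 bytes is 312 bytes, and only
     * the bounded routine survives this input. */
    printf("oversized host: %d of 312 bytes kept\n", oversized_host_logged_len());
    return 0;
}
```

The useful habit here is checking the return value of vsnprintf() rather than treating a bounded call as a complete fix: a truncated log line is still a lossy record, and a caller that wants to refuse rather than clip can do so only if the routine tells it the message did not fit.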
