Package: sendmail
Version: 8.13.4-3
Severity: critical
Justification: root security hole

Please see the following advisories/reports:

http://www.auscert.org.au/6148
http://xforce.iss.net/xforce/alerts/id/216
http://www.sendmail.org/8.13.6.html

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

-- Package-specific info:
Ouput of /usr/share/bug/sendmail/script:

ls -alR /etc/mail:

/etc/mail:
total 272
drwxr-sr-x 7 smmta smmsp 4096 Dec 2 09:22 .
drwxr-xr-x 91 root root 8192 Mar 20 22:47 ..
-rwxr-xr-- 1 root smmsp 9116 Dec 2 09:21 Makefile
-rw------- 1 root root 4211 Dec 2 09:22 access
-rw-r----- 1 smmta smmsp 12288 Dec 2 09:22 access.db
-rw-r--r-- 1 root root 281 Jun 4 2005 address.resolve
lrwxrwxrwx 1 root smmsp 10 Dec 2 09:22 aliases -> ../aliases
-rw-r----- 1 smmta smmsp 12288 Dec 2 09:22 aliases.db
-rw-r--r-- 1 root root 3058 Dec 2 09:21 databases
-rw-r--r-- 1 root root 5588 Jun 4 2005 helpfile
-rw-r--r-- 1 root smmsp 35 Dec 2 09:22 local-host-names
drwxr-sr-x 2 smmta smmsp 4096 Dec 2 09:21 m4
drwxr-xr-x 2 root root 4096 Dec 2 09:21 peers
drwxr-xr-x 2 root smmsp 4096 Jun 4 2005 sasl
-rw-r--r-- 1 root smmsp 8198 Dec 2 09:22 sendmail.cf
-rw-r--r-- 1 root smmsp 269 Dec 2 09:22 sendmail.cf.errors
-rw-r--r-- 1 root root 10032 May 6 2002 sendmail.conf
-rw-r--r-- 1 root smmsp 46 Dec 2 09:22 sendmail.mc
-rw-r--r-- 1 root root 149 Jun 4 2005 service.switch
-rw-r--r-- 1 root root 180 Jun 4 2005 service.switch-nodns
drwxr-sr-x 2 smmta smmsp 4096 Dec 2 09:21 smrsh
-rw-r--r-- 1 root smmsp 7794 Dec 2 09:22 submit.cf
-rw-r--r-- 1 root smmsp 59 Dec 2 09:22 submit.mc
drwxr-xr-x 2 smmta smmsp 4096 Dec 2 09:21 tls
-rw-r--r-- 1 root smmsp 0 Dec 2 09:22 trusted-users

/etc/mail/m4:
total 8
drwxr-sr-x 2 smmta smmsp 4096 Dec 2 09:21 .
drwxr-sr-x 7 smmta smmsp 4096 Dec 2 09:22 ..
-rw-r----- 1 root smmsp 0 Dec 2 09:21 dialup.m4
-rw-r----- 1 root smmsp 0 Dec 2 09:21 provider.m4

/etc/mail/peers:
total 12
drwxr-xr-x 2 root root 4096 Dec 2 09:21 .
drwxr-sr-x 7 smmta smmsp 4096 Dec 2 09:22 ..
-rw-r--r-- 1 root root 328 Jun 4 2005 provider

/etc/mail/sasl:
total 8
drwxr-xr-x 2 root smmsp 4096 Jun 4 2005 .
drwxr-sr-x 7 smmta smmsp 4096 Dec 2 09:22 ..

/etc/mail/smrsh:
total 8
drwxr-sr-x 2 smmta smmsp 4096 Dec 2 09:21 .
drwxr-sr-x 7 smmta smmsp 4096 Dec 2 09:22 ..
lrwxrwxrwx 1 root smmsp 26 Dec 2 09:21 mail.local -> /usr/lib/sm.bin/mail.local
lrwxrwxrwx 1 root smmsp 17 Dec 2 09:21 procmail -> /usr/bin/procmail
lrwxrwxrwx 1 root smmsp 17 Dec 2 09:21 vacation -> /usr/bin/vacation

/etc/mail/tls:
total 44
drwxr-xr-x 2 smmta smmsp 4096 Dec 2 09:21 .
drwxr-sr-x 7 smmta smmsp 4096 Dec 2 09:22 ..
-rw-r--r-- 1 root root 7 Dec 2 09:21 no_prompt
-rw------- 1 root root 1191 Dec 2 09:21 sendmail-client.cfg
-rw-r--r-- 1 root smmsp 1245 Dec 2 09:21 sendmail-client.crt
-rw------- 1 root root 1025 Dec 2 09:21 sendmail-client.csr
-rw-r----- 1 root smmsp 1679 Dec 2 09:21 sendmail-common.key
-rw------- 1 root root 0 Dec 2 09:21 sendmail-common.prm
-rw------- 1 root root 1191 Dec 2 09:21 sendmail-server.cfg
-rw-r--r-- 1 root smmsp 1245 Dec 2 09:21 sendmail-server.crt
-rw------- 1 root root 1025 Dec 2 09:21 sendmail-server.csr
-rwxr--r-- 1 root root 3152 Dec 2 09:21 starttls.m4

sendmail.conf:
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="Yes";
DAEMON_MAILSTATS="No";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="10";
QUEUE_PARMS="";
MSP_MODE="${QUEUE_MODE}";
MSP_INTERVAL="${QUEUE_INTERVAL}";
MSP_PARMS="${QUEUE_PARMS}";
MSP_MAILSTATS="No";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
AGE_DATA="";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";

sendmail.mc:
[trigger for usr/share/sendmail/sm_helper.sh]

submit.mc...
FEATURE(`msp [trigger for usr/share/sendmail/sm_helper.sh]

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm0.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages sendmail depends on:
ii rmail 8.13.4-3 MTA->UUCP remote mail handler
ii sendmail-base 8.13.4-3 powerful, efficient, and scalable
ii sendmail-bin 8.13.4-3 powerful, efficient, and scalable
ii sendmail-cf 8.13.4-3 powerful, efficient, and scalable
ii sensible-mda 8.13.4-3 Mail Delivery Agent wrapper

Versions of packages sensible-mda depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii procmail 3.22-11 Versatile e-mail processor
ii sendmail-bin [mail-transpor 8.13.4-3 powerful, efficient, and scalable

Versions of packages rmail depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libldap2 2.1.30-8 OpenLDAP libraries
ii sendmail-bin [mail-transpor 8.13.4-3 powerful, efficient, and scalable

-- no debconf information

