Jose-Marcio Martins da Cruz <jose-marcio.mart...@mines-paristech.fr> writes:

> Hello,
>
> Bjørn Mork wrote:
>> tags 527862 + patch security
>> thanks
>>
>> The last few days I've had both clamav-milter and spamass-milter segfault on
>> two separate servers both running Debian lenny:
>>
>> Jul 13 04:59:53 canardo kernel: [9021793.803024] spamass-milter[22767]:
>> segfault at 130 ip 7f94da384900 sp 429190e0 error 4 in
>> libmilter.so.1.0.1[7f94da379000+f000]
>> Jul 13 05:00:33 canardo kernel: [9021863.827618] clamav-milter[22887]:
>> segfault at 130 ip 7f7aaa945900 sp 4234b0f0 error 4 in
>> libmilter.so.1.0.1[7f7aaa93a000+f000]
>>
>> Jul 13 05:55:57 huey kernel: [4728098.560126] spamass-milter[20935]:
>> segfault at 130 ip 7fa1b92d1900 sp 4178a0e0 error 4 in
>> libmilter.so.1.0.1[7fa1b92c6000+f000]
>>
>> This might be because they are handling mail for some of the same
>> domains, and that a single buggy mail server is bringing them both down.
>> But I believe it is still a somewhat serious security issue, as it is
>> obviously possible to bring down virus and spam filtering by a remote
>> connection.
>>
>> I'm now testing a modified version of the patch attached to this bug,
>> and this seems to fix the problem. Please consider adding this to Lenny
>> as a security fix. Thanks.
>
> I'm attaching the last version of worker.c I'm using. There's a little
> difference.
>
> But I have some comments:
>
> I'm the author of the pool of workers patch, but I'm not from
> sendmail. This last patch will be integrated in the next release of
> sendmail. While it's not out, I'll probably put it available for
> download at my web site.
>
> I'm running the original patch on my mail servers for around 5 years
> without problems. These servers are under Solaris, FreeBSD or Debian
> Etch or Lenny...

With "nfd = 0" inside the "for (;;)" loop? Strange. I could not get that
to handle anything at all.

> The bug which we're talking about affects only a
> particular situation when very old stale connections are closed by
> libmilter: connections inactive for more than 2 hours. So, it may be
> hard to detect if your patch solves the problem or not.

Yes, I understand that. But does that mean that the bug can be triggered
by connecting to a server running milters and leaving the connection open
for more than 2 hours? If so, it should be fairly easy both to test and,
unfortunately, to use this for a DoS attack...

> There may be some confusion about the errors. And maybe the reason
> your milters are crashing may not be this bug. There is a situation
> where it's possible to do a DoS and very most milters crash (but not
> all). This is related to the number of file descriptors in use. Do you
> know how many connections the milter is handling when it crashes ???
> If there are some hundreds the reason may be this other problem, which
> is a bug of most milters, not libmilter.

I'm afraid I don't know how many connections were open when the milters
crashed, but the mail statistics do not show any unusual activity. And
these servers are very lightly loaded (less than 1 message per minute on
average). Another hint pointing at libmilter is the fact that both
clamav-milter and spamass-milter crashed at the same time.

> static void *
> mi_pool_controller(arg)
> 	void *arg;
> {
> 	struct pollfd *pfd = NULL;
> 	int dim_pfd = 0;
> 	bool rebuild_set = true;
> 	int pcnt = 0;	/* error count for poll() failures */
> 	time_t lastcheck;
> 	int nfd = 0;

I do note that nfd = 0 has moved here now. Which will also fix that bug.

Bjørn

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
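The point Bjørn raises about where `nfd = 0` sits is easy to see in a reduced poll loop. The following is an added illustration, not code from worker.c, libmilter or sendmail: it keeps the same variables as the quoted skeleton (`pfd`, `dim_pfd`, `rebuild_set`, `nfd`) but replaces the real connection bookkeeping with a hypothetical `conn_table` built from pipe read ends. The pollfd set is rebuilt only when `rebuild_set` is true; with `nfd` zeroed at the top of every iteration, every pass after the first hands poll() an empty set, which is the "could not get that to handle anything at all" behaviour. Moving the initialisation before the loop, as in the quoted version, keeps the count across iterations.

```c
#include <poll.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructed stand-in for the controller's connection table (hypothetical,
 * not libmilter's data structure). */
typedef struct {
    int fds[8];
    int count;
} conn_table;

/* (Re)build the pollfd array from the connection table, growing it when
 * needed. Returns the number of usable entries, or -1 on allocation failure. */
static int rebuild_pollfds(const conn_table *t, struct pollfd **pfd, int *dim_pfd)
{
    if (t->count > *dim_pfd) {
        struct pollfd *np = realloc(*pfd, (size_t)t->count * sizeof *np);
        if (np == NULL)
            return -1;
        *pfd = np;
        *dim_pfd = t->count;
    }
    for (int i = 0; i < t->count; i++) {
        (*pfd)[i].fd = t->fds[i];
        (*pfd)[i].events = POLLIN;
        (*pfd)[i].revents = 0;
    }
    return t->count;
}

/* Run `iterations` rounds of a simplified controller loop. The pollfd set is
 * rebuilt only when rebuild_set is true. With reset_inside == true, nfd is
 * zeroed at the top of every iteration (the placement questioned in the
 * thread); otherwise it is assigned only when the set is rebuilt.
 * Returns the nfd value that reached poll() on the last iteration. */
int run_controller(const conn_table *t, int iterations, bool reset_inside)
{
    struct pollfd *pfd = NULL;
    int dim_pfd = 0;
    bool rebuild_set = true;
    int nfd = 0;
    int last_polled = -1;

    for (int i = 0; i < iterations; i++) {
        if (reset_inside)
            nfd = 0;                 /* forgets the set built on the first pass */
        if (rebuild_set) {
            nfd = rebuild_pollfds(t, &pfd, &dim_pfd);
            if (nfd < 0)
                break;
            rebuild_set = false;     /* no connection change: no rebuild next time */
        }
        last_polled = nfd;
        /* Zero timeout: the demo only records how many descriptors poll() was
         * asked to watch, not whether any became readable. */
        if (poll(pfd, (nfds_t)nfd, 0) < 0)
            break;
    }
    free(pfd);
    return last_polled;
}

/* Build two idle "connections" from pipe read ends and run three iterations.
 * Returns the descriptor count poll() saw on the last iteration. */
int demo(bool reset_inside)
{
    int p1[2], p2[2];
    if (pipe(p1) < 0)
        return -1;
    if (pipe(p2) < 0) {
        close(p1[0]); close(p1[1]);
        return -1;
    }
    conn_table t = { { p1[0], p2[0] }, 2 };
    int seen = run_controller(&t, 3, reset_inside);
    close(p1[0]); close(p1[1]); close(p2[0]); close(p2[1]);
    return seen;
}

int main(void)
{
    printf("nfd set only on rebuild: poll() watches %d fds\n", demo(false));
    printf("nfd = 0 inside the loop: poll() watches %d fds\n", demo(true));
    return 0;
}
```

`demo(false)` returns 2 and `demo(true)` returns 0: once `rebuild_set` has been cleared, a per-iteration reset leaves nothing for poll() to watch, so idle connections are never seen again and the stale-connection cleanup the thread describes never gets a chance to run on them.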