Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
(FreeBSD Issues Fix) Sendmail Race Condition in Signal Handler May Let Remote Users Trigger a Buffer Overflow to Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1015803 |
|
SecurityTracker URL: http://securitytracker.com/id/1015803
|
|
CVE Reference:
CVE-2006-0058
(Links to External Site)
|
Date: Mar 22 2006
|
Impact:
Execution of arbitrary code via network, Root access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 8.13.6
|
Description:
A vulnerability was reported in Sendmail. A remote user may be able to execute arbitrary code on the target system.
Under certain specific timing conditions, a remote user can send specially crafted e-mail data to the target system to exploit a race condition in a signal handler and trigger a buffer overflow. This may allow the remote user to execute arbitrary code on the target system with the privileges of the sendmail process.
ISS discovered this vulnerability.
The original advisory is available at:
http://xforce.iss.net/xforce/xfdb/24584
|
Impact:
A remote user can execute arbitrary code on the target system with the privileges of the sendmail process (typically root privileges).
|
Solution:
FreeBSD has issued a fix and has provided the following solution information [quoted]:
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail410.patch.asc
[FreeBSD 4.11 and FreeBSD 5.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail411.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail411.patch.asc
[FreeBSD 5.4, and FreeBSD 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libsm
# make obj && make depend && make
# cd /usr/src/lib/libsmutil
# make obj && make depend && make
# cd /usr/src/usr.sbin/sendmail
# make obj && make depend && make && make install
The FreeBSD advisory is available at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:13.sendmail.asc
|
Vendor URL: www.sendmail.org/ (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
UNIX (FreeBSD)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 22 Mar 2006 16:11:31 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-06:13.sendmail
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-06:13.sendmail Security Advisory
The FreeBSD Project
Topic: Race condition in sendmail
Category: contrib
Module: contrib_sendmail
Announced: 2006-03-22
Affects: All FreeBSD releases.
Corrected: 2006-03-22 16:01:08 UTC (RELENG_6, 6.1-STABLE)
2006-03-22 16:01:38 UTC (RELENG_6_0, 6.0-RELEASE-p6)
2006-03-22 16:01:56 UTC (RELENG_5, 5.5-STABLE)
2006-03-22 16:02:17 UTC (RELENG_5_4, 5.4-RELEASE-p13)
2006-03-22 16:02:35 UTC (RELENG_5_3, 5.3-RELEASE-p28)
2006-03-22 16:02:49 UTC (RELENG_4, 4.11-STABLE)
2006-03-22 16:03:05 UTC (RELENG_4_11, 4.11-RELEASE-p16)
2006-03-22 16:03:25 UTC (RELENG_4_10, 4.10-RELEASE-p22)
CVE Name: CVE-2006-0058
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.
NOTE: The issue discussed in this advisory was reported to the FreeBSD
Security Team, and the patch which corrects it was supplied, by the
Sendmail Consortium via CERT. Due to the limited information available
concerning the nature of the vulnerability, the FreeBSD Security Team
has not been able to evaluate the effectiveness of the fixes, nor the
possibility of other workarounds.
I. Background
FreeBSD includes sendmail(8), a general purpose internetwork mail
routing facility, as the default Mail Transfer Agent (MTA).
II. Problem Description
A race condition has been reported to exist in the handling by sendmail
of asynchronous signals.
III. Impact
A remote attacker may be able to execute arbitrary code with the
privileges of the user running sendmail, typically root.
IV. Workaround
There is no known workaround other than disabling sendmail.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail410.patch.asc
[FreeBSD 4.11 and FreeBSD 5.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail411.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail411.patch.asc
[FreeBSD 5.4, and FreeBSD 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libsm
# make obj && make depend && make
# cd /usr/src/lib/libsmutil
# make obj && make depend && make
# cd /usr/src/usr.sbin/sendmail
# make obj && make depend && make && make install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/contrib/sendmail/libsm/fflush.c 1.1.1.1.2.1
src/contrib/sendmail/libsm/local.h 1.1.1.1.2.6
src/contrib/sendmail/libsm/refill.c 1.1.1.1.2.4
src/contrib/sendmail/src/collect.c 1.1.1.4.2.17
src/contrib/sendmail/src/conf.c 1.5.2.20
src/contrib/sendmail/src/deliver.c 1.1.1.3.2.20
src/contrib/sendmail/src/headers.c 1.4.2.16
src/contrib/sendmail/src/mime.c 1.1.1.3.2.10
src/contrib/sendmail/src/parseaddr.c 1.1.1.2.6.20
src/contrib/sendmail/src/savemail.c 1.4.2.13
src/contrib/sendmail/src/sendmail.h 1.1.1.4.2.22
src/contrib/sendmail/src/sfsasl.c 1.1.1.1.2.16
src/contrib/sendmail/src/sfsasl.h 1.1.1.1.2.3
src/contrib/sendmail/src/srvrsmtp.c 1.1.1.2.6.20
src/contrib/sendmail/src/usersmtp.c 1.1.1.3.2.17
src/contrib/sendmail/src/util.c 1.1.1.3.2.15
RELENG_4_11
src/contrib/sendmail/libsm/fflush.c 1.1.1.1.2.1.12.1
src/contrib/sendmail/libsm/local.h 1.1.1.1.2.5.2.1
src/contrib/sendmail/libsm/refill.c 1.1.1.1.2.3.2.1
src/contrib/sendmail/src/collect.c 1.1.1.4.2.14.2.1
src/contrib/sendmail/src/conf.c 1.5.2.17.2.1
src/contrib/sendmail/src/deliver.c 1.1.1.3.2.17.2.1
src/contrib/sendmail/src/headers.c 1.4.2.14.2.1
src/contrib/sendmail/src/mime.c 1.1.1.3.2.8.2.1
src/contrib/sendmail/src/parseaddr.c 1.1.1.2.6.17.2.1
src/contrib/sendmail/src/savemail.c 1.4.2.11.2.1
src/contrib/sendmail/src/sendmail.h 1.1.1.4.2.19.2.1
src/contrib/sendmail/src/sfsasl.c 1.1.1.1.2.14.2.1
src/contrib/sendmail/src/sfsasl.h 1.1.1.1.2.2.12.1
src/contrib/sendmail/src/srvrsmtp.c 1.1.1.2.6.17.2.1
src/contrib/sendmail/src/usersmtp.c 1.1.1.3.2.14.2.1
src/contrib/sendmail/src/util.c 1.1.1.3.2.13.2.1
src/UPDATING 1.73.2.91.2.17
src/sys/conf/newvers.sh 1.44.2.39.2.20
RELENG_4_10
src/contrib/sendmail/libsm/fflush.c 1.1.1.1.2.1.10.1
src/contrib/sendmail/libsm/local.h 1.1.1.1.2.4.2.1
src/contrib/sendmail/libsm/refill.c 1.1.1.1.2.2.6.1
src/contrib/sendmail/src/collect.c 1.1.1.4.2.13.2.1
src/contrib/sendmail/src/conf.c 1.5.2.16.2.1
src/contrib/sendmail/src/deliver.c 1.1.1.3.2.16.2.1
src/contrib/sendmail/src/headers.c 1.4.2.13.2.1
src/contrib/sendmail/src/mime.c 1.1.1.3.2.7.2.1
src/contrib/sendmail/src/parseaddr.c 1.1.1.2.6.16.2.1
src/contrib/sendmail/src/savemail.c 1.4.2.10.6.1
src/contrib/sendmail/src/sendmail.h 1.1.1.4.2.18.2.1
src/contrib/sendmail/src/sfsasl.c 1.1.1.1.2.13.2.1
src/contrib/sendmail/src/sfsasl.h 1.1.1.1.2.2.10.1
src/contrib/sendmail/src/srvrsmtp.c 1.1.1.2.6.16.2.1
src/contrib/sendmail/src/usersmtp.c 1.1.1.3.2.13.2.1
src/contrib/sendmail/src/util.c 1.1.1.3.2.12.2.1
src/UPDATING 1.73.2.90.2.23
src/sys/conf/newvers.sh 1.33.2.34.2.24
RELENG_5
src/contrib/sendmail/libsm/fflush.c 1.1.1.3.8.1
src/contrib/sendmail/libsm/local.h 1.1.1.7.2.1
src/contrib/sendmail/libsm/refill.c 1.1.1.5.2.1
src/contrib/sendmail/src/collect.c 1.1.1.19.2.3
src/contrib/sendmail/src/conf.c 1.26.2.3
src/contrib/sendmail/src/deliver.c 1.1.1.21.2.3
src/contrib/sendmail/src/headers.c 1.20.2.2
src/contrib/sendmail/src/mime.c 1.1.1.12.2.2
src/contrib/sendmail/src/parseaddr.c 1.1.1.20.2.3
src/contrib/sendmail/src/savemail.c 1.16.2.2
src/contrib/sendmail/src/sendmail.h 1.1.1.23.2.3
src/contrib/sendmail/src/sfsasl.c 1.1.1.14.2.2
src/contrib/sendmail/src/sfsasl.h 1.1.1.4.8.1
src/contrib/sendmail/src/srvrsmtp.c 1.1.1.20.2.3
src/contrib/sendmail/src/usersmtp.c 1.1.1.18.2.3
src/contrib/sendmail/src/util.c 1.1.1.17.2.2
RELENG_5_4
src/contrib/sendmail/libsm/fflush.c 1.1.1.3.12.1
src/contrib/sendmail/libsm/local.h 1.1.1.7.6.1
src/contrib/sendmail/libsm/refill.c 1.1.1.5.6.1
src/contrib/sendmail/src/collect.c 1.1.1.19.2.1.2.1
src/contrib/sendmail/src/conf.c 1.26.2.1.2.1
src/contrib/sendmail/src/deliver.c 1.1.1.21.2.1.2.1
src/contrib/sendmail/src/headers.c 1.20.2.1.2.1
src/contrib/sendmail/src/mime.c 1.1.1.12.2.1.2.1
src/contrib/sendmail/src/parseaddr.c 1.1.1.20.2.1.2.1
src/contrib/sendmail/src/savemail.c 1.16.2.1.2.1
src/contrib/sendmail/src/sendmail.h 1.1.1.23.2.1.2.1
src/contrib/sendmail/src/sfsasl.c 1.1.1.14.2.1.2.1
src/contrib/sendmail/src/sfsasl.h 1.1.1.4.12.1
src/contrib/sendmail/src/srvrsmtp.c 1.1.1.20.2.1.2.1
src/contrib/sendmail/src/usersmtp.c 1.1.1.18.2.1.2.1
src/contrib/sendmail/src/util.c 1.1.1.17.2.1.2.1
src/UPDATING 1.342.2.24.2.22
src/sys/conf/newvers.sh 1.62.2.18.2.18
RELENG_5_3
src/contrib/sendmail/libsm/fflush.c 1.1.1.3.10.1
src/contrib/sendmail/libsm/local.h 1.1.1.7.4.1
src/contrib/sendmail/libsm/refill.c 1.1.1.5.4.1
src/contrib/sendmail/src/collect.c 1.1.1.19.4.1
src/contrib/sendmail/src/conf.c 1.26.4.1
src/contrib/sendmail/src/deliver.c 1.1.1.21.4.1
src/contrib/sendmail/src/headers.c 1.20.4.1
src/contrib/sendmail/src/mime.c 1.1.1.12.4.1
src/contrib/sendmail/src/parseaddr.c 1.1.1.20.4.1
src/contrib/sendmail/src/savemail.c 1.16.4.1
src/contrib/sendmail/src/sendmail.h 1.1.1.23.4.1
src/contrib/sendmail/src/sfsasl.c 1.1.1.14.4.1
src/contrib/sendmail/src/sfsasl.h 1.1.1.4.10.1
src/contrib/sendmail/src/srvrsmtp.c 1.1.1.20.4.1
src/contrib/sendmail/src/usersmtp.c 1.1.1.18.4.1
src/contrib/sendmail/src/util.c 1.1.1.17.4.1
src/UPDATING 1.342.2.13.2.31
src/sys/conf/newvers.sh 1.62.2.15.2.33
RELENG_6
src/contrib/sendmail/libsm/fflush.c 1.1.1.3.14.1
src/contrib/sendmail/libsm/local.h 1.1.1.7.8.1
src/contrib/sendmail/libsm/refill.c 1.1.1.5.8.1
src/contrib/sendmail/src/collect.c 1.1.1.21.2.1
src/contrib/sendmail/src/conf.c 1.28.2.1
src/contrib/sendmail/src/deliver.c 1.1.1.23.2.1
src/contrib/sendmail/src/headers.c 1.21.2.1
src/contrib/sendmail/src/mime.c 1.1.1.13.2.1
src/contrib/sendmail/src/parseaddr.c 1.1.1.22.2.1
src/contrib/sendmail/src/savemail.c 1.17.2.1
src/contrib/sendmail/src/sendmail.h 1.1.1.26.2.1
src/contrib/sendmail/src/sfsasl.c 1.1.1.15.2.1
src/contrib/sendmail/src/sfsasl.h 1.1.1.4.14.1
src/contrib/sendmail/src/srvrsmtp.c 1.1.1.22.2.1
src/contrib/sendmail/src/usersmtp.c 1.1.1.21.2.1
src/contrib/sendmail/src/util.c 1.1.1.18.2.1
RELENG_6_0
src/contrib/sendmail/libsm/fflush.c 1.1.1.3.16.1
src/contrib/sendmail/libsm/local.h 1.1.1.7.10.1
src/contrib/sendmail/libsm/refill.c 1.1.1.5.10.1
src/contrib/sendmail/src/collect.c 1.1.1.21.4.1
src/contrib/sendmail/src/conf.c 1.28.4.1
src/contrib/sendmail/src/deliver.c 1.1.1.23.4.1
src/contrib/sendmail/src/headers.c 1.21.4.1
src/contrib/sendmail/src/mime.c 1.1.1.13.4.1
src/contrib/sendmail/src/parseaddr.c 1.1.1.22.4.1
src/contrib/sendmail/src/savemail.c 1.17.4.1
src/contrib/sendmail/src/sendmail.h 1.1.1.26.4.1
src/contrib/sendmail/src/sfsasl.c 1.1.1.15.4.1
src/contrib/sendmail/src/sfsasl.h 1.1.1.4.16.1
src/contrib/sendmail/src/srvrsmtp.c 1.1.1.22.4.1
src/contrib/sendmail/src/usersmtp.c 1.1.1.21.4.1
src/contrib/sendmail/src/util.c 1.1.1.18.4.1
src/UPDATING 1.416.2.3.2.11
src/sys/conf/newvers.sh 1.69.2.8.2.7
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:13.sendmail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)
iD8DBQFEIXZWFdaIBMps37IRAldYAJ9nd+wQMJlQObUuio5tBEFwD0ULwwCbB2eI
u3JkyVwHx4WOgmZkg9QKang=
=d3RW
-----END PGP SIGNATURE-----
|
|
Go to the Top of This SecurityTracker Archive Page
|
