
Date:         Wed, 24 Nov 1999 02:40:48 -0800
From: Jeff Bilicki <jeffb@COBALTNET.COM>
Subject:      [ COBALT ] Security Advisory - Sendmail
To: BUGTRAQ@SECURITYFOCUS.COM

Cobalt Networks -- Security Advisory -- 11.24.1999

Problem:
Sendmail, up to the recent 8.9.x versions, allows any user with shell
access to pass the '-bi' parameter to /usr/sbin/sendmail. This
results in a rebuild of the aliases database. The alias database is
opened in the following way:

5366 open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6

There's a delay of approx. 0.1 sec due to /etc/aliases.db processing (on
many common systems). In the meantime, the luser might deliver any signal
to the Sendmail process, like SIGKILL. After that, /etc/aliases.db will
be left in an unusable state (no EOF marker), causing DoS:

220 Marchew ESMTP Mail Service at nimue.ids.pl ready.
mail from: myself
451 Cannot open hash database /etc/aliases: Invalid argument
rcpt to: lcamtuf
503 Need MAIL before RCPT

This vulnerability and problem text were produced by Michal Zalewski
<lcamtuf@IDS.PL>
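
The failure mode described above, reduced to a small C program (an added example, not sendmail's code and not the fix shipped in these RPMs): it contrasts truncating the live file in place with building a temporary file and renaming it over the original. The file name, the sample alias lines and the `killed` flag, which simulates the writer dying halfway, are constructed for illustration.

```c
/* Added illustration with constructed names and data; not sendmail code. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
long file_size(const char *path) {            /* bytes, or -1 on error */
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Write data to fd; killed != 0 simulates the writer dying halfway. */
static int write_db(int fd, const char *data, int killed) {
    size_t n = killed ? strlen(data) / 2 : strlen(data);
    if (write(fd, data, n) != (ssize_t)n) return -1;
    return killed ? -1 : 0;
}

/* Pattern in the trace: truncate the live file, then refill it (O_CREAT is a demo addition). */
int rebuild_in_place(const char *path, const char *data, int killed) {
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int rc = write_db(fd, data, killed);
    close(fd);
    return rc;
}

/* Safer pattern: fill a temporary file, fsync, then rename() over the live
 * one. rename() is atomic, so readers see the old file or the new one. */
int rebuild_atomic(const char *path, const char *data, int killed) {
    char tmp[512];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int rc = write_db(fd, data, killed);
    if (rc == 0 && fsync(fd) != 0) rc = -1;
    close(fd);
    return rc == 0 ? rename(tmp, path) : -1;  /* on failure the live file is untouched */
}

int main(void) {
    const char *db = "demo-aliases.db";       /* constructed path in the cwd */
    rebuild_in_place(db, "postmaster: root\n", 0);
    rebuild_atomic(db, "postmaster: root\nabuse: root\n", 1);
    printf("atomic, writer killed:   %ld bytes\n", file_size(db));
    rebuild_in_place(db, "postmaster: root\nabuse: root\n", 1);
    printf("in place, writer killed: %ld bytes\n", file_size(db));
}
```

With the in-place pattern an interrupted rebuild leaves a partial file where the working database used to be; with the rename pattern the previous database stays intact until the new one is complete.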

Relevant products and architectures (all languages)
Product         Architecture            Vulnerable
Qube1           MIPS                    yes
Qube2           MIPS                    yes
RaQ1            MIPS                    yes
RaQ2            MIPS                    yes
RaQ3            x86                     yes

Conflicts:
-RaQ 1-
After installing the RPM you will need to move /etc/sendmail.cf.rpmsave
to /etc/sendmail.cf and restart sendmail
-Qube1-
See *Note

RPMS:
-RaQ 3-
ftp://ftp.cobaltnet.com/pub/experimental/security/i386/sendmail-8.9.3-C7.i386.rpm
-RaQ 2 Qube 2-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.9.3-C7.mips.rpm
-RaQ 1 Qube 1-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm

SRPMS:
-RaQ 3 RaQ 2 Qube 2-
ftp://ftp.cobaltnet.com/pub/experimental/security/srpms/sendmail-8.9.3-C7.src.rpm
-RaQ 1 Qube 1-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm

Package Name			MD5 sum
-------------------------------------------------------------
sendmail-8.9.3-C7.i386.rpm 9b28a5650f77a3d7bbeec2db064c2e82
sendmail-8.9.3-C7.mips.rpm 9a27c638b77d833c41d42bfad7b21b7b
sendmail-8.9.3-C7.src.rpm 3c6ce162b6de3cd072ed3f99e2200d3e
sendmail-8.8.8-1C4.mips.rpm 5590d0a0955fef086e219aa67245aa86
sendmail-8.8.8-1C4.src.rpm 10bb1f7ac3e6b1b817f4b6e4d17504ca

You can verify each rpm using the following command:
rpm --checksig  [package]

To install, use the following command, while logged in as root:
rpm -U [package]

The package file format (pkg) for this fix is currently in testing, and
will be available in the near future.

Jeff Bilicki
Cobalt Networks


*Note for Qube 1
After installing the RPM you will need to move /etc/sendmail.cf.rpmsave
to /etc/sendmail.cf

If you are installing this sendmail on a Qube 1 you will need to do a
couple of things before installing the rpm.  After Qube1 we moved all the
rc scripts into initscripts-cobalt; due to the way the rpm was built you
might need to do the following.  (This will be automated when the
package is released.)
1. Type as root:
cp /etc/rc.d/init.d/sendmail /root/sendmail.tmp
2. Install the rpm using: rpm -U sendmail-8.8.8-1C4.mips.rpm
3. Type as root:
mv /root/sendmail.tmp /etc/rc.d/init.d/sendmail
mv /etc/rc.d/rc0.d/K30sendmail.rpmsave /etc/rc.d/rc0.d/K30sendmail
mv /etc/rc.d/rc1.d/K30sendmail.rpmsave /etc/rc.d/rc1.d/K30sendmail
mv /etc/rc.d/rc2.d/S60sendmail.rpmsave /etc/rc.d/rc2.d/S60sendmail
mv /etc/rc.d/rc3.d/S80sendmail.rpmsave /etc/rc.d/rc3.d/S80sendmail
mv /etc/rc.d/rc5.d/S80sendmail.rpmsave /etc/rc.d/rc5.d/S80sendmail
mv /etc/rc.d/rc6.d/K30sendmail.rpmsave /etc/rc.d/rc6.d/K30sendmail