Fw: FreeBSD Security Advisory FreeBSD-SA-01:57.sendmail [REVISED]

Joe Paleafei mantaray at linuxfreemail.com
Thu Aug 30 14:47:05 PDT 2001 

----- Original Message -----
From: "FreeBSD Security Advisories" <security-advisories at FreeBSD.ORG>
To: "FreeBSD Security Advisories" <security-advisories at FreeBSD.ORG>
Sent: Thursday, August 30, 2001 9:20 AM
Subject: FreeBSD Security Advisory FreeBSD-SA-01:57.sendmail [REVISED]


> -----BEGIN PGP SIGNED MESSAGE-----
>
>
============================================================================
=
> FreeBSD-SA-01:57                                           Security
Advisory
>                                                                 FreeBSD,
Inc.
>
> Topic:          sendmail contains local root vulnerability [REVISED]
>
> Category:       core
> Module:         sendmail
> Announced:      2001-08-27
> Revised:        2001-08-30
> Credits:        Cade Cairnss <cairnsc at securityfocus.com>
> Affects:        FreeBSD 4-STABLE after August 27, 2000 and prior to
>                 the correction date, FreeBSD 4.1.1-RELEASE,
>                 4.2-RELEASE, 4.3-RELEASE
> Corrected:      2001-08-21 01:36:37 UTC (FreeBSD 4.3-STABLE)
>                 2001-08-22 05:34:11 UTC (RELENG_4_3)
> FreeBSD only:   NO
>
> 0.   Revision History
>
> v1.0  2001-08-27  Initial release
> v1.1  2001-08-30  Update package to remove setuid bit from saved file;
>                   add non-openssl package; correct typo in package
>                   instructions; note that $Id$ not updated in
>                   RELENG_4_3.
>
> I.   Background
>
> sendmail is a mail transfer agent.
>
> II.  Problem Description
>
> Sendmail contains an input validation error which may lead to the
> execution of arbitrary code with elevated privileges by local users.
> Due to the improper use of signed integers in code responsible for the
> processing of debugging arguments, a local user may be able to supply
> the signed integer equivalent of a negative value supplied to
> sendmail's "trace vector".  This may allow a local user to write data
> anywhere within a certain range of locations in process memory.
> Because the '-d' command-line switch is processed before the program
> drops its elevated privileges, the attacker may be able to cause
> arbitrary code to be executed with root privileges.
>
> III. Impact
>
> Local users may be able to execute arbitrary code with root privileges.
>
> IV.  Workaround
>
> Do not allow untrusted users to execute the sendmail binary.
>
> V.   Solution
>
> One of the following:
>
> 1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the
> RELENG_4_3 security branch after the respective correction dates.
>
> 2) FreeBSD 4.x systems after August 27, 2000 and prior to the
> correction date:
>
> The following patch has been verified to apply to FreeBSD
> 4.1.1-RELEASE, 4.2-RELEASE, 4.3-RELEASE and 4-STABLE dated prior to
> the correction date.
>
> Download the patch and the detached PGP signature from the following
> locations, and verify the signature using your PGP utility.
>
> # fetch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch
> # fetch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch.asc
>
> Execute the following commands as root:
>
> # cd /usr/src
> # patch -p < /path/to/patch
> # cd /usr/src/lib/libsmutil
> # make depend && make all
> # cd /usr/src/usr.sbin/sendmail
> # make depend && make all install
>
> 3) FreeBSD 4.3-RELEASE systems:
>
> ** NOTE: The initial version of the upgrade package did not remove
> ** setuid root privileges from the saved copy of the sendmail binary.
> ** To correct this, deinstall the old package using the pkg_delete(1)
> ** command and install the corrected package as described below.
>
> An experimental upgrade package is available for users who wish to
> provide testing and feedback on the binary upgrade process.  This
> package may be installed on FreeBSD 4.3-RELEASE systems only, and is
> intended for use on systems for which source patching is not practical
> or convenient.
>
> If you use the upgrade package, feedback (positive or negative) to
> security-officer at FreeBSD.org is requested so we can improve the
> process for future advisories.
>
> During the installation procedure, backup copies are made of the
> files which are replaced by the package.  These backup copies will
> be reinstalled if the package is removed, reverting the system to a
> pre-patched state.
>
> Two versions of the package are available, depending on whether or not
> OpenSSL is installed.  If the file /usr/lib/libcrypto.so exists on the
> local system, follow the directions in section 1a) below, otherwise
> follow the directions in section 1b).  After adding the package,
> proceed with the instructions in section 2).
>
> 1a) If crypto is installed:
>
> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-send
mail-crypto-01.57.tgz
> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-send
mail-crypto-01.57.tgz.asc
>
> Verify the detached PGP signature using your PGP utility.
>
> # pkg_add security-patch-sendmail-crypto-01.57.tgz
>
> 1b) If crypto is not installed:
>
> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-send
mail-nocrypto-01.57.tgz
> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-send
mail-nocrypto-01.57.tgz.asc
>
> Verify the detached PGP signature using your PGP utility.
>
> # pkg_add security-patch-sendmail-nocrypto-01.57.tgz
>
> 2) Restart sendmail after applying the patch by executing the following
> commands as root:
>
> # killall sendmail
> # /usr/sbin/sendmail -bd -q30m
>
> The flags to sendmail may need to be adjusted as required for the
> local system configuration.
>
> VI.   Correction details
>
> The following is the sendmail $Id$ revision number of the file that
> was corrected for the supported branches of FreeBSD.  The $Id$
> revision number of the installed source can be examined using the
> ident(1) command.  Note that the $Id$ tag was not updated on the
> RELENG_4_3 branch because a newer vendor release of sendmail was not
> imported, instead only this vulnerability was patched.
>
>   Revision   Path
>   8.20.22.4  src/contrib/sendmail/src/trace.c
>
> VII.  References
>
> <URL:http://www.securityfocus.com/bid/3163>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iQCVAwUBO46RWlUuHi5z0oilAQH+VwP+MBpBopVejzWdHAjm0cEslleHZThEjja4
> qNd28CAQOy5KAdDcP61pqT2LcxlFUXyjRPjcVo6eqGaO63Lz3Ov2nnm3LPfcyR18
> PQaQkezGxTIfORuXxZiNA4EI51zjoquIRVWwMJaR1Azx+vf/u9XPIDVKA7rkL3df
> wvTf9D4V7ZU=
> =L1XV
> -----END PGP SIGNATURE-----
>
> To Unsubscribe: send mail to majordomo at FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

More information about the LUAU mailing list