[Full-Disclosure] [RHSA-2003:073-06] Updated sendmail packages fix critical security issues

From: bugzilla@redhat.com
Date: 03/03/03

  • Next message: SGI Security Coordinator: "[Full-Disclosure] Mail Header Buffer Overflow In Sendmail"
    From: bugzilla@redhat.com
    To: redhat-watch-list@redhat.com, redhat-announce-list@redhat.com
    Date: Mon, 3 Mar 2003 12:05 -0500
    

    ---------------------------------------------------------------------
                       Red Hat, Inc. Red Hat Security Advisory

    Synopsis: Updated sendmail packages fix critical security issues
    Advisory ID: RHSA-2003:073-06
    Issue date: 2003-02-07
    Updated on: 2003-03-03
    Product: Red Hat Linux
    Keywords: sendmail smrsh security bug
    Cross references:
    Obsoletes: RHSA-2002:106
    CVE Names: CAN-2002-1337
    ---------------------------------------------------------------------

    1. Topic:

    Updated Sendmail packages are available to fix a vulnerability that
    may allow remote attackers to gain root privileges by sending a
    carefully crafted message.

    These packages also fix a security bug if sendmail is configured to use smrsh.

    2. Relevant releases/architectures:

    Red Hat Linux 6.2 - i386
    Red Hat Linux 7.0 - i386
    Red Hat Linux 7.1 - i386
    Red Hat Linux 7.2 - i386, ia64
    Red Hat Linux 7.3 - i386
    Red Hat Linux 8.0 - i386

    3. Problem description:

    Sendmail is a widely used Mail Transport Agent (MTA) which is included
    in all Red Hat Linux distributions.

    During a code audit of Sendmail by ISS, a critical vulnerability was
    uncovered that affects unpatched versions of Sendmail prior to version
    8.12.8. A remote attacker can send a carefully crafted email message
    which, when processed by sendmail, causes arbitrary code to be
    executed as root.

    We are advised that a proof-of-concept exploit is known to exist, but
    is not believed to be in the wild.

    Since this is a message-based vulnerability, MTAs other than Sendmail
    may pass on the carefully crafted message. This means that unpatched
    versions of Sendmail inside a network could still be at risk even if
    they do not accept external connections directly.

    In addition, the restricted shell (SMRSH) in Sendmail allows attackers to
    bypass the intended restrictions of smrsh by inserting additional commands
    after "||" sequences or "/" characters, which are not properly filtered or
    verified. A sucessful attack would allow an attacker who has a local
    account on a system which has explicitly enabled smrsh to execute arbitrary
    binaries as themselves by utilizing their .forward file.

    All users are advised to update to these erratum packages. For Red Hat
    Linux 8.0 we have included Sendmail version 8.12.8 which is not vulnerable
    to these issues. For all other distributions we have included a backported
    patch which corrects these vulnerabilities.

    Red Hat would like to thank Eric Allman for his assistance with this
    vulnerability.

    4. Solution:

    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.

    To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

    where [filenames] is a list of the RPMs you wish to upgrade. Only those
    RPMs which are currently installed will be updated. Those RPMs which are
    not installed but included in the list will not be updated. Note that you
    can also use wildcards (*.rpm) if your current directory *only* contains the
    desired RPMs.

    Please note that this update is also available via Red Hat Network. Many
    people find this an easier way to apply updates. To use Red Hat Network,
    launch the Red Hat Update Agent with the following command:

    up2date

    This will start an interactive process that will result in the appropriate
    RPMs being upgraded on your system.

    5. RPMs required:

    Red Hat Linux 6.2:

    SRPMS:
    ftp://updates.redhat.com/6.2/en/os/SRPMS/sendmail-8.11.6-1.62.2.src.rpm

    i386:
    ftp://updates.redhat.com/6.2/en/os/i386/sendmail-8.11.6-1.62.2.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/sendmail-cf-8.11.6-1.62.2.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/sendmail-doc-8.11.6-1.62.2.i386.rpm

    Red Hat Linux 7.0:

    SRPMS:
    ftp://updates.redhat.com/7.0/en/os/SRPMS/sendmail-8.11.6-23.70.src.rpm

    i386:
    ftp://updates.redhat.com/7.0/en/os/i386/sendmail-8.11.6-23.70.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/sendmail-cf-8.11.6-23.70.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/sendmail-devel-8.11.6-23.70.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/sendmail-doc-8.11.6-23.70.i386.rpm

    Red Hat Linux 7.1:

    SRPMS:
    ftp://updates.redhat.com/7.1/en/os/SRPMS/sendmail-8.11.6-23.71.src.rpm

    i386:
    ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-23.71.i386.rpm
    ftp://updates.redhat.com/7.1/en/os/i386/sendmail-cf-8.11.6-23.71.i386.rpm
    ftp://updates.redhat.com/7.1/en/os/i386/sendmail-devel-8.11.6-23.71.i386.rpm
    ftp://updates.redhat.com/7.1/en/os/i386/sendmail-doc-8.11.6-23.71.i386.rpm

    Red Hat Linux 7.2:

    SRPMS:
    ftp://updates.redhat.com/7.2/en/os/SRPMS/sendmail-8.11.6-23.72.src.rpm

    i386:
    ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-23.72.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/sendmail-cf-8.11.6-23.72.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/sendmail-devel-8.11.6-23.72.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/sendmail-doc-8.11.6-23.72.i386.rpm

    ia64:
    ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-8.11.6-23.72.ia64.rpm
    ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-cf-8.11.6-23.72.ia64.rpm
    ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-devel-8.11.6-23.72.ia64.rpm
    ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-doc-8.11.6-23.72.ia64.rpm

    Red Hat Linux 7.3:

    SRPMS:
    ftp://updates.redhat.com/7.3/en/os/SRPMS/sendmail-8.11.6-23.73.src.rpm

    i386:
    ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-23.73.i386.rpm
    ftp://updates.redhat.com/7.3/en/os/i386/sendmail-cf-8.11.6-23.73.i386.rpm
    ftp://updates.redhat.com/7.3/en/os/i386/sendmail-devel-8.11.6-23.73.i386.rpm
    ftp://updates.redhat.com/7.3/en/os/i386/sendmail-doc-8.11.6-23.73.i386.rpm

    Red Hat Linux 8.0:

    SRPMS:
    ftp://updates.redhat.com/8.0/en/os/SRPMS/sendmail-8.12.8-1.80.src.rpm

    i386:
    ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm
    ftp://updates.redhat.com/8.0/en/os/i386/sendmail-cf-8.12.8-1.80.i386.rpm
    ftp://updates.redhat.com/8.0/en/os/i386/sendmail-devel-8.12.8-1.80.i386.rpm
    ftp://updates.redhat.com/8.0/en/os/i386/sendmail-doc-8.12.8-1.80.i386.rpm

    6. Verification:

    MD5 sum Package Name
    --------------------------------------------------------------------------
    35d83351ea84fdae048b3e6f556bfc4a 6.2/en/os/SRPMS/sendmail-8.11.6-1.62.2.src.rpm
    71ddff0b307887232ad2b57c6f828dbd 6.2/en/os/i386/sendmail-8.11.6-1.62.2.i386.rpm
    3b398feb4f97b05873a864be5d914ee8 6.2/en/os/i386/sendmail-cf-8.11.6-1.62.2.i386.rpm
    ba2e0d80e5efc7fe3ba2d55f9caa9cb1 6.2/en/os/i386/sendmail-doc-8.11.6-1.62.2.i386.rpm
    e3a9eb220d844e1e3a1bd84ada63c853 7.0/en/os/SRPMS/sendmail-8.11.6-23.70.src.rpm
    f3bdb70c4b1d95d10a827db33bf77a46 7.0/en/os/i386/sendmail-8.11.6-23.70.i386.rpm
    e7a8c264257e207d18257dfe075a5fd1 7.0/en/os/i386/sendmail-cf-8.11.6-23.70.i386.rpm
    c6cf8af32a436d42d0982b99260ce811 7.0/en/os/i386/sendmail-devel-8.11.6-23.70.i386.rpm
    ba9251c4ed7fc2916e27c8bc406d7f58 7.0/en/os/i386/sendmail-doc-8.11.6-23.70.i386.rpm
    c2eb6d0135dc60e83506f0c20148822c 7.1/en/os/SRPMS/sendmail-8.11.6-23.71.src.rpm
    c3a518db2157a56edc5a94f42c32f8db 7.1/en/os/i386/sendmail-8.11.6-23.71.i386.rpm
    6cb3a88c447b56f37d0ebba1df4adb23 7.1/en/os/i386/sendmail-cf-8.11.6-23.71.i386.rpm
    f2fa0e42d15c723c33c876ea075b4508 7.1/en/os/i386/sendmail-devel-8.11.6-23.71.i386.rpm
    2cee572aa2fe1eddb3d22f7ab4d43a20 7.1/en/os/i386/sendmail-doc-8.11.6-23.71.i386.rpm
    854ee4390631bdcb818fe6cdc132f7da 7.2/en/os/SRPMS/sendmail-8.11.6-23.72.src.rpm
    dbce6be563a5642400d0a8a9e97f88fc 7.2/en/os/i386/sendmail-8.11.6-23.72.i386.rpm
    92b8773b155b2cce446645dd55842e87 7.2/en/os/i386/sendmail-cf-8.11.6-23.72.i386.rpm
    d810fe7d6a61550e3b0ac3a509d00fed 7.2/en/os/i386/sendmail-devel-8.11.6-23.72.i386.rpm
    722780636eb24b8168f8464817e21de4 7.2/en/os/i386/sendmail-doc-8.11.6-23.72.i386.rpm
    e83825fb7552ad321cb09ecf86df4a29 7.2/en/os/ia64/sendmail-8.11.6-23.72.ia64.rpm
    70e2f72dffad5ec8565dc957f5c0b111 7.2/en/os/ia64/sendmail-cf-8.11.6-23.72.ia64.rpm
    8d86d83586e75cbd03f7bccdfb5b97f2 7.2/en/os/ia64/sendmail-devel-8.11.6-23.72.ia64.rpm
    16eac17677891e77e8eb70bf76dac135 7.2/en/os/ia64/sendmail-doc-8.11.6-23.72.ia64.rpm
    2049d17db0e321ba6028ee4a7ca2ae93 7.3/en/os/SRPMS/sendmail-8.11.6-23.73.src.rpm
    ce6852e4c389405bed1f498514b5fa0f 7.3/en/os/i386/sendmail-8.11.6-23.73.i386.rpm
    f994f26ab50b8141ec27a6b04e819d37 7.3/en/os/i386/sendmail-cf-8.11.6-23.73.i386.rpm
    d6da03d08cdd8e9933616c0e66841302 7.3/en/os/i386/sendmail-devel-8.11.6-23.73.i386.rpm
    5fb65ba4b8e91d9d87451e2d1400411f 7.3/en/os/i386/sendmail-doc-8.11.6-23.73.i386.rpm
    29d277537beb532d6b5f48ad30d81d45 8.0/en/os/SRPMS/sendmail-8.12.8-1.80.src.rpm
    8bba0d1400ab2e96e3d3c78ce5015597 8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm
    55ef5ca9c777278eddd48e365ba471c2 8.0/en/os/i386/sendmail-cf-8.12.8-1.80.i386.rpm
    87aecce2ae343a69fe1df716b5e89685 8.0/en/os/i386/sendmail-devel-8.12.8-1.80.i386.rpm
    d945b47a44597e5da06f79658e38b9d8 8.0/en/os/i386/sendmail-doc-8.12.8-1.80.i386.rpm

    These packages are GPG signed by Red Hat, Inc. for security. Our key
    is available at http://www.redhat.com/about/contact/pgpkey.html

    You can verify each package with the following command:
        
        rpm --checksig -v <filename>

    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the md5sum with the following command:
        
        md5sum <filename>

    7. References:

    http://www.cert.org/advisories/CA-2003-07.html
    http://marc.theaimsgroup.com/?l=bugtraq&m=103350914307274
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337

    8. Contact:

    The Red Hat security contact is <security@redhat.com>. More contact
    details at http://www.redhat.com/solutions/security/news/contact.html

    Copyright 2003 Red Hat, Inc.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: SGI Security Coordinator: "[Full-Disclosure] Mail Header Buffer Overflow In Sendmail"

    Relevant Pages