dcsimg
Linux Today: Linux News On Internet Time.





More on LinuxToday


SuSE Linux Advisory: sendmail, sendmail-tls

Sep 20, 2003, 17:33 (0 Talkback[s])

SuSE Security Announcement

Package: sendmail, sendmail-tls
Announcement-ID: SuSE-SA:2003:040
Date: Saturday, Sep 20th 2003 18:00 MEST
Affected products: 7.2, 7.3, 8.0, 8.1, 8.2
SuSE Linux Database Server,
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Vulnerability Type: local/remote privilege escalation
Severity (1-10): 7
SuSE default package: yes (until SuSE Linux 8.0 and SLES7)
Cross References: CAN-2003-0694
CERT http://www.kb.cert.org/vuls/id/784980
http://www.securityfocus.com/archive/1/337839
http://www.sendmail.org/8.12.10.html

Content of this advisory:

  1. security vulnerability resolved: sendmail, sendmail-tls problem description, discussion, solution and upgrade information
  2. pending vulnerabilities, solutions, workarounds:
    • mysql
  3. standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

sendmail is the most widely used mail transport agent (MTA) in the internet. A remotely exploitable buffer overflow has been found in all versions of sendmail that come with SuSE products. These versions include sendmail-8.11 and sendmail-8.12 releases. sendmail is the MTA subsystem that is installed by default on all SuSE products up to and including SuSE Linux 8.0 and the SuSE Linux Enterprise Server 7.

The vulnerability discovered is known as the prescan()-bug and is not related to the vulnerability found and fixed in April 2003. The error in the code can cause heap or stack memory to be overwritten, triggered by (but not limited to) functions that parse header addresses.

There is no known workaround for this vulnerability other than using a different MTA. The vulnerability is triggered by an email message sent through the sendmail MTA subsystem. In that respect, it is different from commonly known bugs that occur in the context of an open TCP connection. By consequence, the vulnerability also exists if email messages get forwarded over a relay that itself does not run a vulnerable MTA. This specific detail and the wide distribution of sendmail in the internet causes this vulnerability to be considered a flaw of major severity. We recommend to install the update packages that are provided for download at the locations listed below.

We thank Michal Zalewski who discovered this vulnerability and the friendly people from Sendmail Inc (Claus Assmann) who have communicated problem to SuSE Security.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update.
Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

SPECIAL INSTALL INSTRUCTIONS:

After performing the update, it is necessary to restart all running instances of sendmail using the command "rcsendmail restart" as root.

Intel i386 Platform:

SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-8.12.7-77.i586.rpm
98b411a03df3a657dcef79be8f5d1ab2
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-devel-8.12.7-77.i586.rpm
59c84f025e29401fb798d3253a67bd70
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-8.12.7-77.i586.patch.rpm
99c717aee89be0a9d791a48cec41a57d
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-devel-8.12.7-77.i586.patch.rpm
9feac7f2b475531d07279a3606dd3b37
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/sendmail-8.12.7-77.src.rpm
ffb2d8b0fd28a9a5244f2696879f3762

SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-159.i586.rpm
3b96f198fa7e9726e4e575444baa10d6
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-devel-8.12.6-159.i586.rpm
0b56d4ac6453c5962bf9e9d363b83849
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-159.i586.patch.rpm
92f7e4376ea2ed5f4f7652e3e47a7638
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-devel-8.12.6-159.i586.patch.rpm
843a111a942d24a6380f91f7f21e9316
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/sendmail-8.12.6-159.src.rpm
d4a2d5463ef5bfcc5c36bd3b9da36271

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-78.i386.rpm
85d6d62eb31223c8bc607b65551ea024
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d4/sendmail-devel-8.12.3-78.i386.rpm
24d814266bf8c305dbd275009655f7e4
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-78.i386.patch.rpm
7f384fedbc35b23d92da843e2fc38046
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d4/sendmail-devel-8.12.3-78.i386.patch.rpm
95de8a86f1dad5f1b3e28bb9cb40c02c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/sendmail-8.12.3-78.src.rpm
92c4a75367211fb0b23b1706a2b893f1

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/sendmail-8.11.6-167.i386.rpm
51d281703157e04e39e48f5b21cb1469
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/sendmail-tls-8.11.6-169.i386.rpm
1131ad179e17de3c7d0a8d0a7a7e5348
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sendmail-8.11.6-167.src.rpm
5c547ec8f50f6fa756e160063076365c
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sendmail-tls-8.11.6-169.src.rpm
eb0a06b8a387297463cbccb639e5fb6f

SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/sendmail-8.11.3-112.i386.rpm
3bed3854baec797e2ff6d14f9582fcda
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec2/sendmail-tls-8.11.3-116.i386.rpm
2713adc9c6feecc146a796034b3f7b98
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sendmail-8.11.3-112.src.rpm
1b28f2aca4bb0b9231869267cbd4a06d
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sendmail-tls-8.11.3-116.src.rpm
352f504b486334537d952aa90b82ac08

Sparc Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/sendmail-8.11.6-67.sparc.rpm
24c874c51666ca5b9f5ce2a7431af63e
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec2/sendmail-tls-8.11.6-67.sparc.rpm
5d41fe793f6744e70f6bde005363884c
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sendmail-8.11.6-67.src.rpm
7f27980cf2fb11453a80964355aaddbc
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sendmail-tls-8.11.6-67.src.rpm
dda3511ac3f95af3623837e19b6a80f6

PPC Power PC Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/sendmail-8.11.6-126.ppc.rpm
0442e3a7504bb4bb57e896fcd83e80b9
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec2/sendmail-tls-8.11.6-125.ppc.rpm
cbf8c7e5e9f61c3017ad5d80b7c4c76b
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sendmail-8.11.6-126.src.rpm
47031fa3484a66081f623760fcf53dc1
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sendmail-tls-8.11.6-125.src.rpm
9ce8128f4847f6fb0d8b0662f3145388


2) Pending vulnerabilities in SuSE Distributions and Workarounds:

  • As already announced in SuSE-SA:2003:038 and SuSE-SA:2003:039, we are working on update packages for the mysql buffer overflow vulnerability. The packages will be made available as soon as possible.

3) standard appendix: authenticity verification, additional information
  • Package authenticity verification:

    SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

    1. md5sums as provided in the (cryptographically signed) announcement.
    2. using the internal gpg signatures of the rpm package.
    3. execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.
    4. rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites:
      1. gpg is installed
      2. The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
  • general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to

    <suse-security-subscribe@suse.com>.

suse-security-announce@suse.com

For general information or the frequently asked questions (faq) send mail to:

<suse-security-info@suse.com> or
‭ <suse-security-faq@suse.com> respectively.


SuSE's security contact is <security@suse.com> or <security@suse.de>. The <security@suse.de> public key is listed below.

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

Roman Drahtmüller,
SuSE Security.