SuSE Security Announcement
| Package: | sendmail, sendmail-tls |
| Announcement-ID: | SuSE-SA:2003:040 |
| Date: | Saturday, Sep 20th 2003 18:00 MEST |
| Affected products: | 7.2, 7.3, 8.0, 8.1, 8.2 SuSE Linux Database Server, SuSE Linux Enterprise Server 7, 8 SuSE Linux Firewall on CD/Admin host SuSE Linux Connectivity Server SuSE Linux Office Server |
| Vulnerability Type: | local/remote privilege escalation |
| Severity (1-10): | 7 |
| SuSE default package: | yes (until SuSE Linux 8.0 and SLES7) |
| Cross References: | CAN-2003-0694 CERT http://www.kb.cert.org/vuls/id/784980 |
Content of this advisory:
- security vulnerability resolved: sendmail, sendmail-tls problem
description, discussion, solution and upgrade information - pending vulnerabilities, solutions, workarounds:
- mysql
- standard appendix (further information)
1) problem description, brief discussion, solution, upgrade
information
sendmail is the most widely used mail transport agent (MTA) in
the internet. A remotely exploitable buffer overflow has been found
in all versions of sendmail that come with SuSE products. These
versions include sendmail-8.11 and sendmail-8.12 releases. sendmail
is the MTA subsystem that is installed by default on all SuSE
products up to and including SuSE Linux 8.0 and the SuSE Linux
Enterprise Server 7.
The vulnerability discovered is known as the prescan()-bug and
is not related to the vulnerability found and fixed in April 2003.
The error in the code can cause heap or stack memory to be
overwritten, triggered by (but not limited to) functions that parse
header addresses.
There is no known workaround for this vulnerability other than
using a different MTA. The vulnerability is triggered by an email
message sent through the sendmail MTA subsystem. In that respect,
it is different from commonly known bugs that occur in the context
of an open TCP connection. By consequence, the vulnerability also
exists if email messages get forwarded over a relay that itself
does not run a vulnerable MTA. This specific detail and the wide
distribution of sendmail in the internet causes this vulnerability
to be considered a flaw of major severity. We recommend to install
the update packages that are provided for download at the locations
listed below.
We thank Michal Zalewski who discovered this vulnerability and
the friendly people from Sendmail Inc (Claus Assmann) who have
communicated problem to SuSE Security.
Please download the update package for your distribution and
verify its integrity by the methods listed in section 3) of this
announcement. Then, install the package using the command “rpm -Fhv
file.rpm” to apply the update.
Our maintenance customers are being notified individually. The
packages are being offered to install from the maintenance web.
SPECIAL INSTALL INSTRUCTIONS:
After performing the update, it is necessary to restart all running
instances of sendmail using the command “rcsendmail restart” as
root.
Intel i386 Platform:
SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-8.12.7-77.i586.rpm
98b411a03df3a657dcef79be8f5d1ab2
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-devel-8.12.7-77.i586.rpm
59c84f025e29401fb798d3253a67bd70
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-8.12.7-77.i586.patch.rpm
99c717aee89be0a9d791a48cec41a57d
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-devel-8.12.7-77.i586.patch.rpm
9feac7f2b475531d07279a3606dd3b37
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/sendmail-8.12.7-77.src.rpm
ffb2d8b0fd28a9a5244f2696879f3762
SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-159.i586.rpm
3b96f198fa7e9726e4e575444baa10d6
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-devel-8.12.6-159.i586.rpm
0b56d4ac6453c5962bf9e9d363b83849
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-159.i586.patch.rpm
92f7e4376ea2ed5f4f7652e3e47a7638
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-devel-8.12.6-159.i586.patch.rpm
843a111a942d24a6380f91f7f21e9316
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/sendmail-8.12.6-159.src.rpm
d4a2d5463ef5bfcc5c36bd3b9da36271
SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-78.i386.rpm
85d6d62eb31223c8bc607b65551ea024
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d4/sendmail-devel-8.12.3-78.i386.rpm
24d814266bf8c305dbd275009655f7e4
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-78.i386.patch.rpm
7f384fedbc35b23d92da843e2fc38046
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d4/sendmail-devel-8.12.3-78.i386.patch.rpm
95de8a86f1dad5f1b3e28bb9cb40c02c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/sendmail-8.12.3-78.src.rpm
92c4a75367211fb0b23b1706a2b893f1
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/sendmail-8.11.6-167.i386.rpm
51d281703157e04e39e48f5b21cb1469
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/sendmail-tls-8.11.6-169.i386.rpm
1131ad179e17de3c7d0a8d0a7a7e5348
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sendmail-8.11.6-167.src.rpm
5c547ec8f50f6fa756e160063076365c
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sendmail-tls-8.11.6-169.src.rpm
eb0a06b8a387297463cbccb639e5fb6f
SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/sendmail-8.11.3-112.i386.rpm
3bed3854baec797e2ff6d14f9582fcda
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec2/sendmail-tls-8.11.3-116.i386.rpm
2713adc9c6feecc146a796034b3f7b98
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sendmail-8.11.3-112.src.rpm
1b28f2aca4bb0b9231869267cbd4a06d
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sendmail-tls-8.11.3-116.src.rpm
352f504b486334537d952aa90b82ac08
Sparc Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/sendmail-8.11.6-67.sparc.rpm
24c874c51666ca5b9f5ce2a7431af63e
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec2/sendmail-tls-8.11.6-67.sparc.rpm
5d41fe793f6744e70f6bde005363884c
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sendmail-8.11.6-67.src.rpm
7f27980cf2fb11453a80964355aaddbc
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sendmail-tls-8.11.6-67.src.rpm
dda3511ac3f95af3623837e19b6a80f6
PPC Power PC Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/sendmail-8.11.6-126.ppc.rpm
0442e3a7504bb4bb57e896fcd83e80b9
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec2/sendmail-tls-8.11.6-125.ppc.rpm
cbf8c7e5e9f61c3017ad5d80b7c4c76b
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sendmail-8.11.6-126.src.rpm
47031fa3484a66081f623760fcf53dc1
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sendmail-tls-8.11.6-125.src.rpm
9ce8128f4847f6fb0d8b0662f3145388
2) Pending vulnerabilities in SuSE Distributions and
Workarounds:
- As already announced in SuSE-SA:2003:038 and SuSE-SA:2003:039,
we are working on update packages for the mysql buffer overflow
vulnerability. The packages will be made available as soon as
possible.
3) standard appendix: authenticity verification, additional
information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers
all over the world. While this service is being considered valuable
and important to the free and open source software community, many
users wish to be sure about the origin of the package and its
content before installing the package. There are two verification
methods that can be used independently from each other to prove the
authenticity of a downloaded file or rpm package:- md5sums as provided in the (cryptographically signed)
announcement. - using the internal gpg signatures of the rpm package.
- execute the command md5sum <name-of-the-file.rpm> after
you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in
the announcement. Since the announcement containing the checksums
is cryptographically signed (usually using the key [email protected]), the checksums show
proof of the authenticity of the package. We disrecommend to
subscribe to security lists which cause the email message
containing the announcement to be modified so that the signature
does not match after transport through the mailing list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless. - rpm package signatures provide an easy way to verify the
authenticity of an rpm package. Use the command rpm -v –checksig
<file.rpm> to verify the signature of the package, where
<file.rpm> is the filename of the rpm package that you have
downloaded. Of course, package authenticity verification can only
target an un-installed rpm package file. Prerequisites:- gpg is installed
- The package is signed using a certain key. The public part of
this key must be installed by the gpg program in the directory
~/.gnupg/ under the user’s home directory who performs the
signature verification (usually root). You can import the key that
is used by SuSE in rpm packages for SuSE Linux by saving this
announcement to a file (“announcement.txt”) and running the command
(do “su -” to be root): gpg –batch; gpg < announcement.txt |
gpg –import SuSE Linux distributions version 7.1 and thereafter
install the key “[email protected]”
upon installation or upgrade, provided that the package gpg is
installed. The file containing the public key is placed at the
top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de
.
- md5sums as provided in the (cryptographically signed)
- SuSE runs two security mailing lists to which any interested
party may subscribe:
- general/linux/SuSE security discussion. All SuSE security
announcements are sent to this list. To subscribe, send an email to
- SuSE’s announce-only mailing list. Only SuSE’s security
announcements are sent to this list. To subscribe, send an email to
For general information or the frequently asked questions (faq)
send mail to:
<[email protected]>
or
†<[email protected]>
respectively.
SuSE’s security contact is <[email protected]> or
<[email protected]>. The
<[email protected]>
public key is listed below.
The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, it is desired that the clear-text signature shows
proof of the authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with
respect to the information contained in this security advisory.
| Type | Bits/KeyID | Date | User ID |
| pub | 2048R/3D25D3D9 | 1999-03-06 | SuSE Security Team <[email protected]> |
| pub | 1024D/9C800ACA | 2000-10-19 | SuSE Package Signing Key <[email protected]> |
Roman Drahtmüller,
SuSE Security.