From cy@cschuber.net.gov.bc.ca Thu Nov 25 05:30:26 1999
Return-Path: <cy@cschuber.net.gov.bc.ca>
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id 7850514E0F
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 25 Nov 1999 05:30:23 -0800 (PST)
	(envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id FAA11993
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 25 Nov 1999 05:30:22 -0800
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com"
 via SMTP by point.osg.gov.bc.ca, id smtpda11991; Thu Nov 25 05:30:18 1999
Received: (from cy@localhost)
	by cwsys.cwsent.com (8.9.3/8.9.1) id FAA06829;
	Thu, 25 Nov 1999 05:30:16 -0800 (PST)
Message-Id: <199911251330.FAA06829@cwsys.cwsent.com>
Date: Thu, 25 Nov 1999 05:30:16 -0800 (PST)
From: Cy.Schubert@uumail.gov.bc.ca
Sender: cy@cschuber.net.gov.bc.ca
Reply-To: Cy.Schubert@uumail.gov.bc.ca
To: FreeBSD-gnats-submit@freebsd.org
Subject: Sendmail 8.9.3 Patch
X-Send-Pr-Version: 3.2

>Number:         15088
>Category:       bin
>Synopsis:       Sendmail patch
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    gshapiro
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 25 05:40:00 PST 1999
>Closed-Date:    Sat Aug 12 16:28:23 PDT 2000
>Last-Modified:  Sat Aug 12 16:29:04 PDT 2000
>Originator:     Cy Schubert
>Release:        FreeBSD 3.3-STABLE i386
>Organization:
ITSD Province of BC
>Environment:

FreeBSD cwsys 3.3-STABLE FreeBSD 3.3-STABLE #0: Wed Nov 24 18:59:43 PST 1999     root@:/opt2/cvs-330S/src/sys/compile/CWSYS  i386

>Description:

The following was posted on bugtraq:


Date: Mon, 22 Nov 1999 23:48:17 -0800
Reply-To: Gregory Neil Shapiro <sendmail+gshapiro@SENDMAIL.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Gregory Neil Shapiro <sendmail+gshapiro@SENDMAIL.ORG>
Subject: Re: Sendmail 8.x.x - any user may rebuild aliases database
X-To: Michal Zalewski <lcamtuf@IDS.PL>
X-cc: BUGTRAQ@SECURITYFOCUS.COM, sendmail-bugs@sendmail.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <lcamtuf.4.05.9912122118210.4246-100000@nimue.ids.pl>
X-UIDL: d3d08b1a16cd01ca35681b18bae9ed46

-----BEGIN PGP SIGNED MESSAGE-----

lcamtuf> Sendmail up to recent 8.9.x versions - any user may pass -bi
lcamtuf> parameter to /usr/sbin/sendmail. This will result in aliases
lcamtuf> database rebuild. IMHO there's no reason to allow such things, but
lcamtuf> no matter - something rather stupid is done during rebuild:

lcamtuf> 5366  open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6

lcamtuf> What bad luck! There's approx 0.1 sec delay due to /etc/aliases
lcamtuf> processing (on my system). Meantime, luser might deliver any
lcamtuf> signals to sendmail process... SIGKILL is quite good. After that,
lcamtuf> /etc/aliases.db will be left in unusable state (no EOF marker),
lcamtuf> causing DoS:

Thank you for bringing this to our attention.  We have limited the
newaliases command to root and trusted users for 8.10.0.Beta7.  We have
also deprecated the AutoRebuildAliases option since if set, a similar
attack may be possible.  We intend to remove the AutoRebuildAliases
functionality in a future version.

I've included a patch against sendmail 8.9.3 for those who want to protect
against this denial of service attack.

As always, we encourage mailing bug reports, including documentation or
release notes bugs, to sendmail-bugs@sendmail.org.  Security issues can be
mailed to sendmail-security@sendmail.org and encrypted with the
sendmail-security@sendmail.org PGP key:

Type Bits KeyID      Created    Expires    Algorithm       Use
pub  1024 0x16F4CCE9 1999-06-23 ---------- RSA             Sign & Encrypt
uid  Sendmail Security <sendmail-security@sendmail.org>

The sendmail 8.9.3 patch:

--- main.c~orig	Sat Jan  9 15:31:13 1999
+++ main.c	Wed Nov 17 19:04:44 1999
@@ -984,6 +984,18 @@
 		usrerr("Permission denied");
 		finis(FALSE, EX_USAGE);
 	}
+	if (OpMode == MD_INITALIAS &&
+	    RealUid != 0 &&
+	    RealUid != TrustedUid &&
+	    !wordinclass(RealUserName, 't'))
+	{
+		if (LogLevel > 1)
+			sm_syslog(LOG_ALERT, NOQID,
+				  "user %d attempted to rebuild the alias map",
+				  RealUid);
+ 		usrerr("Permission denied");
+ 		finis(FALSE, EX_USAGE);
+ 	}

 	if (MeToo)
 		BlankEnvelope.e_flags |= EF_METOO;
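
Review bot: the guard keys only on OpMode == MD_INITALIAS, so it shuts the explicit -bi / newaliases door but leaves the underlying truncate-then-rebuild window itself untouched; with AutoRebuildAliases set (which the cover note says is deprecated here, not removed) "a similar attack may be possible", so this patch should be paired with turning that option off in the shipped .cf. Two smaller points in the same hunk: the last three added lines (`+ 		usrerr("Permission denied");`, `+ 		finis(FALSE, EX_USAGE);`, `+ 	}`) carry a stray space before the tab, unlike the added lines above them; and the `"user %d attempted to rebuild the alias map"` call passes RealUid, which is a uid_t, so cast it to (int) or use a matching conversion to keep the sm_syslog format correct.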


>How-To-Repeat:

See description.

>Fix:
	
See patch posted by Gregory Shapiro of sendmail.org to BUGTRAQ
above.  It would be nice to have this committed before 3.4 is
released.

You may wish to remove the AutoRebuildAliases option too.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: imp 
Responsible-Changed-When: Thu Nov 25 10:54:36 MST 1999 
Responsible-Changed-Why:  
I'll look into this 

From: Peter Wemm <peter@netplex.com.au>
To: Cy.Schubert@uumail.gov.bc.ca
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/15088: Sendmail 8.9.3 Patch 
Date: Fri, 26 Nov 1999 02:15:30 +0800

 Cy.Schubert@uumail.gov.bc.ca wrote:
 > I've included a patch against sendmail 8.9.3 for those who want to protect
 > against this denial of service attack.
 
 > See patch posted by Gregory Shapiro of sendmail.org to BUGTRAQ
 > above.  It would be nice to have this committed before 3.4 is
 > released.
 
 I've committed this to both -current and 3.x-stable.
 
 > You may wish to remove the AutoRebuildAliases option too.
 
 I haven't done this for now as it requires the sysadmin to have edited the
 /etc/aliases file.  We can turn it off by default though in the .cf/.mc's that
 we ship.
 
 Cheers,
 -Peter
 
 
Responsible-Changed-From-To: imp->peter 
Responsible-Changed-By: imp 
Responsible-Changed-When: Sun Jan 16 02:27:45 MST 2000 
Responsible-Changed-Why:  
I think Peter fixed this a while ago.  Over to him for confirmation. 
Responsible-Changed-From-To: peter->gshapiro 
Responsible-Changed-By: gshapiro 
Responsible-Changed-When: Sat Aug 12 10:15:48 PDT 2000 
Responsible-Changed-Why:  
Assigned to sendmail maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=15088 
State-Changed-From-To: open->closed 
State-Changed-By: gshapiro 
State-Changed-When: Sat Aug 12 16:28:23 PDT 2000 
State-Changed-Why:  
sendmail 8.11.0 has been imported into -current.  The new version fixes 
the problem. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=15088 
>Unformatted:
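
The root cause in the report above is that the alias map is rebuilt by opening /etc/aliases.db with O_TRUNC, so the old map is gone the instant open() returns and a SIGKILL during the roughly 0.1 s rebuild leaves an empty file behind. The committed patch only narrows who may start a rebuild; the change that removes the window is to build the new map in a temporary file and rename() it over the old one. The following is an added example in C that is not sendmail's code and not part of this PR: it shows the vulnerable in-place pattern beside the atomic replace pattern, and simulates the kill by returning early after the output file is opened. The aliases records, the /tmp path and the record format are constructed for illustration only.

```c
/*
 * Added example (not sendmail code): the in-place O_TRUNC rebuild from the
 * bugtraq report beside the write-temp-then-rename pattern that survives
 * being killed part-way. Records and paths are constructed for this demo.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample aliases, standing in for the content of /etc/aliases. */
static const char *const SAMPLE_ALIASES[] = {
    "postmaster: root",
    "webmaster: root",
    NULL,
};

/* Write the records to fd. If die_after_open is set, return as if a SIGKILL
 * arrived after the file was opened but before any record was written. */
static int write_records(int fd, int die_after_open)
{
    if (die_after_open)
        return -1;              /* "killed" here; nothing was written */
    for (int i = 0; SAMPLE_ALIASES[i] != NULL; i++) {
        size_t len = strlen(SAMPLE_ALIASES[i]);
        if (write(fd, SAMPLE_ALIASES[i], len) != (ssize_t)len ||
            write(fd, "\n", 1) != 1)
            return -1;
    }
    return 0;
}

/* Vulnerable pattern from the report: open(path, O_RDWR|O_TRUNC).
 * O_CREAT is added only so the demo can seed a fresh file. The old map is
 * destroyed the moment open() returns, before a single byte is written. */
int rebuild_in_place(const char *path, int die_after_open)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    int rc = write_records(fd, die_after_open);
    close(fd);
    return rc;
}

/* Hardened pattern: write the new map to a temp file, fsync it, then
 * rename() it over the old one. rename() is atomic, so at every instant
 * the path names either the complete old map or the complete new one. */
int rebuild_atomic(const char *path, int die_after_open)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.tmp.%ld", path, (long)getpid());
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    int rc = write_records(fd, die_after_open);
    if (rc == 0 && fsync(fd) != 0)
        rc = -1;
    close(fd);
    if (rc != 0 || rename(tmp, path) != 0) {
        unlink(tmp);            /* abort: the old map is still intact */
        return -1;
    }
    return 0;
}

/* Size in bytes of the file at path, or -1 if it does not exist. */
long map_size(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    fclose(f);
    return n;
}

/* Seed path with a healthy map, run one rebuild that gets "killed" after
 * open(), and return the size of the map that is left behind. */
long simulate_killed_rebuild(const char *path, int atomic)
{
    if (rebuild_in_place(path, 0) != 0)   /* seed: 33 bytes of records */
        return -1;
    if (atomic)
        rebuild_atomic(path, 1);
    else
        rebuild_in_place(path, 1);
    long n = map_size(path);
    unlink(path);
    return n;
}

int main(void)
{
    const char *p = "/tmp/aliases.db.example";   /* demo path, not /etc */
    printf("in-place, killed after open: %ld bytes left\n",
           simulate_killed_rebuild(p, 0));
    printf("atomic,   killed after open: %ld bytes left\n",
           simulate_killed_rebuild(p, 1));
    return 0;
}
```

The in-place variant leaves a 0-byte file, which is the "no EOF marker" breakage the report describes; the atomic variant leaves the seeded 33-byte map untouched. Restricting -bi to root and trusted users, as the patch does, is still worthwhile because the rebuild is an administrative operation, but only the rename step removes the denial of service for whoever is still allowed to run it.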
