-----BEGIN PGP SIGNED MESSAGE----- lcamtuf> Sendmail up to recent 8.9.x versions - any user may pass -bi lcamtuf> parameter to /usr/sbin/sendmail. This will result in aliases lcamtuf> database rebuild. IMHO there's no reason to allow such things, but lcamtuf> no matter - something rather stupid is done during rebuild: lcamtuf> 5366 open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6 lcamtuf> What a bad luck! There's approx 0.1 sec delay due to /etc/aliases lcamtuf> processing (on my system). Meantime, luser might deliver any lcamtuf> signals to sendmail process... SIGKILL is quite good. After that, lcamtuf> /etc/aliases.db will be left in unusable state (no EOF marker), lcamtuf> causing DoS: Thank you for bringing this to our attention. We have limited the newaliases command to root and trusted users for 8.10.0.Beta7. We have also deprecated the AutoRebuildAliases option since if set, a similar attack may be possible. We intend to remove the AutoRebuildAliases functionality in a future version. I've included a patch against sendmail 8.9.3 for those who want to protect against this denial of service attack. As always, we encourage mailing bug reports, including documentation or release notes bugs, to sendmail-bugsat_private Security issues can be mailed to sendmail-securityat_private and encrypted with the sendmail-securityat_private PGP key: Type Bits KeyID Created Expires Algorithm Use pub 1024 0x16F4CCE9 1999-06-23 ---------- RSA Sign & Encrypt uid Sendmail Security <sendmail-securityat_private> The sendmail 8.9.3 patch: - --- main.c~orig Sat Jan 9 15:31:13 1999 +++ main.c Wed Nov 17 19:04:44 1999 @@ -984,6 +984,18 @@ usrerr("Permission denied"); finis(FALSE, EX_USAGE); } + if (OpMode == MD_INITALIAS && + RealUid != 0 && + RealUid != TrustedUid && + !wordinclass(RealUserName, 't')) + { + if (LogLevel > 1) + sm_syslog(LOG_ALERT, NOQID, + "user %d attempted to rebuild the alias map", + RealUid); + usrerr("Permission denied"); + finis(FALSE, EX_USAGE); + } if (MeToo) BlankEnvelope.e_flags |= EF_METOO; Note that PGP signing this message changes the first line of the patch by adding a "- " before the "---". Remove the added "- " before trying to apply the patch. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0 for non-commercial use Comment: Processed by Mailcrypt 3.5.4, an Emacs/PGP interface Charset: noconv iQCVAwUBODpGtsApykAW9MzpAQHsnwQAgN/vqojM5DgDdJ/Z3+Qs0JunGqIDWlCh ML3+sXam38ZFA+/JgTYM4d1ZSxj+y7LmcN8Z1aLV0r6Ix9Ywkp83Akh9D0zs7sZR 15EbyuHhM2Q+MkPeGMtjhj4E9ptP2EjbqumbOWW+zojn+blWqf0GMjoulXDpk1O3 hTSlXU7zYDM= =WDU8 -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:55 PDT