---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated sendmail packages fix critical security issues
Advisory ID: RHSA-2003:073-06
Issue date: 2003-02-07
Updated on: 2003-03-03
Product: Red Hat Linux
Keywords: sendmail smrsh security bug
Cross references:
Obsoletes: RHSA-2002:106
CVE Names: CAN-2002-1337
---------------------------------------------------------------------
1. Topic:
Updated Sendmail packages are available to fix a vulnerability that
may allow remote attackers to gain root privileges by sending a
carefully crafted message.
These packages also fix a security bug if sendmail is configured to use smrsh.
2. Relevant releases/architectures:
Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
3. Problem description:
Sendmail is a widely used Mail Transport Agent (MTA) which is included
in all Red Hat Linux distributions.
During a code audit of Sendmail by ISS, a critical vulnerability was
uncovered that affects unpatched versions of Sendmail prior to version
8.12.8. A remote attacker can send a carefully crafted email message
which, when processed by sendmail, causes arbitrary code to be
executed as root.
We are advised that a proof-of-concept exploit is known to exist, but
is not believed to be in the wild.
Since this is a message-based vulnerability, MTAs other than Sendmail
may pass on the carefully crafted message. This means that unpatched
versions of Sendmail inside a network could still be at risk even if
they do not accept external connections directly.
In addition, the restricted shell (SMRSH) in Sendmail allows attackers to
bypass the intended restrictions of smrsh by inserting additional commands
after "||" sequences or "/" characters, which are not properly filtered or
verified. A sucessful attack would allow an attacker who has a local
account on a system which has explicitly enabled smrsh to execute arbitrary
binaries as themselves by utilizing their .forward file.
All users are advised to update to these erratum packages. For Red Hat
Linux 8.0 we have included Sendmail version 8.12.8 which is not vulnerable
to these issues. For all other distributions we have included a backported
patch which corrects these vulnerabilities.
Red Hat would like to thank Eric Allman for his assistance with this
vulnerability.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.
Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. RPMs required:
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/sendmail-8.11.6-1.62.2.src.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/sendmail-8.11.6-1.62.2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/sendmail-cf-8.11.6-1.62.2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/sendmail-doc-8.11.6-1.62.2.i386.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/sendmail-8.11.6-23.70.src.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/sendmail-8.11.6-23.70.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/sendmail-cf-8.11.6-23.70.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/sendmail-devel-8.11.6-23.70.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/sendmail-doc-8.11.6-23.70.i386.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/sendmail-8.11.6-23.71.src.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-23.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-cf-8.11.6-23.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-devel-8.11.6-23.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-doc-8.11.6-23.71.i386.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/sendmail-8.11.6-23.72.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-23.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-cf-8.11.6-23.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-devel-8.11.6-23.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-doc-8.11.6-23.72.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-8.11.6-23.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-cf-8.11.6-23.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-devel-8.11.6-23.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-doc-8.11.6-23.72.ia64.rpm
Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/sendmail-8.11.6-23.73.src.rpm
i386:
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-23.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-cf-8.11.6-23.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-devel-8.11.6-23.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-doc-8.11.6-23.73.i386.rpm
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/sendmail-8.12.8-1.80.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-cf-8.12.8-1.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-devel-8.12.8-1.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-doc-8.12.8-1.80.i386.rpm
6. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
35d83351ea84fdae048b3e6f556bfc4a 6.2/en/os/SRPMS/sendmail-8.11.6-1.62.2.src.rpm
71ddff0b307887232ad2b57c6f828dbd 6.2/en/os/i386/sendmail-8.11.6-1.62.2.i386.rpm
3b398feb4f97b05873a864be5d914ee8 6.2/en/os/i386/sendmail-cf-8.11.6-1.62.2.i386.rpm
ba2e0d80e5efc7fe3ba2d55f9caa9cb1 6.2/en/os/i386/sendmail-doc-8.11.6-1.62.2.i386.rpm
e3a9eb220d844e1e3a1bd84ada63c853 7.0/en/os/SRPMS/sendmail-8.11.6-23.70.src.rpm
f3bdb70c4b1d95d10a827db33bf77a46 7.0/en/os/i386/sendmail-8.11.6-23.70.i386.rpm
e7a8c264257e207d18257dfe075a5fd1 7.0/en/os/i386/sendmail-cf-8.11.6-23.70.i386.rpm
c6cf8af32a436d42d0982b99260ce811 7.0/en/os/i386/sendmail-devel-8.11.6-23.70.i386.rpm
ba9251c4ed7fc2916e27c8bc406d7f58 7.0/en/os/i386/sendmail-doc-8.11.6-23.70.i386.rpm
c2eb6d0135dc60e83506f0c20148822c 7.1/en/os/SRPMS/sendmail-8.11.6-23.71.src.rpm
c3a518db2157a56edc5a94f42c32f8db 7.1/en/os/i386/sendmail-8.11.6-23.71.i386.rpm
6cb3a88c447b56f37d0ebba1df4adb23 7.1/en/os/i386/sendmail-cf-8.11.6-23.71.i386.rpm
f2fa0e42d15c723c33c876ea075b4508 7.1/en/os/i386/sendmail-devel-8.11.6-23.71.i386.rpm
2cee572aa2fe1eddb3d22f7ab4d43a20 7.1/en/os/i386/sendmail-doc-8.11.6-23.71.i386.rpm
854ee4390631bdcb818fe6cdc132f7da 7.2/en/os/SRPMS/sendmail-8.11.6-23.72.src.rpm
dbce6be563a5642400d0a8a9e97f88fc 7.2/en/os/i386/sendmail-8.11.6-23.72.i386.rpm
92b8773b155b2cce446645dd55842e87 7.2/en/os/i386/sendmail-cf-8.11.6-23.72.i386.rpm
d810fe7d6a61550e3b0ac3a509d00fed 7.2/en/os/i386/sendmail-devel-8.11.6-23.72.i386.rpm
722780636eb24b8168f8464817e21de4 7.2/en/os/i386/sendmail-doc-8.11.6-23.72.i386.rpm
e83825fb7552ad321cb09ecf86df4a29 7.2/en/os/ia64/sendmail-8.11.6-23.72.ia64.rpm
70e2f72dffad5ec8565dc957f5c0b111 7.2/en/os/ia64/sendmail-cf-8.11.6-23.72.ia64.rpm
8d86d83586e75cbd03f7bccdfb5b97f2 7.2/en/os/ia64/sendmail-devel-8.11.6-23.72.ia64.rpm
16eac17677891e77e8eb70bf76dac135 7.2/en/os/ia64/sendmail-doc-8.11.6-23.72.ia64.rpm
2049d17db0e321ba6028ee4a7ca2ae93 7.3/en/os/SRPMS/sendmail-8.11.6-23.73.src.rpm
ce6852e4c389405bed1f498514b5fa0f 7.3/en/os/i386/sendmail-8.11.6-23.73.i386.rpm
f994f26ab50b8141ec27a6b04e819d37 7.3/en/os/i386/sendmail-cf-8.11.6-23.73.i386.rpm
d6da03d08cdd8e9933616c0e66841302 7.3/en/os/i386/sendmail-devel-8.11.6-23.73.i386.rpm
5fb65ba4b8e91d9d87451e2d1400411f 7.3/en/os/i386/sendmail-doc-8.11.6-23.73.i386.rpm
29d277537beb532d6b5f48ad30d81d45 8.0/en/os/SRPMS/sendmail-8.12.8-1.80.src.rpm
8bba0d1400ab2e96e3d3c78ce5015597 8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm
55ef5ca9c777278eddd48e365ba471c2 8.0/en/os/i386/sendmail-cf-8.12.8-1.80.i386.rpm
87aecce2ae343a69fe1df716b5e89685 8.0/en/os/i386/sendmail-devel-8.12.8-1.80.i386.rpm
d945b47a44597e5da06f79658e38b9d8 8.0/en/os/i386/sendmail-doc-8.12.8-1.80.i386.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at http://www.redhat.com/about/contact/pgpkey.html
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
md5sum <filename>
7. References:
http://www.cert.org/advisories/CA-2003-07.html
http://marc.theaimsgroup.com/?l=bugtraq&m=103350914307274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337
8. Contact:
The Red Hat security contact is <securityat_private>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html
Copyright 2003 Red Hat, Inc.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 09:28:11 PST