Bug 125623 - mail-mta/sendmail: potential RCE (CVE-2006-0058)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: B1 [glsa] jaervosz
Duplicates: 127234 127245
Reported: 2006-03-09 10:23 UTC by Thierry Carrez (RETIRED)
Modified: 2007-05-31 10:55 UTC

Attachments
sendmail_CVE-2006-0058.diff (sendmail_CVE-2006-0058.diff,70.61 KB, patch)
2006-03-09 10:25 UTC, Thierry Carrez (RETIRED)
CVE-2006-0058 patch (sendmail_CVE-2006-0058.diff,70.88 KB, patch)
2006-03-10 06:02 UTC, Andrea Barisani (RETIRED)
sendmail-8.13.5-r1.ebuild (sendmail-8.13.5-r1.ebuild,6.18 KB, application/octet-stream)
2006-03-10 06:07 UTC, Andrea Barisani (RETIRED)
sendmail-8.13.5-r1.ebuild (sendmail-8.13.5-r1.ebuild,6.54 KB, text/plain)
2006-03-20 01:42 UTC, Andrea Barisani (RETIRED)

Description Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:23:17 UTC
From CERT confidential VU#834865:

A race condition in the handling of asynchronous signals in sendmail may allow
a remote attacker to execute arbitrary code with the privileges of sendmail.

This will be made public Wednesday March 22, 2006.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:25:55 UTC
Created attachment 81781
sendmail_CVE-2006-0058.diff

Patch for sendmail 8.13
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:27:22 UTC
lcars: please prepare a new version and attach it for testing here (but do not commit anything to Portage)
Comment 3 Andrea Barisani (RETIRED) gentoo-dev 2006-03-10 05:21:37 UTC
I'm on it, will post new ebuild asap
Comment 4 Andrea Barisani (RETIRED) gentoo-dev 2006-03-10 06:02:13 UTC
Created attachment 81842
CVE-2006-0058 patch

patch with Sendmail Inc. addendum that modifies version.c with a new release code
Comment 5 Andrea Barisani (RETIRED) gentoo-dev 2006-03-10 06:07:01 UTC
Created attachment 81843
sendmail-8.13.5-r1.ebuild

New 8.13.5-r1 ebuild that applies the patch. All arches are stable in this ebuild, I'd suggest bumping this one as stable since anyway we didn't get outstanding
reports for older versions and they are all pretty much the same.

8.13.6 should be out anyway along with the advisory so if timewise we are good
I'll just bump to 8.13.6 so that we don't have to manually include the huge patch.

Suggestions are welcome.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-03-12 10:29:54 UTC
Calling arch security liaisons for testing and comments.
 
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2006-03-12 11:58:38 UTC
Looks good on alpha.
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2006-03-12 12:48:20 UTC
Looks fine for x86
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2006-03-12 13:03:20 UTC
looks good on ppc64
Comment 10 Simon Stelling (RETIRED) gentoo-dev 2006-03-12 13:22:42 UTC
amd64 is fine
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2006-03-12 13:36:24 UTC
Looks ok on ppc.
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-13 10:20:29 UTC
Out of sheer curiosity, why does the ebuild use the new (and masked) mailer-config? Is this wise?
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-13 10:24:47 UTC
According to ferdy it's not getting out of p.mask any time soon...
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2006-03-13 10:33:05 UTC
I agree it's probably unwise to kill two birds with one stone.
Comment 15 Andrea Barisani (RETIRED) gentoo-dev 2006-03-13 10:35:12 UTC
mmh yeah, I forgot about that.

I'll backport this to the old mailer-config supported ebuild, actually that
was the only thing that holds up this revision. It would be nice to get
new mailer-config running soon.

Anyway I'll attach new ebuild asap.

Sorry that I forgot about this.
Comment 16 René Nussbaumer (RETIRED) gentoo-dev 2006-03-13 12:11:16 UTC
Looks good on hppa. Sorry for the delay.
Comment 17 Andrea Barisani (RETIRED) gentoo-dev 2006-03-20 01:42:57 UTC
Created attachment 82642
sendmail-8.13.5-r1.ebuild

Ok this is the same version of the ebuild I already attached but with the
old mailer-config stuff, maintainers and net-mail team please check if it's ok.

Thx
Comment 18 Andrea Barisani (RETIRED) gentoo-dev 2006-03-21 05:30:44 UTC
Disclosure is set for 11:00 AM EST on March 22.

Please provide feedback on the new ebuild, I'd like to have it committed just before that date. Thx
Comment 19 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-21 09:15:29 UTC
Latest ebuild looks sane for sparc.
Comment 20 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-21 09:16:17 UTC
Oh, before I forget, remember to remove (or better aim) the p.mask entry for sendmail or no one will be able to upgrade.
Comment 21 Mark Loeser (RETIRED) gentoo-dev 2006-03-21 09:26:40 UTC
Looks fine for x86 as well.
Comment 22 Andrea Barisani (RETIRED) gentoo-dev 2006-03-22 10:54:07 UTC
This is now public.

8.13.6 committed.

GLSA waiting for review/approval/sending.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 11:58:33 UTC
Thx everyone for the swift work.

GLSA ID:  200603-21
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 14:02:01 UTC
*** Bug 127234 has been marked as a duplicate of this bug. ***
Comment 25 David Sparks 2006-03-22 16:55:44 UTC
*** Bug 127245 has been marked as a duplicate of this bug. ***