From CERT confidential VU#834865: A race condition in the handling of asynchronous signals in sendmail may allow a remote attacker to execute arbitrary code with the privileges of sendmail. This will be made public Wednesday March 22, 2006.
Created attachment 81781 [details, diff] sendmail_CVE-2006-0058.diff Patch for sendmail 8.13
lcars: please prepare a new version and attach it for testing here (but do not commit anything to Portage)
I'm on it, will post new ebuild asap
Created attachment 81842 [details, diff] CVE-2006-0058 patch patch with Sendmail Inc. addendum that modifies version.c for with a new release code
Created attachment 81843 [details] sendmail-8.13.5-r1.ebuild New 8.13.5-r1 ebuild that applies the patch. All arches are stable in this ebuild, I'd suggest bumping this one as stable since anyway we didn't get outstanding reports for older versions and they are all pretty much the same. 8.13.6 should be out anyway along with the advisory so if timewise we are good I'll just bump to 8.13.6 so that we don't have to manually include the huge patch. Suggestions are welcome.
Calling arch security liaisons for testing and comments.
Looks good on alpha.
Looks fine for x86
looks good on ppc64
amd64 is fine
Looks ok on ppc.
Out of sheer curiosity, why does the ebuild use the new (and masked) mailer-config? Is this wise?
According to ferdy it's not getting out of p.mask any time soon...
I agree it's probably unwise to kill two birds with one stone.
mmh yeah, I forgot about that. I'll backport this to the old mailer-config supported ebuild, actually that was the only thing that holds up this revision. It would be nice to get new mailer-config running soon. Anyway I'll attach new ebuild asap. Sorry that I forgot about this.
Looks good on hppa. Sorry for the delay.
Created attachment 82642 [details] sendmail-8.13.5-r1.ebuild Ok this is the same version of the ebuild I already attached but with the old mailer-config stuff, maintainers and net-mail team please check if it's ok. Thx
Disclosure is set for 11:00 AM EST on March 22. Please provide feedback on the new ebuild, I'd like to have it commited just before that date. Thx
Latest ebuild looks sane for sparc.
Oh before i forget, remember to remove (or better aim) the p.mask entry for sendmail or no one will be able to upgrade.
Looks fine for x86 as well.
This is now public. 8.13.6 commited. GLSA waiting for review/approval/sending.
Thx everyone for the swift work. GLSA ID: 200603-21
*** Bug 127234 has been marked as a duplicate of this bug. ***
*** Bug 127245 has been marked as a duplicate of this bug. ***