First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 125623
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
sendmail_CVE-2006-0058.diff sendmail_CVE-2006-0058.diff patch Thierry Carrez (RETIRED) 2006-03-09 10:25 0000 70.61 KB Details | Diff
sendmail_CVE-2006-0058.diff CVE-2006-0058 patch patch Andrea Barisani (RETIRED) 2006-03-10 06:02 0000 70.88 KB Details | Diff
sendmail-8.13.5-r1.ebuild sendmail-8.13.5-r1.ebuild application/octet-stream Andrea Barisani (RETIRED) 2006-03-10 06:07 0000 6.18 KB Details
sendmail-8.13.5-r1.ebuild sendmail-8.13.5-r1.ebuild text/plain Andrea Barisani (RETIRED) 2006-03-20 01:42 0000 6.54 KB Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 125623 depends on: Show dependency tree
Show dependency graph
Bug 125623 blocks:

Additional Comments: (this is where you put emerge --info)







View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2006-03-09 10:23 0000 
From CERT confidential VU#834865:

A race condition in the handling of asynchronous signals in sendmail may allow
a remote attacker to execute arbitrary code with the privileges of sendmail.

This will be made public Wednesday March 22, 2006.

------- Comment #1 From Thierry Carrez (RETIRED) 2006-03-09 10:25:55 0000 ------- 
Created an attachment (id=81781) [edit]
sendmail_CVE-2006-0058.diff

Patch for sendmail 8.13

------- Comment #2 From Thierry Carrez (RETIRED) 2006-03-09 10:27:22 0000 ------- 
lcars: please prepare a new version and attach it for testing here (but do not
commit anything to Portage)

------- Comment #3 From Andrea Barisani (RETIRED) 2006-03-10 05:21:37 0000 ------- 
I'm on it, will post new ebuild asap

------- Comment #4 From Andrea Barisani (RETIRED) 2006-03-10 06:02:13 0000 ------- 
Created an attachment (id=81842) [edit]
CVE-2006-0058 patch

patch with Sendmail Inc. addendum that modifies version.c for with a new
release code

------- Comment #5 From Andrea Barisani (RETIRED) 2006-03-10 06:07:01 0000 ------- 
Created an attachment (id=81843) [edit]
sendmail-8.13.5-r1.ebuild

New 8.13.5-r1 ebuild that applies the patch. All arches are stable in this
ebuild, I'd suggest bumping this one as stable since anyway we didn't get
outstanding
reports for older versions and they are all pretty much the same.

8.13.6 should be out anyway along with the advisory so if timewise we are good
I'll just bump to 8.13.6 so that we don't have to manually include the huge
patch.

Suggestions are welcome.

------- Comment #6 From Thierry Carrez (RETIRED) 2006-03-12 10:29:54 0000 ------- 
Calling arch security liaisons for testing and comments.

------- Comment #7 From Bryan Østergaard (RETIRED) 2006-03-12 11:58:38 0000 ------- 
Looks good on alpha.

------- Comment #8 From Mark Loeser 2006-03-12 12:48:20 0000 ------- 
Looks fine for x86

------- Comment #9 From Markus Rothe 2006-03-12 13:03:20 0000 ------- 
looks good on ppc64

------- Comment #10 From Simon Stelling (RETIRED) 2006-03-12 13:22:42 0000 ------- 
amd64 is fine

------- Comment #11 From Tobias Scherbaum 2006-03-12 13:36:24 0000 ------- 
Looks ok on ppc.

------- Comment #12 From Gustavo Zacarias (RETIRED) 2006-03-13 10:20:29 0000 ------- 
Out of sheer curiosity, why does the ebuild use the new (and masked)
mailer-config? Is this wise?

------- Comment #13 From Gustavo Zacarias (RETIRED) 2006-03-13 10:24:47 0000 ------- 
According to ferdy it's not getting out of p.mask any time soon...

------- Comment #14 From Thierry Carrez (RETIRED) 2006-03-13 10:33:05 0000 ------- 
I agree it's probably unwise to kill two birds with one stone.

------- Comment #15 From Andrea Barisani (RETIRED) 2006-03-13 10:35:12 0000 ------- 
mmh yeah, I forgot about that.

I'll backport this to the old mailer-config supported ebuild, actually that
was the only thing that holds up this revision. It would be nice to get
new mailer-config running soon.

Anyway I'll attach new ebuild asap.

Sorry that I forgot about this.

------- Comment #16 From René Nussbaumer 2006-03-13 12:11:16 0000 ------- 
Looks good on hppa. Sorry for the delay.

------- Comment #17 From Andrea Barisani (RETIRED) 2006-03-20 01:42:57 0000 ------- 
Created an attachment (id=82642) [edit]
sendmail-8.13.5-r1.ebuild

Ok this is the same version of the ebuild I already attached but with the
old mailer-config stuff, maintainers and net-mail team please check if it's ok.

Thx

------- Comment #18 From Andrea Barisani (RETIRED) 2006-03-21 05:30:44 0000 ------- 
Disclosure is set for 11:00 AM EST on March 22.

Please provide feedback on the new ebuild, I'd like to have it commited just
before that date. Thx

------- Comment #19 From Gustavo Zacarias (RETIRED) 2006-03-21 09:15:29 0000 ------- 
Latest ebuild looks sane for sparc.

------- Comment #20 From Gustavo Zacarias (RETIRED) 2006-03-21 09:16:17 0000 ------- 
Oh before i forget, remember to remove (or better aim) the p.mask entry for
sendmail or no one will be able to upgrade.

------- Comment #21 From Mark Loeser 2006-03-21 09:26:40 0000 ------- 
Looks fine for x86 as well.

------- Comment #22 From Andrea Barisani (RETIRED) 2006-03-22 10:54:07 0000 ------- 
This is now public.

8.13.6 commited.

GLSA waiting for review/approval/sending.

------- Comment #23 From Sune Kloppenborg Jeppesen 2006-03-22 11:58:33 0000 ------- 
Thx everyone for the swift work.

GLSA ID:  200603-21

------- Comment #24 From Sune Kloppenborg Jeppesen 2006-03-22 14:02:01 0000 ------- 
*** Bug 127234 has been marked as a duplicate of this bug. ***

------- Comment #25 From David Sparks 2006-03-22 16:55:44 0000 ------- 
*** Bug 127245 has been marked as a duplicate of this bug. ***
First Last Prev Next    No search results available      Search page      Enter new bug