Bug 135141 - mail-mta/sendmail malformed MIME multipart messages (CVE-2006-1173)
Bug#: 135141 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: enhancement Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: lcars@gentoo.org
Component: Vulnerabilities
URL:  http://www.kb.cert.org/vuls/id/146718
Summary: mail-mta/sendmail malformed MIME multipart messages (CVE-2006-1173)
Keywords:  
Status Whiteboard: B3 [glsa/stable] jaervosz
Opened: 2006-06-01 05:23 0000
Description:   Opened: 2006-06-01 05:23 0000 
CERT reported (VU#146718) a vulnerability in Sendmail (up to 8.13.6) triggered
by
malformed multipart messages, a PoC is available and has been tested.

The issue results in a denial of service condition due to stack space memory
exhaustion. A forked process (not the main daemon) will exit abnormally
and core dump in some cases when triggered with this condition.

The issue can be worked around by limiting the maximum message size accepted
with
the MaxMessageSize option.

This issue will be public Wednesday June 14 at 16:00 UTC 2006.

I'm attaching an ebuild for 8.13.6 with provided patch. This is not likely to
be the only change that will be present in the soon to be released 8.13.7 but
if we manage to get it stable we'll likely able to provide an updated ebuild
before waiting for 8.13.7 ebuild arch stabilization.

------- Comment #1 From Andrea Barisani (RETIRED) 2006-06-01 05:24:41 0000 ------- 
Created an attachment (id=88081) [details]
sendmail-CVE-2006-1173.patch

sendmail patch for CVE-2006-1173

------- Comment #2 From Andrea Barisani (RETIRED) 2006-06-01 05:25:53 0000 ------- 
Created an attachment (id=88082) [details]
sendmail-8.13.6-r1.ebuild

sendmail-8.13.6-r1 ebuild

------- Comment #3 From Stefan Cornelius (RETIRED) 2006-06-01 06:29:53 0000 ------- 
Arch liaisons (sp?), please test and report back if stable, _don't_ commit
anything yet as this is sekrit. Thanks

------- Comment #4 From Stefan Cornelius (RETIRED) 2006-06-01 06:31:10 0000 ------- 
blah, exchanging sparc <-> gustavoz ... I'm an idiot

------- Comment #5 From Mark Loeser 2006-06-01 20:23:05 0000 ------- 
seems sane on x86

------- Comment #6 From Thomas Cort (RETIRED) 2006-06-02 06:05:49 0000 ------- 
looks fine for amd64.

------- Comment #7 From Markus Rothe 2006-06-02 07:14:55 0000 ------- 
looks good on ppc64

------- Comment #8 From Gustavo Zacarias (RETIRED) 2006-06-02 08:36:49 0000 ------- 
Looks ok to me (sparc).

------- Comment #9 From Markus Ullmann 2006-06-02 11:05:31 0000 ------- 
Looking good on arm

------- Comment #10 From Tobias Scherbaum 2006-06-02 13:35:26 0000 ------- 
Looks good on ppc

------- Comment #11 From René Nussbaumer 2006-06-03 02:13:06 0000 ------- 
Looks good on hppa

------- Comment #12 From Sune Kloppenborg Jeppesen 2006-06-10 06:11:04 0000 ------- 
Still missing test on: alpha ia64 s390, of which only alpha is security
supported.

Kloeri please test and report back.

------- Comment #13 From Thomas Cort (RETIRED) 2006-06-10 09:14:56 0000 ------- 
(In reply to comment #12)
> Still missing test on: alpha ia64 s390, of which only alpha is security
> supported.
> 
> Kloeri please test and report back.

I haven't been able to reach kloeri today and jaervosz asked me to test it on
alpha, so I did. Looks good on alpha.

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-06-14 11:47:36 0000 ------- 
Andrea please commit, this is public now.

------- Comment #15 From Wolf Giesen (RETIRED) 2006-06-14 12:22:04 0000 ------- 
Unless anybody can point to arbitrary code execution, this sounds more like a
B3.

------- Comment #16 From Sune Kloppenborg Jeppesen 2006-06-15 01:17:09 0000 ------- 
@Arches please test and mark 8.13.7 stable.

8.13.6-r1 comitted directly to stable.

Upstream release 8.13.7 uses a different patch than 8.13.6-r1 so marking the
upstream stable to be safe.

@Security: This one is theoretically ready for GLSA decision.

I vote YES.

------- Comment #17 From Andrea Barisani (RETIRED) 2006-06-15 01:30:59 0000 ------- 
I vote YES too.

More info here http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc

After committing the ebuilds I tested 8.13.7 and it looks good on x86 and amd
to me (in case this helps).

------- Comment #18 From Sune Kloppenborg Jeppesen 2006-06-15 08:45:57 0000 ------- 
@Security please vote, the draft is ready.

------- Comment #19 From Jochen Maes (RETIRED) 2006-06-15 08:50:07 0000 ------- 
I vote yes for this one.

------- Comment #20 From Stefan Cornelius (RETIRED) 2006-06-15 08:50:41 0000 ------- 
/me says yes

------- Comment #21 From Sune Kloppenborg Jeppesen 2006-06-15 10:15:07 0000 ------- 
GLSA 200606-19

Moving to enhancement for stable marking.

------- Comment #22 From Raphael Marichez 2006-06-19 03:54:10 0000 ------- 
Hi arches,

regarding comment #16, and the 2 errata from sendmail.org / see ebuild
ChangeLog :
  16 Jun 2006; Andrea Barisani <lcars@gentoo.org>
  +files/errata-8.13.7-1.patch, +files/errata-8.13.7-2.patch,
  +sendmail-8.13.7-r1.ebuild:
  Revision bump with 2 errata published by sendmail.org.

please stabilize 8.13.7-r1

Letting in enhancement scope since the GLSA has already been sent.

------- Comment #23 From Gustavo Zacarias (RETIRED) 2006-06-19 14:31:31 0000 ------- 
sparc stable, again!

------- Comment #24 From Joshua Jackson 2006-06-19 21:59:03 0000 ------- 
x86 motivated for now...

------- Comment #25 From Markus Rothe 2006-06-20 10:18:46 0000 ------- 
ppc64 stable

------- Comment #26 From Thomas Cort (RETIRED) 2006-06-20 10:35:54 0000 ------- 
stable on alpha and amd64.

------- Comment #27 From René Nussbaumer 2006-06-24 11:10:09 0000 ------- 
stable on hppa

------- Comment #28 From Tobias Scherbaum 2006-06-24 23:42:18 0000 ------- 
ppc stable

------- Comment #29 From Raphael Marichez 2006-06-25 11:37:18 0000 ------- 
Closing since all "supported" arches are now stable, thanks to all.

s390 & ia64, don't forget to mark stable too when you want to.