Bug 125623

Summary: mail-mta/sendmail: potential RCE (CVE-2006-0058)
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: blubb, corsair, davidsparks, dertobi123, gustavoz, halcy0n, killerfox, sfromm
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments (description, flags):
sendmail_CVE-2006-0058.diff, flags: none
CVE-2006-0058 patch, flags: none
sendmail-8.13.5-r1.ebuild, flags: none
sendmail-8.13.5-r1.ebuild, flags: none

Description Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:23:17 UTC
From CERT confidential VU#834865:

A race condition in the handling of asynchronous signals in sendmail may allow
a remote attacker to execute arbitrary code with the privileges of sendmail.

This will be made public Wednesday March 22, 2006.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:25:55 UTC
Created attachment 81781
sendmail_CVE-2006-0058.diff

Patch for sendmail 8.13
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:27:22 UTC
lcars: please prepare a new version and attach it for testing here (but do not commit anything to Portage)
Comment 3 Andrea Barisani (RETIRED) gentoo-dev 2006-03-10 05:21:37 UTC
I'm on it, will post new ebuild asap
Comment 4 Andrea Barisani (RETIRED) gentoo-dev 2006-03-10 06:02:13 UTC
Created attachment 81842
CVE-2006-0058 patch

patch with Sendmail Inc. addendum that modifies version.c with a new release code
Comment 5 Andrea Barisani (RETIRED) gentoo-dev 2006-03-10 06:07:01 UTC
Created attachment 81843
sendmail-8.13.5-r1.ebuild

New 8.13.5-r1 ebuild that applies the patch. All arches are stable in this ebuild, I'd suggest bumping this one as stable since anyway we didn't get outstanding
reports for older versions and they are all pretty much the same.

8.13.6 should be out anyway along with the advisory so if timewise we are good
I'll just bump to 8.13.6 so that we don't have to manually include the huge patch.

Suggestions are welcome.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-03-12 10:29:54 UTC
Calling arch security liaisons for testing and comments.
 
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2006-03-12 11:58:38 UTC
Looks good on alpha.
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2006-03-12 12:48:20 UTC
Looks fine for x86
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2006-03-12 13:03:20 UTC
looks good on ppc64
Comment 10 Simon Stelling (RETIRED) gentoo-dev 2006-03-12 13:22:42 UTC
amd64 is fine
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2006-03-12 13:36:24 UTC
Looks ok on ppc.
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-13 10:20:29 UTC
Out of sheer curiosity, why does the ebuild use the new (and masked) mailer-config? Is this wise?
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-13 10:24:47 UTC
According to ferdy it's not getting out of p.mask any time soon...
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2006-03-13 10:33:05 UTC
I agree it's probably unwise to kill two birds with one stone.
Comment 15 Andrea Barisani (RETIRED) gentoo-dev 2006-03-13 10:35:12 UTC
mmh yeah, I forgot about that.

I'll backport this to the old mailer-config supported ebuild, actually that
was the only thing that holds up this revision. It would be nice to get
new mailer-config running soon.

Anyway I'll attach new ebuild asap.

Sorry that I forgot about this.
Comment 16 René Nussbaumer (RETIRED) gentoo-dev 2006-03-13 12:11:16 UTC
Looks good on hppa. Sorry for the delay.
Comment 17 Andrea Barisani (RETIRED) gentoo-dev 2006-03-20 01:42:57 UTC
Created attachment 82642
sendmail-8.13.5-r1.ebuild

Ok this is the same version of the ebuild I already attached but with the
old mailer-config stuff, maintainers and net-mail team please check if it's ok.

Thx
Comment 18 Andrea Barisani (RETIRED) gentoo-dev 2006-03-21 05:30:44 UTC
Disclosure is set for 11:00 AM EST on March 22.

Please provide feedback on the new ebuild, I'd like to have it committed just before that date. Thx
Comment 19 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-21 09:15:29 UTC
Latest ebuild looks sane for sparc.
Comment 20 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-21 09:16:17 UTC
Oh before I forget, remember to remove (or better aim) the p.mask entry for sendmail or no one will be able to upgrade.
Comment 21 Mark Loeser (RETIRED) gentoo-dev 2006-03-21 09:26:40 UTC
Looks fine for x86 as well.
Comment 22 Andrea Barisani (RETIRED) gentoo-dev 2006-03-22 10:54:07 UTC
This is now public.

8.13.6 committed.

GLSA waiting for review/approval/sending.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 11:58:33 UTC
Thx everyone for the swift work.

GLSA ID:  200603-21
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 14:02:01 UTC
*** Bug 127234 has been marked as a duplicate of this bug. ***
Comment 25 David Sparks 2006-03-22 16:55:44 UTC
*** Bug 127245 has been marked as a duplicate of this bug. ***