Bug 135141 - mail-mta/sendmail malformed MIME multipart messages (CVE-2006-1173)
Summary: mail-mta/sendmail malformed MIME multipart messages (CVE-2006-1173)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://www.kb.cert.org/vuls/id/146718
Whiteboard: B3 [glsa/stable] jaervosz
Reported: 2006-06-01 05:23 UTC by Andrea Barisani (RETIRED)
Modified: 2007-06-24 23:35 UTC

Attachments
sendmail-CVE-2006-1173.patch (sendmail-CVE-2006-1173.patch,1.45 KB, patch)
2006-06-01 05:24 UTC, Andrea Barisani (RETIRED)
sendmail-8.13.6-r1.ebuild (sendmail-8.13.6-r1.ebuild,6.50 KB, patch)
2006-06-01 05:25 UTC, Andrea Barisani (RETIRED)

Description Andrea Barisani (RETIRED) gentoo-dev 2006-06-01 05:23:53 UTC
CERT reported (VU#146718) a vulnerability in Sendmail (up to 8.13.6) triggered by
malformed multipart messages; a PoC is available and has been tested.

The issue results in a denial of service condition due to stack space memory
exhaustion. A forked process (not the main daemon) will exit abnormally
and core dump in some cases when triggered with this condition.

The issue can be worked around by limiting the maximum message size accepted with
the MaxMessageSize option.

This issue will be public Wednesday June 14 at 16:00 UTC 2006.

I'm attaching an ebuild for 8.13.6 with provided patch. This is not likely to
be the only change that will be present in the soon to be released 8.13.7 but
if we manage to get it stable we'll likely be able to provide an updated ebuild
before waiting for 8.13.7 ebuild arch stabilization.
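
The MaxMessageSize workaround mentioned in the description, shown as an added example that is not part of the original bug report: a shell check that reports whether a sendmail.cf actually sets the option. The file contents, the function names and the 10 MiB ceiling are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sendmail.cf for the MaxMessageSize workaround.
# In sendmail.mc the same option is set through confMAX_MESSAGE_SIZE.

# Print the MaxMessageSize value from a sendmail.cf, or "unset" if absent.
# Active option lines look like "O MaxMessageSize=N"; "#O ..." is commented out.
# If the option is repeated, this example reports the last active line.
effective_max_size() {
    awk '
        /^O[ \t]+MaxMessageSize[ \t]*=/ {
            sub(/^O[ \t]+MaxMessageSize[ \t]*=[ \t]*/, "")
            sub(/[ \t]*$/, "")
            value = $0
        }
        END { print (value == "" ? "unset" : value) }
    ' "$1"
}

# Classify a config against a ceiling in bytes ($2).
# An unset option or a value of 0 means no size limit is enforced.
check_max_size() {
    size=$(effective_max_size "$1")
    case "$size" in
        unset)        echo "FAIL unset" ;;
        ''|*[!0-9]*)  echo "FAIL unparsable" ;;
        *)  if [ "$size" -eq 0 ]; then echo "FAIL unlimited"
            elif [ "$size" -gt "$2" ]; then echo "WARN $size exceeds $2"
            else echo "OK $size"
            fi ;;
    esac
}

# Constructed sample configs (not taken from any real host).
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '# maximum message size' '#O MaxMessageSize=0' > "$dir/default.cf"
    printf '%s\n' 'O MaxMessageSize=0' > "$dir/unlimited.cf"
    printf '%s\n' 'O MaxMessageSize=10485760' > "$dir/limited.cf"
    echo "$dir"
}

samples=$(make_samples)
for f in default unlimited limited; do
    printf '%-10s %s\n' "$f" "$(check_max_size "$samples/$f.cf" 10485760)"
done
rm -rf "$samples"
```
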
Comment 1 Andrea Barisani (RETIRED) gentoo-dev 2006-06-01 05:24:41 UTC
Created attachment 88081
sendmail-CVE-2006-1173.patch

sendmail patch for CVE-2006-1173
Comment 2 Andrea Barisani (RETIRED) gentoo-dev 2006-06-01 05:25:53 UTC
Created attachment 88082
sendmail-8.13.6-r1.ebuild

sendmail-8.13.6-r1 ebuild
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-01 06:29:53 UTC
Arch liaisons (sp?), please test and report back if stable, _don't_ commit anything yet as this is sekrit. Thanks
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-01 06:31:10 UTC
blah, exchanging sparc <-> gustavoz ... I'm an idiot
Comment 5 Mark Loeser (RETIRED) gentoo-dev 2006-06-01 20:23:05 UTC
seems sane on x86
Comment 6 Thomas Cort (RETIRED) gentoo-dev 2006-06-02 06:05:49 UTC
looks fine for amd64.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2006-06-02 07:14:55 UTC
looks good on ppc64
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-02 08:36:49 UTC
Looks ok to me (sparc).
Comment 9 Markus Ullmann (RETIRED) gentoo-dev 2006-06-02 11:05:31 UTC
Looking good on arm
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-02 13:35:26 UTC
Looks good on ppc
Comment 11 René Nussbaumer (RETIRED) gentoo-dev 2006-06-03 02:13:06 UTC
Looks good on hppa
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-10 06:11:04 UTC
Still missing test on: alpha ia64 s390, of which only alpha is security supported.

Kloeri please test and report back.
Comment 13 Thomas Cort (RETIRED) gentoo-dev 2006-06-10 09:14:56 UTC
(In reply to comment #12)
> Still missing test on: alpha ia64 s390, of which only alpha is security
> supported.
> 
> Kloeri please test and report back.

I haven't been able to reach kloeri today and jaervosz asked me to test it on alpha, so I did. Looks good on alpha.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-14 11:47:36 UTC
Andrea please commit, this is public now.
Comment 15 Wolf Giesen (RETIRED) gentoo-dev 2006-06-14 12:22:04 UTC
Unless anybody can point to arbitrary code execution, this sounds more like a B3.
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-15 01:17:09 UTC
@Arches please test and mark 8.13.7 stable.

8.13.6-r1 committed directly to stable.

Upstream release 8.13.7 uses a different patch than 8.13.6-r1 so marking the upstream stable to be safe.

@Security: This one is theoretically ready for GLSA decision.

I vote YES.
Comment 17 Andrea Barisani (RETIRED) gentoo-dev 2006-06-15 01:30:59 UTC
I vote YES too.

More info here http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc

After committing the ebuilds I tested 8.13.7 and it looks good on x86 and amd to me (in case this helps).
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-15 08:45:57 UTC
@Security please vote, the draft is ready.
Comment 19 Jochen Maes (RETIRED) gentoo-dev 2006-06-15 08:50:07 UTC
I vote yes for this one.
Comment 20 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-15 08:50:41 UTC
/me says yes
Comment 21 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-15 10:15:07 UTC
GLSA 200606-19

Moving to enhancement for stable marking.
Comment 22 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-19 03:54:10 UTC
Hi arches,

regarding comment #16, and the 2 errata from sendmail.org / see ebuild ChangeLog :
  16 Jun 2006; Andrea Barisani <lcars@gentoo.org>
  +files/errata-8.13.7-1.patch, +files/errata-8.13.7-2.patch,
  +sendmail-8.13.7-r1.ebuild:
  Revision bump with 2 errata published by sendmail.org.

please stabilize 8.13.7-r1

Letting in enhancement scope since the GLSA has already been sent.
Comment 23 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-19 14:31:31 UTC
sparc stable, again!
Comment 24 Joshua Jackson (RETIRED) gentoo-dev 2006-06-19 21:59:03 UTC
x86 motivated for now...
Comment 25 Markus Rothe (RETIRED) gentoo-dev 2006-06-20 10:18:46 UTC
ppc64 stable
Comment 26 Thomas Cort (RETIRED) gentoo-dev 2006-06-20 10:35:54 UTC
stable on alpha and amd64.
Comment 27 René Nussbaumer (RETIRED) gentoo-dev 2006-06-24 11:10:09 UTC
stable on hppa
Comment 28 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-24 23:42:18 UTC
ppc stable
Comment 29 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-25 11:37:18 UTC
Closing since all "supported" arches are now stable, thanks to all.

s390 & ia64, don't forget to mark stable too when you want to.