Bug 299120 (CVE-2009-4565) - <mail-mta/sendmail-8.14.4: X.509 NULL spoofing (CVE-2009-4565)
Summary: <mail-mta/sendmail-8.14.4: X.509 NULL spoofing (CVE-2009-4565)
Status: RESOLVED FIXED
Alias: CVE-2009-4565
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.sendmail.org/releases/8.14.4
Whiteboard: A3 [glsa]
Reported: 2009-12-31 14:03 UTC by Alex Legler (RETIRED)
Modified: 2012-06-25 19:10 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-31 14:03:50 UTC
From the release notes ($URL):

Handle bogus certificates containing NUL characters
in CNs by placing a string indicating a bad certificate
in the {cn_subject} or {cn_issuer} macro.  Patch inspired
by Matthias Andree's changes for fetchmail.

During the generation of a queue identifier an integer overflow
could occur which might result in bogus characters
being used.  Based on patch from John Vannoy of
Pepperdine University.

The value of headers, e.g., Precedence, Content-Type, et.al.,
was not processed correctly.  Patch from Per Hedeland.

Between 8.11.7 and 8.12.0 the length limitation on a return
path was erroneously reduced from MAXNAME (256) to
MAXSHORTSTR (203).  Patch from John Gardiner Myers
of Proofpoint; the problem was also noted by Steve
Hubert of University of Washington.

Prevent a crash when a hostname lookup returns a seemingly
valid result which contains a NULL pointer (this seems
to be happening on some Linux versions).

The process title was missing the current load average when
the MTA was delaying connections due to DelayLA.
Patch from Dick St.Peters of NetHeaven.

Do not reset the number of queue entries in shared memory if
only some of them are processed.

Fix overflow of an internal array when parsing some replies
from a milter.  Problem found by Scott Rotondo
of Sun Microsystems.

If STARTTLS is turned off in the server (via M=S) then it
would not be initialized for use in the client either.
Patch from Kazuteru Okahashi of IIJ.

If a Diffie-Hellman cipher is selected for STARTTLS, the
handshake could fail with some TLS implementations
because the prime used by the server is not long enough.
Note: the initialization of the DSA/DH parameters for
the server can take a significant amount of time on slow
machines. This can be turned off by setting DHParameters
to none or a file (see doc/op/op.me).  Patch from
Petr Lampa of the Brno University of Technology.

Fix handling of `b' modifier for DaemonPortOptions on little
endian machines for loopback address.  Patch from
John Beck of Sun Microsystems.

Fix a potential memory leak in libsmdb/smdb1.c found by parfait.
Based on patch from Jonathan Gray of OpenBSD.

If a milter sets the reply code to "421" during the transfer
of the body, the SMTP server will terminate the SMTP session
with that error to match the behavior of the other callbacks.

Return EX_IOERR (instead of 0) if a mail submission fails due to
missing disk space in the mail queue.  Based on patch
from Martin Poole of RedHat.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-06 21:03:26 UTC
net-mail, we have 8.14.4 in tree, is it ok to stabilize?
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-08 17:45:21 UTC
CVE-2009-4565 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4565):
  sendmail before 8.14.4 does not properly handle a '\0' character in a
  Common Name (CN) field of an X.509 certificate, which (1) allows
  man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers
  via a crafted server certificate issued by a legitimate Certification
  Authority, and (2) allows remote attackers to bypass intended access
  restrictions via a crafted client certificate issued by a legitimate
  Certification Authority, a related issue to CVE-2009-2408.

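The CVE text above describes a CN whose ASN.1 length covers an embedded NUL, so that C string functions stop early and match a different name than the CA signed. The following is an added example (not sendmail's own code, nor the project's fix) showing the defensive check in C: compare the declared length against what strlen sees, and replace a CN containing a NUL with a sentinel in the spirit of the {cn_subject}/{cn_issuer} handling in the release notes. The sentinel string, the function names, and the sample CNs are all assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sentinel placed in the CN slot when the certificate CN holds an
 * embedded NUL; a placeholder for this example, not sendmail's literal string. */
#define BAD_CN_SENTINEL "BadCertificateContainsNUL"

/* Check shape for an API that copies the CN into buf and returns the ASN.1
 * length it wrote (the X509_NAME_get_text_by_NID pattern): if the declared
 * length differs from what C string functions see, a NUL is hidden inside
 * the name. Returns 1 when an embedded NUL is present, 0 otherwise. */
int cn_has_embedded_nul(const char *buf, size_t declared_len)
{
    return strlen(buf) != declared_len;
}

/* Copy a CN given as (pointer, ASN.1 length) into a NUL-terminated buffer.
 * X.509 string types carry an explicit length, so 0x00 inside the name is
 * legal at the ASN.1 level but truncates every later C-string comparison.
 * Returns 1 if the CN was accepted, 0 if it was replaced by the sentinel. */
int copy_cn_checked(const unsigned char *cn, size_t cn_len, char *out, size_t out_len)
{
    if (out_len == 0)
        return 0;
    /* Reject a NUL anywhere inside the declared length, and a name that
     * would not fit: either way out[] would hold something other than the
     * name the CA actually signed. */
    if (cn_len >= out_len || memchr(cn, '\0', cn_len) != NULL) {
        snprintf(out, out_len, "%s", BAD_CN_SENTINEL);
        return 0;
    }
    memcpy(out, cn, cn_len);
    out[cn_len] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample CNs: a normal one, and one carrying a NUL right
     * after the part a C-string comparison would see. */
    static const unsigned char good[] = "mail.example.com";
    static const unsigned char bad[]  = "mail.example.com\0.other.example";
    char out[64];

    copy_cn_checked(good, sizeof(good) - 1, out, sizeof(out));
    printf("%s\n", out);   /* prints mail.example.com */
    copy_cn_checked(bad, sizeof(bad) - 1, out, sizeof(out));
    printf("%s\n", out);   /* prints BadCertificateContainsNUL */
    return 0;
}
```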
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-10 08:43:45 UTC
I take that as a "yes".
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-10 08:45:23 UTC
Arches, please test and mark stable:
=mail-mta/sendmail-8.14.4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-10 12:04:41 UTC
x86 stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2010-01-11 16:03:11 UTC
ppc and ppc64 done
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-01-13 05:29:04 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-01-13 19:22:57 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 9 Markus Meier gentoo-dev 2010-02-01 19:55:10 UTC
amd64 stable, all arches done.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:16:46 UTC
GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-06-25 19:10:44 UTC
This issue was resolved and addressed in
 GLSA 201206-30 at http://security.gentoo.org/glsa/glsa-201206-30.xml
by GLSA coordinator Stefan Behte (craig).