-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2006-010 ================================= Topic: Sendmail race condition Version: NetBSD-current: source prior to March 24, 2006 NetBSD 3.0: affected NetBSD 2.1: affected NetBSD 2.0.*: affected NetBSD 2.0: affected NetBSD 1.6.*: affected NetBSD 1.6: affected pkgsrc: sendmail packages prior to sendmail-8.13.5nb2 sendmail packages prior to sendmail-8.12.11nb2 Severity: Remote code execution with sendmail privileges Fixed: NetBSD-current: March 24, 2006 NetBSD-3-0 branch: March 24, 2006 (3.0.1 will include the fix) NetBSD-3 branch: March 24, 2006 NetBSD-2-1 branch: March 24, 2006 (2.1.1 will include the fix) NetBSD-2-0 branch: March 24, 2006 (2.0.4 will include the fix) NetBSD-2 branch: March 24, 2006 pkgsrc: sendmail-8.13.5nb2 corrects this issue sendmail-8.12.11nb2 corrects this issue Abstract ======== Sendmail is vulnerable to a race condition in the handling of asynchronous signals. This may allow a remote attacker to execute arbitrary code with the privileges of the sendmail user. This vulnerability has been assigned CVE reference CVE-2006-0058. Technical Details ================= Sendmail contains a race condition caused by the improper handling of asynchronous signals. In particular, by forcing the SMTP server to have an I/O timeout at exactly the correct instant, an attacker may be able to execute arbitrary code with the privileges of the Sendmail process. Solutions and Workarounds ========================= Sendmail by default on NetBSD is bound to localhost (127.0.0.0, ::1) and as such is not externally reachable. However, it is recommended that all users of affected versions update their sendmail to include the fix. The following instructions describe how to upgrade your sendmail binaries by updating your source tree and rebuilding and installing a new version of sendmail. * NetBSD-current: Systems running NetBSD-current dated from before 2006-03-23 should be upgraded to NetBSD-current dated 2006-03-24 or later. The following files need to be updated from the netbsd-current CVS branch (aka HEAD): gnu/dist/sendmail/sendmail/collect.c gnu/dist/sendmail/sendmail/conf.c gnu/dist/sendmail/sendmail/deliver.c gnu/dist/sendmail/sendmail/headers.c gnu/dist/sendmail/sendmail/mime.c gnu/dist/sendmail/sendmail/parseaddr.c gnu/dist/sendmail/sendmail/savemail.c gnu/dist/sendmail/sendmail/sendmail.h gnu/dist/sendmail/sendmail/sfsasl.c gnu/dist/sendmail/sendmail/sfsasl.h gnu/dist/sendmail/sendmail/srvrsmtp.c gnu/dist/sendmail/sendmail/tls.c gnu/dist/sendmail/sendmail/usersmtp.c gnu/dist/sendmail/sendmail/util.c gnu/dist/sendmail/sendmail/version.c gnu/dist/sendmail/libsm/fflush.c gnu/dist/sendmail/libsm/local.h gnu/dist/sendmail/libsm/refill.c To update from CVS, re-build, and re-install sendmail: # cd src # cvs update -d -P gnu/dist/sendmail # cd gnu/usr.sbin/sendmail # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 3.*: Systems running NetBSD 3.* sources dated from before 2006-03-23 should be upgraded from NetBSD 3.* sources dated 2006-03-24 or later. The following files need to be updated from the netbsd-3 or netbsd-3-0 CVS branch: gnu/dist/sendmail/sendmail/collect.c gnu/dist/sendmail/sendmail/conf.c gnu/dist/sendmail/sendmail/deliver.c gnu/dist/sendmail/sendmail/headers.c gnu/dist/sendmail/sendmail/mime.c gnu/dist/sendmail/sendmail/parseaddr.c gnu/dist/sendmail/sendmail/savemail.c gnu/dist/sendmail/sendmail/sendmail.h gnu/dist/sendmail/sendmail/sfsasl.c gnu/dist/sendmail/sendmail/sfsasl.h gnu/dist/sendmail/sendmail/srvrsmtp.c gnu/dist/sendmail/sendmail/tls.c gnu/dist/sendmail/sendmail/usersmtp.c gnu/dist/sendmail/sendmail/util.c gnu/dist/sendmail/sendmail/version.c gnu/dist/sendmail/libsm/fflush.c gnu/dist/sendmail/libsm/local.h gnu/dist/sendmail/libsm/refill.c To update from CVS, re-build, and re-install sendmail: # cd src # cvs update -d -P -r gnu/dist/sendmail # cd gnu/usr.sbin/sendmail # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 2.*: Systems running NetBSD 2.* sources dated from before 2006-03-23 should be upgraded from NetBSD 2.* sources dated 2006-03-24 or later. The following files need to be updated from the netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch: gnu/dist/sendmail/sendmail/collect.c gnu/dist/sendmail/sendmail/conf.c gnu/dist/sendmail/sendmail/deliver.c gnu/dist/sendmail/sendmail/headers.c gnu/dist/sendmail/sendmail/mime.c gnu/dist/sendmail/sendmail/parseaddr.c gnu/dist/sendmail/sendmail/savemail.c gnu/dist/sendmail/sendmail/sendmail.h gnu/dist/sendmail/sendmail/sfsasl.c gnu/dist/sendmail/sendmail/sfsasl.h gnu/dist/sendmail/sendmail/srvrsmtp.c gnu/dist/sendmail/sendmail/tls.c gnu/dist/sendmail/sendmail/usersmtp.c gnu/dist/sendmail/sendmail/util.c gnu/dist/sendmail/sendmail/version.c gnu/dist/sendmail/libsm/fflush.c gnu/dist/sendmail/libsm/local.h gnu/dist/sendmail/libsm/refill.c To update from CVS, re-build, and re-install sendmail: # cd src # cvs update -d -P -r gnu/dist/sendmail # cd gnu/usr.sbin/sendmail # make USETOOLS=no cleandir dependall # make USETOOLS=no install Thanks To ========= CERT for notification and co-ordination of the issue. Sendmail Consortium for supplying the patches to address the issue. Christos Zoulas for implementing the fixes. Revision History ================ 2006-03-29 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-010.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2006-010.txt,v 1.5 2006/03/29 19:52:50 adrianp Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (NetBSD) iQCVAwUBRCsC3D5Ru2/4N2IFAQLgswQAyWsnHHM017c4NP0vvPh6hKn/MYjpZGB7 1meGsumrd3JsPUj4j30GR3RXeqw2Kf0RGOrnwz7aIVibXdX05jxjl+8GpBSU2xkI eZ//s8n7gIe3gvaOTpqLRdBo6mi9aGY0BZhHA7ZoHsW2cQ7JZXnhdl3QzJ3qUQaA D8pG/zZ/cMc= =1u2y -----END PGP SIGNATURE-----