OpenBSD Journal

Patch 005: Sendmail

Contributed by jose on from the MTA-security dept.

It's been a busy week for those of you keeping up on your patches. This latest one is in Sendmail, in the function prescan(), and was found by Michal Zalewski. You can find the patch on the FTP servers and rebuild your Sendmail, as directed in the patch. No security-announce mail yet; I just saw the patch get checked in and uploaded. This applies to OpenBSD 3.3 and 3.2 (for 3.2, see Patch 018).
UPDATE: Todd Miller has posted an announcement to security-announce about this issue.



Comments
  1. By Anonymous Coward () on

    For those of you considering upgrade to 3.4, now is the time to do it. The new bugs are fixed in 3.4 already.

    Comments
    1. By Anonymous Coward () on

      Hmmm... And maybe install postfix too. This gets old.

    2. By Anonymous Coward () on

      From the advisory:

      Note that this is the second revision of the patch that includes
      an unrelated (and less critical) fix from Sendmail 8.12.10. That
      fix is not included in OpenBSD 3.4 or the 3.4 snapshots as it
      can only be triggered by non-standard rulesets.

      Comments
      1. By gwyllion () on

        I find this rather strange. Why didn't they just upgrade to 8.2.10 in OpenBSD 3.4 as well?

        Comments
        1. By Anonymous Coward () on

          'cuz it came out too close to 3.4, so there was not enough time to test it

          Comments
          1. By Anonymous Coward () on

            Is OpenSSH 3.7.1 in 3.4?

            Comments
            1. By Anonymous Coward () on

              yes

              Comments
              1. By Anonymous Coward () on

                Read this. OpenBSD-3.4 does NOT include OpenSSH-3.7.1.

                Comments
                1. By gwyllion () on

                  Bullshit. Read this.

  2. By Anonymous Coward () on

    no offense to the sendmail people..but damn. ;)

    Comments
    1. By Anonymous Coward () on

      How come there are so many serious security holes in major MTAs?

      I'm looking forward to seeing sendmail-9.

      Comments
      1. By tedu () on

        They have to do a lot of work. By definition, some of it has to run as root. All its input comes from untrusted users over the network. It has to parse and rewrite that input, which may or may not conform to the RFC format sendmail is expecting.

      2. By Anonymous Coward () on

        The accuracy of your statement hinges on your definition of "major MTAs". There really aren't (m)any serious security holes in a number of MTAs.

      3. By Steph L () on

        You can already help/propose ideas/code to the sendmail folks who are preparing sendmail 9
        See http://www.sendmail.org/~ca/email/sm-9-rfh.html

        People with time & knowledge can push ideas
        and make it better ...
        Sendmail 9 is likely to be as good as Postfix ...

  3. By Juanjo () on

    I do binary updates in order to *fix* all my OpenBSD systems.

    $ DESTDIR=/tmp/fake/ make install does the trick (well, you need to create needed directories into /tmp/fake or make install will fail).

    After that I create a tgz from that fake contents and I install it in the affected systems like a base set (tar xvfzp -.tgz from /).

    It's about 20 minutes each binary update, but I wonder why OpenBSD does not release official binary updates together with the source patch, at least for maintained releases.

    Since you need to apply source patches and recompile, it seems OpenBSD is not a good choice as a development system (if you keep in mind that other UNIX-likes can do the work with a simple apt-get update && apt-get upgrade or whatever).
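As an added illustration of the workflow Juanjo describes (stage a build into a fake root, tar it up, unpack the set on the affected hosts from /), here is a small POSIX sh script. It is not code from the thread: the `DESTDIR=/tmp/fake/ make install` step is stood in for by a constructed file under `usr/libexec/sendmail/`, so the script runs anywhere, and the SHA-256 manifest is an addition so a target host can check the set before unpacking it rather than trusting whatever tgz arrived. All paths, function names and the stand-in file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: stage -> package -> verify -> install
# a "binary update" set. Scratch paths are created with mktemp; nothing
# touches the real /.
set -eu

# Use whichever SHA-256 tool exists: sha256(1) on OpenBSD, sha256sum on Linux.
digest() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | cut -d' ' -f1; fi
}

# stage_tree FAKE: create the directory skeleton "make install" expects
# (the step Juanjo says you must do by hand) and place the rebuilt files.
# A constructed stand-in file plays the role of the rebuilt sendmail binary.
stage_tree() {
    fake=$1
    mkdir -p "$fake/usr/libexec/sendmail" "$fake/usr/sbin"
    printf 'rebuilt sendmail stand-in\n' > "$fake/usr/libexec/sendmail/sendmail"
    chmod 0755 "$fake/usr/libexec/sendmail/sendmail"
}

# build_set FAKE OUT.tgz MANIFEST: record a digest for every regular file in
# the staged tree, then tar the tree relative to its root so that
# "tar xzpf set.tgz" run from / lands each file in the right place.
build_set() {
    fake=$1; out=$2; manifest=$3
    ( cd "$fake" && find . -type f | sort | while read -r f; do
          printf '%s  %s\n' "$(digest "$f")" "$f"
      done ) > "$manifest"
    ( cd "$fake" && tar czf - . ) > "$out"
}

# verify_set MANIFEST ROOT: compare every installed file against the
# manifest; returns 1 on the first mismatch so a tampered set is refused.
verify_set() {
    manifest=$1; root=$2; status=0
    while read -r sum f; do
        if [ "$(cd "$root" && digest "$f")" != "$sum" ]; then
            echo "MISMATCH: $f" >&2; status=1
        fi
    done < "$manifest"
    return $status
}

# install_set OUT.tgz MANIFEST ROOT: unpack with permissions preserved
# (ROOT is / on a real host) and verify the result against the manifest.
install_set() {
    out=$1; manifest=$2; root=$3
    mkdir -p "$root"
    ( cd "$root" && tar xzpf - ) < "$out"
    verify_set "$manifest" "$root"
}

# demo: run the whole flow in a scratch directory; prints the scratch path
# on success so a caller can inspect (or clean up) the result.
demo() {
    work=$(mktemp -d)
    stage_tree "$work/fake"
    build_set "$work/fake" "$work/sendmail-fix.tgz" "$work/sendmail-fix.sha256"
    install_set "$work/sendmail-fix.tgz" "$work/sendmail-fix.sha256" "$work/root"
    [ -x "$work/root/usr/libexec/sendmail/sendmail" ] && echo "$work"
}
```

On a real host you would ship both the tgz and the manifest, check the manifest against a copy obtained over a trusted channel, and run `install_set` with `/` as the root; the verification step is what keeps a 20-minute rebuild from turning into a way of installing an altered binary on every machine at once.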

  4. By Teeeo () on

    I'd like to reiterate that sendmail is not enabled by default on OpenBSD.

    Comments
    1. By Brian () on

      Sendmail is enabled by default on openbsd, but it only listens on the local interface. A vulnerability in sendmail has the potential to allow local users to gain root and could be used to break out of a privsep/chroot jail. No one has said either way on this one, so I advise you patch even if you are only running sendmail in the default configuration and have no local users.

      Comments
      1. By gustavo () on

        Could be used by someone with priv elevation in
        mind. Hopefully we are testing systrace all around some servers and soon release something
        to "public".
        Stay tuned and take a look at it(systrace), every
        comment is welcome.

        P.S.: idea behind systrace is another level of
        help and not advocate "instant security".

  5. By Arrigo Triulzi () on http://www.alchemistowl.org/arrigo

    Yep, as usual, for those who are still running OpenBSD 3.0 and can't upgrade...

    The patch for 3.2 does not patch cleanly but the only reject is an

    int maxatom;

    which needs to be added at the beginning of function buildaddr() in parseaddr.c:1833.

    The actual output from the patching is:

    Patching file gnu/usr.sbin/sendmail/sendmail/parseaddr.c using Plan A...
    Hunk #1 succeeded at 666 (offset -34 lines).
    Hunk #2 succeeded at 1003 (offset -1 lines).
    Hunk #3 failed at 1871.
    Hunk #4 succeeded at 1852 (offset -35 lines).
    Hunk #5 succeeded at 1910 (offset -17 lines).
    Hunk #6 succeeded at 1918 (offset -35 lines).
    Hunk #7 succeeded at 2037 (offset -21 lines).
    Hunk #8 succeeded at 2054 (offset -35 lines).
    1 out of 8 hunks failed--saving rejects to gnu/usr.sbin/sendmail/sendmail/parseaddr.c.rej

    (notice the offsets).

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]