An input validation error in sendmail has been discovered by Cade Cairns of
SecurityFocus. This problem can be exploited by local users to gain root
access. It is not exploitable by remote attackers without shell access.
New packages based on sendmail.8.11.6 have been prepared for Slackware 7.1
and 8.0.
Detailed information about this security problem may be found here:
New procmail packages have been prepared as well, based on procmail-3.21.
The ChangeLog notes that these problems were fixed as of procmail-3.20,
but it's not known how serious they really are:
- SECURITY: don't do unsafe things from signal handlers:
- ignore TRAP when terminating because of a signal
- resolve the host and protocol of COMSAT when it is set
- save the absolute path form of $LASTFOLDER for the comsat
message when it is set
- only use the log buffer if it's safe
WHERE TO FIND THE NEW PACKAGES:
-------------------------------
Updated packages for Slackware 8.0:
Updated packages for Slackware 7.1:
MD5 SIGNATURES:
---------------
Here are the md5sums for the packages:
Slackware 8.0 packages:
56099f1bce9643e44342711878a7ceb0 ./packages/procmail.tgz
3d03fd648ecf40eed56ff915780fb8ab ./packages/sendmail.tgz
1a13d98a11d0af853893a640909d8958 ./packages/smailcfg.tgz
Slackware 7.1 packages:
121f13cecaaac0efdc1b510b68e6c147 ./packages/procmail.tgz
7c0e57969057ba72e6b59e26aa39de04 ./packages/sendmail.tgz
9e30e9e07fce4001bbf7f330cb2f9d71 ./packages/smailcfg.tgz
INSTALLATION INSTRUCTIONS:
--------------------------
First, kill any existing sendmail processes:
killall -9 sendmail
Then, as root, upgrade the sendmail package with upgradepkg:
upgradepkg sendmail.tgz
Then, restart sendmail:
/usr/sbin/sendmail -bd -q15m
- Slackware Linux Security Team
The Slackware Linux Project
Slackware: 'sendmail' input validation vulnerability
August 27, 2001
This problem can be exploited by local users to gain rootaccess
Summary
Where Find New Packages
MD5 Signatures
Severity
An input validation error in sendmail has been discovered by Cade Cairns of SecurityFocus. This problem can be exploited by local users to gain root access. It is not exploitable by remote attackers without shell access. New packages based on sendmail.8.11.6 have been prepared for Slackware 7.1 and 8.0.
Detailed information about this security problem may be found here:
New procmail packages have been prepared as well, based on procmail-3.21. The ChangeLog notes that these problems were fixed as of procmail-3.20, but it's not known how serious they really are: - SECURITY: don't do unsafe things from signal handlers: - ignore TRAP when terminating because of a signal - resolve the host and protocol of COMSAT when it is set - save the absolute path form of $LASTFOLDER for the comsat message when it is set - only use the log buffer if it's safe
WHERE TO FIND THE NEW PACKAGES: -------------------------------
Updated packages for Slackware 8.0:
Updated packages for Slackware 7.1:
MD5 SIGNATURES: ---------------
Here are the md5sums for the packages:
Slackware 8.0 packages: 56099f1bce9643e44342711878a7ceb0 ./packages/procmail.tgz 3d03fd648ecf40eed56ff915780fb8ab ./packages/sendmail.tgz 1a13d98a11d0af853893a640909d8958 ./packages/smailcfg.tgz
Slackware 7.1 packages: 121f13cecaaac0efdc1b510b68e6c147 ./packages/procmail.tgz 7c0e57969057ba72e6b59e26aa39de04 ./packages/sendmail.tgz 9e30e9e07fce4001bbf7f330cb2f9d71 ./packages/smailcfg.tgz
INSTALLATION INSTRUCTIONS: --------------------------
First, kill any existing sendmail processes:
killall -9 sendmail
Then, as root, upgrade the sendmail package with upgradepkg:
upgradepkg sendmail.tgz
Then, restart sendmail:
/usr/sbin/sendmail -bd -q15m
- Slackware Linux Security Team The Slackware Linux Project
Installation Instructions
News
HOWTOs
Features
About Us
Powered By
