CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail �� CERT

		�� \| �� \| �� \| �� \| ��
		�� \| �� \| �� \| �� \| ��
		��

CERT Advisory CA-2003-07
Remote Buffer Overflow in Sendmail

�� CERT CA-2003-07
³�� Sendmail

�� : March 3, 2003 �� : --
��: CERT/CC

�� .

��

Sendmail Pro (�� )
Sendmail Switch 2.1 prior to 2.1.5
Sendmail Switch 2.2 prior to 2.2.5
Sendmail Switch 3.0 prior to 3.0.3
Sendmail for NT 2.X prior to 2.6.2
Sendmail for NT 3.0 prior to 3.0.3
��, �� sendmail � �� 8.12.8, �� UNIX �� Linux

��

�� sendmail, �� sendmail (� �� - �� root).

I. ��

�� Internet Security Systems (ISS) �� sendmail, �� . �� sendmail.

�� (mail transfer agents -- MTA, ��.) � ��  ��, � �� . �� sendmail � �� MTA, �� sendmail. ��, �� UNIX �� Linux �� sendmail, �� .

�� '�� . �� , �� , � �� . �� , �� MTA, �� , �� MTA, �� . �� , �� sendmail � �� (�� ) ��-�� , �� , �� sendmail �� . ��, �� , �� (firewall).

Sendmail �� CERT/CC, �� . �� , �� . ��, �� , ��, �� .

�� sendmail �� . ��, �� , �� :

Dropped invalid comments from header address

�� , �� .

�� sendmail � �� , �� .

� CERT/CC �� VU#398025. �� CVE CAN-2002-1337.

�� :

       http://www.sendmail.org
       http://www.sendmail.org/8.12.8.html
       http://www.sendmail.com/security/
       http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
       http://www.kb.cert.org/vuls/id/398025

II. ĳ�

�� , � �� sendmail, �� root. �� .

III. ��

�� Sendmail

Sendmail �� 8.9, 8.10, 8.11, �� 8.12. �� . �� , �� 8.12.8. ��

       ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.security.cr.patch
       ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.security.cr.patch
       ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch

��

�� sendmail �� . �� , �� VU#398025. ʳ�� , �� .

�� RunAsUser

�� . �� , �� , �� RunAsUser �� . �� CERT/CC �� , �� .

�� A. - ��

�� . �� , �� CERT/CC, �� . �� , �� , �� .

Apple Computer, Inc.

�� Security Update 2003-03-03. �� Mac OS X 10.1.5 � Mac OS X 10.2.4. �� , �� Mac OS X sendmail �� , �� , �� sendmail �� . ��, �� Mac OS X �� .

Avaya, Inc.

Avaya �� . �� , �� .

BSD/OS

Wind River Systems �� , �� . �� . ��, �� : M500-006 �� BSD/OS �� 5.0 �� Wind River Platform for Server Appliances 1.0, M431-002 �� BSD/OS 4.3.1, �� M420-032 �� BSD/OS 4.2.

Cisco Systems

Cisco �� . �� , �� , �� : http://www.cisco.com/go/psirt

Cray Inc.

��, �� Cray, Inc. � �� Unicos, Unicos/mk, and Unicos/mp �� . Cray �� SPRs 724749 � 724750 �� .

Cray, Inc. �� MTA.

Hewlett-Packard Company

SOURCE:

            Hewlett-Packard Company
            HP Services
            Software Security Response Team

x-ref: SSRT3469 sendmail

HP �� HP.

IBM Corporation

�� AIX �� 4.3.3, 5.1.0 � 5.2.0 �� sendmail.

�� efix, ��
ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z

IBM �� :

          APAR ����� ���    AIX  4.3.3:  IY40500  (���� ������ �����.
          03/12/2003)
          APAR ����� ���    AIX  5.1.0:  IY40501  (���� ������ �����.
          04/28/2003)
          APAR ����� ���    AIX  5.2.0:  IY40502  (���� ������ �����.
          04/28/2003)

Openwall GNU/*/Linux

�� Openwall GNU/*/Linux �� . �� MTA Postfix, � �� sendmail.

Red Hat Inc.

�� sendmail, �� Red Hat Linux, Red Hat Advanced Server � Red Hat Advanced Workstation. �� Red Hat Network �� 'up2date'.

Red Hat Linux:

http://rhn.redhat.com/errata/RHSA-2003-073.html

Red Hat Linux Advanced Server, Advanced Workstation:

http://rhn.redhat.com/errata/RHSA-2003-074.html

SGI

SGI �� VU#398025 �� CERT � �� '�� IRIX.

�� SGI Security Advisory (�� SGI) 20030301-01-P �� ftp://patches.sgi.com/support/free/security/advisories/20030301-01-P �� http://www.sgi.com/support/security/.

The Sendmail Consortium

�� Sendmail Consortium �� sendmail �� 8.12.8 �� . ��, �� 8.9, 8.10, 8.11, � 8.12 �� http://www.sendmail.org/

Sendmail, Inc.

�� , �� Sendmail Switch, Sendmail Advanced Message Server (�� Sendmail Switch MTA), Sendmail for NT, � Sendmail Pro �� . �� http://www.sendmail.com/security.

�� Internet Security Systems, Inc. �� (Eric Allman), �� (Claus Assmann) � �� (Greg Shapiro) � Sendmail �� . �� .

��: Jeffrey P. Lanza � Shawn V. Hernan

This document is available from:
http://www.cert.org/advisories/CA-2003-07.html

�� CERT/CC

Email: [email protected]

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

�� CERT/CC �� "�� " 08:00-17:00 EST(GMT-5) / EDT(GMT-4) � �� '��; �� , �� .

��

�� , �� . �� PGP �� :

http://www.cert.org/CERT_PGP.key

�� DES, �� , �� "�� " CERT �� .

��

�� CERT �� http://www.cert.org/

�� CERT �� [email protected]. �� , ��

subscribe cert-advisory

"CERT" and "CERT Coordination Center" �� .

�� Ҳ�
�� 崳 �� (Carnegie Mellon University and the Software Engineering Institute) �� "�� ". �� 崳 �� , �� , �� , �� , �� . �� 崳 �� , �� .

�� , ��

��
Mar 03, 2003: ��

�� : �� ,

2003 ��, 3 ��.

��

[an error occurred while processing this directive]

CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail

������������ CERT CA-2003-07 ³������� ������������ ������ � Sendmail

CERT Advisory CA-2003-07
Remote Buffer Overflow in Sendmail

�� CERT CA-2003-07
³�� Sendmail