Bugtraq mailing list archives

Re: Sendmail 8.7, 8.7.1


From: spew () J51 COM (SnoCrash)
Date: Tue, 10 Oct 1995 15:13:19 -0400


On Tue, 10 Oct 1995, Casper Dik wrote:

Who knows what the root-shell-giving security hole is in Sendmail 8.6.12
that was incompletely patched in 8.7, and (supposedly) finally patched
in 8.7.1?

It's just syslog() overrunning the stack again.  There's also another problem
which causes the data segment to be overrun, but that's not as easy
to abuse (if at all).

There also seems to be some sort of problem with body types.
The following is quoted from the Sendmail 8.7.1 RELEASE_NOTES file:

"Fix a problem that might cause a non-standard -B (body type)
        parameter to be passed to the next server with undefined
        results.  This could have security implications."

Anyone have a clue as to what these "Security Implications" are?
The patch included follows... pretty easy to understand.

<begin patch to src/main.c>
***************
*** 789,795 ****
        else if (strcasecmp(CurEnv->e_bodytype, "8BITMIME") == 0)
                SevenBitInput = FALSE;
        else
!               usrerr("Illegal body type %s", optarg);

        /* Enforce use of local time (null string overrides this) */
        if (TimeZoneSpec == NULL)
--- 789,798 ----
        else if (strcasecmp(CurEnv->e_bodytype, "8BITMIME") == 0)
                SevenBitInput = FALSE;
        else
!       {
!               usrerr("Illegal body type %s", CurEnv->e_bodytype);
!               CurEnv->e_bodytype = NULL;
!       }

        /* Enforce use of local time (null string overrides this) */
        if (TimeZoneSpec == NULL)
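Review bot: the line that actually matters in this hunk is `CurEnv->e_bodytype = NULL;`, since usrerr() reports the error but returns, and without the reset the rejected value stays in the envelope and is what gets passed along as -B to the next server (the RELEASE_NOTES text quoted above describes exactly that); a one-line comment above the reset stating that an unrecognised body type must not be forwarded would make the intent explicit to the next maintainer. Also, the message argument changed from optarg to CurEnv->e_bodytype; that is fine as long as both hold the same string at this point, but the hunk shows only the comparisons and not where e_bodytype is assigned, so that should be confirmed rather than assumed.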

<end patch>

I haven't had time to play around with body types yet; although this bug
seems to be patched, we can never be sure with sendmail. :)
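The behaviour the 8.7.1 hunk enforces, validating the body type against the values the code recognises and dropping anything else before it can be forwarded to the next hop, as a small added C example. This is illustrative code written for this archive page, not sendmail source; the function names validate_body_type and build_mail_from, the 16-character length cap and the sample inputs are all constructed here. Only 7BIT and 8BITMIME are accepted, matching the comparisons visible in the patch, and the outgoing line is built with a bounded snprintf so an over-long value cannot overrun the buffer either.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, as used in the patched main.c */

/* Hypothetical helper (not sendmail code): the body types the patched
 * code recognises for the -B flag / ESMTP BODY= parameter. */
static const char *const known_body_types[] = { "7BIT", "8BITMIME" };

/* Return the canonical spelling of a recognised body type, or NULL.
 * Mirrors the 8.7.1 fix: an unrecognised value is discarded (NULL)
 * instead of being kept in the envelope and forwarded. */
const char *validate_body_type(const char *bt)
{
    size_t i;
    if (bt == NULL)
        return NULL;
    /* an over-long string cannot be a valid token; reject before comparing */
    if (strlen(bt) > 16)
        return NULL;
    for (i = 0; i < sizeof known_body_types / sizeof known_body_types[0]; i++)
        if (strcasecmp(bt, known_body_types[i]) == 0)
            return known_body_types[i];
    return NULL;
}

/* Build the MAIL FROM line that would go to the next server.  BODY= is
 * appended only for a validated body type, so a rejected command-line
 * value never reaches the peer.  Output is bounded by buflen; returns the
 * number of characters written, or -1 on error or truncation. */
int build_mail_from(const char *sender, const char *bodytype,
                    char *buf, size_t buflen)
{
    const char *bt = validate_body_type(bodytype);
    int n;
    if (sender == NULL || buf == NULL || buflen == 0)
        return -1;
    if (bt != NULL)
        n = snprintf(buf, buflen, "MAIL FROM:<%s> BODY=%s", sender, bt);
    else
        n = snprintf(buf, buflen, "MAIL FROM:<%s>", sender);
    if (n < 0 || (size_t)n >= buflen)   /* truncated output is an error */
        return -1;
    return n;
}

int main(void)
{
    char line[128];
    /* constructed sample inputs: two valid spellings, two rejected values */
    const char *samples[] = { "8bitmime", "7BIT", "BINARYMIME", "bogus" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_mail_from("user@example.org", samples[i], line, sizeof line) >= 0)
            printf("%-12s -> %s\n", samples[i], line);
    }
    return 0;
}
```

The check is deliberately a whitelist: the question is not whether a value looks harmful but whether it is one of the two strings the receiving side is known to handle, which is the same decision the patch makes by clearing e_bodytype on the else branch.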


