Bugtraq mailing list archives

Remote exploit in sendmail 8.8.0


From: nobody () cypherpunks ca (John Anonymous MacDonald)
Date: Wed, 16 Oct 1996 21:34:10 -0500


There is a serious bug in the mime7to8() function of sendmail 8.8.0
which allows anyone who can send you mail to execute arbitrary code as
root on your machine.  I think mime7to8() only gets invoked if you set
the undocumented "9" mailer flag.  However, this flag is set by
default in the cf/mailer/local.m4 file that ships with sendmail
8.8.0.  Thus, if you are using an old V6 format configuration file
from sendmail 8.7, you are probably safe, but if you generated a new
V7 configuration file, you are probably vulnerable to this bug.

========

If you don't want technical details, then here's the short version:

Remove the '9' flag from all mailers in your sendmail.cf file.  Thus,
for instance, if you have the following lines in sendmail.cf:

Mlocal,         P=/bin/mail, F=lsDFMAw5:/|@qSnE9, S=10/30, R=20/40,
                T=DNS/RFC822/X-Unix,
                A=mail -f $g -d $u
Mprog,          P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/,
                T=X-Unix,
                A=sh -c $u

Change them to this:

Mlocal,         P=/bin/mail, F=lsDFMAw5:/|@qSnE, S=10/30, R=20/40,
                T=DNS/RFC822/X-Unix,
                A=mail -f $g -d $u
Mprog,          P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40, D=$z:/,
                T=X-Unix,
                A=sh -c $u

If you are using m4 to generate your sendmail.cf file, then you should
add lines like this to your '.mc' file:

define(`LOCAL_MAILER_FLAGS', `rmn')dnl     (default is `rmn9')
define(`LOCAL_SHELL_FLAGS', `eu')dnl       (default is `eu9')

========

Now here are the technical details:

The inner loop of mime7to8() looks like this:

        u_char *obp;
        char buf[MAXLINE];
        u_char obuf[MAXLINE];

        ...

                /* quoted-printable */
                obp = obuf;     /* output cursor starts at the beginning of obuf */
                while (fgets(buf, sizeof buf, e->e_dfp) != NULL)
                {
                        /* a 0 return means "soft line break": keep appending,
                         * but the limit passed is still the full MAXLINE even
                         * though obp is no longer at the start of obuf */
                        if (mime_fromqp((u_char *) buf, &obp, 0, MAXLINE) == 0)
                                continue;

                        putline((char *) obuf, mci);
                        obp = obuf;     /* only reset after a complete line */
                }

When mime_fromqp() encounters a line that ends "=\n", it chops those
two characters off and returns 0 to indicate a continuation line.
This causes the while loop to continue, reading another input line and
appending its contents to obuf.  However, when the loop continues
without resetting obp to obuf, there are fewer than MAXLINE characters
left in the output buffer.  This means an attacker can simply create a
very large message in which each line ends with "=".  Eventually obp
will move beyond the end of obuf and start writing almost arbitrary
data to the sendmail process's stack (as long as no bytes are 0).
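The following is an added example, not sendmail's code and not the fix shipped by the sendmail project: a small quoted-printable decoder with the same shape as the loop above, where the decoder is handed the space actually left after the output cursor instead of the whole buffer size, so a run of "=" continuation lines is rejected instead of running past the buffer. All names (OUTBUF, qp_decode_line, qp_decode_message, the example_* functions) and the sample messages are constructed for this illustration.

```c
/*
 * Added example (not sendmail's code): a bounded quoted-printable decoder
 * modelled on the mime7to8()/mime_fromqp() loop quoted above.  All names
 * (OUTBUF, qp_decode_line, qp_decode_message, example_*) are hypothetical.
 */
#include <stdio.h>
#include <string.h>

#define OUTBUF 64  /* stands in for MAXLINE; small so the bound is easy to hit */

static int hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	return -1;
}

/*
 * Decode one raw input line into *outp, never writing more than `remaining`
 * bytes.  Returns 1 for a complete line (newline appended), 0 for a soft line
 * break (line ends in "=": the caller keeps appending), -1 if space runs out.
 */
static int
qp_decode_line(const char *in, size_t inlen, unsigned char **outp, size_t remaining)
{
	unsigned char *o = *outp, *end = *outp + remaining;
	size_t i = 0;
	int soft;

	while (inlen > 0 && (in[inlen - 1] == '\n' || in[inlen - 1] == '\r'))
		inlen--;
	soft = (inlen > 0 && in[inlen - 1] == '=');
	if (soft)
		inlen--;
	while (i < inlen) {
		int c = (unsigned char) in[i];
		if (c == '=' && i + 2 < inlen) {
			int h = hexval(in[i + 1]), l = hexval(in[i + 2]);
			if (h >= 0 && l >= 0) {	/* "=XX" escape */
				c = (h << 4) | l;
				i += 2;
			}	/* malformed escape: '=' passes through unchanged */
		}
		i++;
		if (o >= end)
			return -1;	/* bound checked on every byte written */
		*o++ = (unsigned char) c;
	}
	if (!soft) {
		if (o >= end)
			return -1;
		*o++ = '\n';
	}
	*outp = o;
	return soft ? 0 : 1;
}

/*
 * Decode a whole message, accumulating each logical line in obuf as the
 * sendmail loop does, but passing the space left after obp rather than the
 * whole buffer size.  Returns the number of logical lines written to dst, or
 * -1 if a logical line would not fit (rejected instead of overflowing).  A
 * trailing fragment without a final newline is dropped.
 */
static int
qp_decode_message(const char *msg, char *dst, size_t dstsz)
{
	unsigned char obuf[OUTBUF], *obp = obuf;
	size_t used = 0, n;
	int lines = 0;
	const char *p = msg;

	dst[0] = '\0';
	while (*p != '\0') {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t) (nl - p + 1) : strlen(p);
		int rc = qp_decode_line(p, len, &obp, (size_t) (obuf + sizeof obuf - obp));

		if (rc < 0)
			return -1;
		p += len;
		if (rc == 0)
			continue;	/* soft break: obp stays where it is */
		n = (size_t) (obp - obuf);
		if (used + n >= dstsz)
			return -1;
		memcpy(dst + used, obuf, n);
		used += n;
		dst[used] = '\0';
		lines++;
		obp = obuf;
	}
	return lines;
}

static char example_out[256];

/* Constructed input: "=20" is a space, "=3D" is '=', "wor=\n" is a soft break. */
int example_decode_ok(void)
{
	return qp_decode_message("Hello=20wor=\nld=3D!\nsecond\n", example_out, sizeof example_out);
}

const char *example_decode_text(void)
{
	example_decode_ok();
	return example_out;
}

/* Constructed input: eight 10-byte lines joined by soft breaks exceed OUTBUF. */
int example_oversize_rejected(void)
{
	char big[128] = "", out[256];
	int i;

	for (i = 0; i < 8; i++)
		strcat(big, "AAAAAAAAAA=\n");
	strcat(big, "end\n");
	return qp_decode_message(big, out, sizeof out);
}

int main(void)
{
	printf("%d logical lines:\n%s", example_decode_ok(), example_decode_text());
	printf("oversize message rc = %d\n", example_oversize_rejected());
	return 0;
}
```

The one change that matters relative to the quoted loop is the fourth argument to the decoder: the remaining space is recomputed from obp on every iteration, so the continuation-line path cannot write past the end of obuf no matter how many lines end in "=". Rejecting the message with an error is the conservative choice; a real MTA would instead want to flush or fold the over-long logical line.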
