Bugtraq mailing list archives
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
From: Claus Assmann <ca+bugtraq () zardoc endmail org>
Date: Thu, 23 Mar 2006 19:08:37 -0800
On Thu, Mar 23, 2006, Gadi Evron wrote:

> To begin with, anyone noticed the memory leak they (Sendmail) silently patched?

Hmm, which one? Please read the code carefully and tell me where the leak is (was).

> Second, the Integer Overflow is practical, not theoretical.

It is avoided by the standard configuration.

> They say it's a remote code execution. They say it's a race condition. No real data available to speak of. I can't see how it's remotely exploitable, but well, no details, remember? From what we can see it seems

Ask ISS about the exploit. It definitely is a programming bug, just read the man page for setjmp() on an OpenBSD system.

> What they did behind the smoke-screen is replace a lot of setjmp() and

Which "smoke-screen"?

> longjmp() functions (not very secure ones at that) with goto's (interesting choice).

What's interesting about that? if (function-call == failed) goto error-handler; seems like a common way to deal with "fatal" errors (and an I/O error in an SMTP server means you have to abort the connection). How do you deal with errors?

> The int overflow is possibly exploitable, not very sure about the

First you have to turn off the default limit.

> jumps. No idea why ISS says the Race Condition is, would love insight.

Ask ISS.

> Sendmail's announcement
> -----------------------
> Obscure. Not worth any other comments other than the ones above.

What's obscure about http://www.sendmail.org/8.13.6.html ?

> Not to mention the silently patched memory leak.

Please check your facts.

> It took Sendmail a month to fix this. A month.

No. It took sendmail a week to fix this. The rest of the time was used to coordinate the release with all the involved vendors etc.

Can you do me a favor? Next time you want to spread information about a "memory leak" or something similar: contact the author(s) first. See sendmail.org's website.

PS: I don't speak for anyone but me.
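The error-handling pattern Claus points at above, "if (function-call == failed) goto error-handler;", is easy to show in isolation. The following is an added illustration, not code from this thread or from sendmail: a made-up connection handler (struct fake_conn, read_byte, track_malloc, handle_connection are all constructed names) that reads CRLF-terminated lines from an in-memory buffer and aborts on a simulated I/O error. Every failure is one goto to a single cleanup label, and an allocation counter lets the caller confirm that neither the success path nor the abort path leaks. The comment at the cleanup label states what setjmp()/longjmp() would cost here, which is the point the setjmp(3) manual page makes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a network connection: an in-memory byte string
 * plus an offset at which read_byte() reports an I/O error (-1 = never). */
struct fake_conn {
    const char *data;
    size_t len;
    size_t pos;
    long fail_at;
};

static struct fake_conn make_conn(const char *s, long fail_at)
{
    struct fake_conn c = { s, strlen(s), 0, fail_at };
    return c;
}

/* Outstanding heap blocks, so a caller can verify that nothing leaked on
 * either the success path or the abort path. */
static int live_allocs = 0;

static void *track_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL) live_allocs++;
    return p;
}

static void track_free(void *p)
{
    if (p != NULL) { free(p); live_allocs--; }
}

/* Next byte from the connection: >0 on data, 0 on EOF, -1 on I/O error. */
static int read_byte(struct fake_conn *c)
{
    if (c->fail_at >= 0 && (long)c->pos == c->fail_at) return -1;
    if (c->pos >= c->len) return 0;
    return (unsigned char)c->data[c->pos++];
}

#define MAX_LINE  128
#define MAX_LINES 16

/* Reads CRLF-terminated lines until EOF. Returns the number of complete
 * lines, or -1 if the connection had to be aborted (I/O error, over-long
 * line, too many lines, allocation failure). */
int handle_connection(struct fake_conn *c)
{
    char *line = NULL;
    char **lines = NULL;
    int nlines = 0, pos = 0, rc = -1;

    line = track_malloc(MAX_LINE);
    if (line == NULL) goto fail;
    lines = track_malloc(MAX_LINES * sizeof *lines);
    if (lines == NULL) goto fail;

    for (;;) {
        int b = read_byte(c);
        if (b < 0) goto fail;                 /* I/O error: abort the connection */
        if (b == 0) break;                    /* EOF: a partial line is dropped */
        if (pos >= MAX_LINE - 1) goto fail;   /* over-long line is fatal too */
        line[pos++] = (char)b;
        if (pos >= 2 && line[pos - 2] == '\r' && line[pos - 1] == '\n') {
            line[pos - 2] = '\0';
            if (nlines >= MAX_LINES) goto fail;
            lines[nlines] = track_malloc(strlen(line) + 1);
            if (lines[nlines] == NULL) goto fail;
            strcpy(lines[nlines], line);
            nlines++;
            pos = 0;
        }
    }
    rc = nlines;                              /* success: fall into the cleanup */

fail:
    /* Single exit for every path. A longjmp() to a handler in some caller
     * would skip these frees entirely, and if this function had called
     * setjmp() and a callee longjmp()'d back, the C standard would leave
     * every non-volatile local changed in between (nlines, lines, ...)
     * indeterminate; see setjmp(3). A goto never leaves the function, so
     * the locals stay well-defined. */
    for (int i = 0; i < nlines; i++) track_free(lines[i]);
    track_free(lines);
    track_free(line);
    return rc;
}

int main(void)
{
    struct fake_conn ok = make_conn("EHLO client\r\nMAIL FROM:<a@b>\r\n", -1);
    struct fake_conn bad = make_conn("EHLO client\r\nMAIL FROM", 17);
    int r1 = handle_connection(&ok);
    printf("clean session: %d lines, %d live allocs\n", r1, live_allocs);
    int r2 = handle_connection(&bad);
    printf("I/O error at byte 17: rc=%d, %d live allocs\n", r2, live_allocs);
    return 0;
}
```

The constructed session in main() is two SMTP-looking lines; the second run injects the read error inside the second line, so one line has already been stored when the abort happens, which is exactly the case where a jump that bypasses the cleanup would leak it.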