lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060324030837.GC6817@zardoc.esmtp.org>
Date: Thu, 23 Mar 2006 19:08:37 -0800
From: Claus Assmann <ca+bugtraq@...doc.endmail.org>
To: bugtraq@...urityfocus.com
Subject: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)


On Thu, Mar 23, 2006, Gadi Evron wrote:

> To begin with, anyone noticed the memory leak they (Sendmail) silently
> patched?

Hmm, which one? Please read the code carefully and tell me where
the leak is (was).

> Second, the Integer Overflow is practical, not theoretical.

It is avoided by the standard configuration.

> They say it's a remote code execution. They say it's a race condition. No
> real data available to speak of. I can't see how it's remotely
> exploitable, but well, no details, remember? From what we can see it seems

Ask ISS about the exploit. It definitely is a programming bug,
just read the man page for setjmp() on an OpenBSD system.

> What they did behind the smoke-screen is replace a lot of setjmp() and

Which "smoke-screen"?

> longjmp() functions (not very secure ones at that) with goto's
> (interesting choice).

What's interesting about that?
if (function-call == failed) goto error-handler;
seems like a common way to deal with "fatal" errors (and an I/O
error in an SMTP server means you have to abort the connection).
How do you deal with errors?

> The int overflow is possibly exploitable, not very sure about the

First you have to turn off the default limit.

> jumps. No idea why ISS says the Race Condition is, would love insight.

Ask ISS.

> Sendmail's announcement
> -----------------------
> Obscure. Not worth any other comments other than the ones above.

What's obscure about http://www.sendmail.org/8.13.6.html ?

> Not to mention the silently patched memory leak.

Please check your facts.

> It took Sendmail a mounth to fix this. A mounth.

No. It took sendmail a week to fix this.  The rest of the time was
used to coordinate the release with all the involved vendors etc.

Can you do me a favor? Next time you want to spread information
about a "memory leak" or something similar: contact the author(s)
first. See sendmail.org's website.

PS: I don't speak for anyone but me.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ