Slackware: sendmail Buffer overflow vulnerability
Posted by LinuxSecurity.com Team   
Slackware The sendmail packages in Slackware 8.0, 8.1, and 9.0 have been patchedto fix a security problem. Note that this vulnerablity is NOT the sameone that was announced on March 3rd and requires a new fix.

[slackware-security]  Sendmail buffer overflow fixed (NEW)

The sendmail packages in Slackware 8.0, 8.1, and 9.0 have been patched
to fix a security problem.  Note that this vulnerablity is NOT the same
one that was announced on March 3rd and requires a new fix.

All sites running sendmail should upgrade.

More information on the problem can be found here:
 
http://www.sendmail.org/8.12.9.html

Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Sat Mar 29 13:46:36 PST 2003
patches/packages/sendmail-8.12.9-i386-1.tgz:  Upgraded to sendmail-8.12.9.
  From sendmail's RELEASE_NOTES:
    8.12.9/8.12.9   2003/03/29
    SECURITY: Fix a buffer overflow in address parsing due to
              a char to int conversion problem which is potentially
              remotely exploitable.  Problem found by Michal Zalewski.
              Note: an MTA that is not patched might be vulnerable to
              data that it receives from untrusted sources, which
              includes DNS.
  (* Security fix *)
patches/packages/sendmail-cf-8.12.9-noarch-1.tgz:  Updated config files for
  sendmail-8.12.9.
+--------------------------+



WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+

Updated packages for Slackware 8.0: 
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/sendmail.tgz 
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/smailcfg.tgz

Updated packages for Slackware 8.1: 
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/sendmail-8.12.9-i386-1.tgz 
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/sendmail-cf-8.12.9-noarch-1.tgz

Updated packages for Slackware 9.0: 
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/sendmail-8.12.9-i386-1.tgz 
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/sendmail-cf-8.12.9-noarch-1.tgz



MD5 SIGNATURES:
+-------------+

Here are the md5sums for the packages:

Slackware 8.0 packages:
c29c3063313534bee8db13c5afcd1abc  sendmail.tgz
1b3be9b45f0d078e1053b80069538ca7  smailcfg.tgz

Slackware 8.1 packages:
b1b538ae7685ce8a09514b51f8802614  sendmail-8.12.9-i386-1.tgz
628b61a20f4529b514060620e5e601e7  sendmail-cf-8.12.9-noarch-1.tgz

Slackware 9.0 packages:
5f4f92f933961b6e652d294cd76da426  sendmail-8.12.9-i386-1.tgz
45b217e09d5ff2d0e1b7b12a389c86ec  sendmail-cf-8.12.9-noarch-1.tgz



INSTALLATION INSTRUCTIONS:
+------------------------+

First (as root), stop sendmail:

. /etc/rc.d/rc.sendmail stop

Next, upgrade the sendmail package(s) with upgradepkg:

upgradepkg sendmail-*.tgz

Finally, restart sendmail:

. /etc/rc.d/rc.sendmail start



+-----+

Slackware Linux Security Team 
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+