Sendmail, Inc.
_________________________________________________________________

Sendmail 8.9.1a patch
MIME Buffer Overflows

Introduction

Several e-mail clients have recently been shown to have buffer overflows that may allow attackers to execute arbitrary commands on users' machines. Sendmail, Inc. has produced a patch for sendmail 8.9.1 that will proactively defend against such attacks. It is important to note that sendmail itself is not vulnerable to these attacks. By truncating long MIME headers before they arrive in end users' mailboxes, such attacks can be deflected before they can do damage.

Getting and Installing the Patch

Before you can use this patch, you must be running sendmail 8.9.1, available from ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.1.tar.gz. Instructions for installation are included with that file. You should download and unpack that distribution, but not compile it until installing the patch, as described below.

The patch is available from http://www.sendmail.com/sendmail.8.9.1a.patch or from ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.1a.patch. Load the patch into the src subdirectory of the sendmail 8.9.1 source directory. Install the patch using the commands:

    cd sendmail-8.9.1/src
    patch < sendmail.8.9.1a.patch

This will update the sendmail 8.9.1 code base to version 8.9.1a.

Note: It appears some older versions of the patch program have problems applying this patch. If you get an error from your patch program, get the latest version of patch from the Free Software Foundation at ftp://ftp.gnu.org/pub/gnu/patch-2.5.tar.gz.

Compiling Sendmail 8.9.1a

Create a new site.config.m4 file in the BuildTools/Site directory, or append the following line to an existing site.config.m4 file:

    APPENDDEF(`confENVDEF', `-D_FFR_MAX_MIME_HEADER_LENGTH=1')

The -D flag is necessary to tell sendmail to compile in the new changes.

Compile sendmail using the following command from inside the src subtree:

    ./Build -c

The -c flag is necessary to tell sendmail to recompile the binary from scratch using the new site.config.m4 file. If you do not include this flag in the compilation, you will not get the new feature.

Updating the Sendmail Configuration

To enable this option in the newly created binary, create an m4 configuration (.mc) file as you usually would and add the following lines:

    LOCAL_CONFIG
    O MaxMimeHeaderLength=256/128

After modifying your .mc file, be sure to regenerate your sendmail.cf using:

    cd sendmail-8.9.1/cf/cf
    m4 ../m4/cf.m4 myfile.mc > myfile.cf

If you do not use m4 to generate your sendmail.cf file, simply add the line

    O MaxMimeHeaderLength=256/128

to your existing sendmail.cf.

This option causes MIME headers to be truncated to a total of 256 characters; no individual field is permitted to exceed 128 characters. These values should be safe for the common mail clients that are vulnerable.

Reinstalling and Restarting Sendmail

After rebuilding your sendmail binary and sendmail configuration file, be sure to reinstall them. Typically, this is done using the following command in the src directory:

    ./Build install

You must also manually install the newly created sendmail.cf by copying the file to /etc/sendmail.cf.

After installing the updated files, be sure to restart the running sendmail daemon. This can be accomplished by sending the HUP signal to the sendmail daemon PID. For example, if your sendmail.pid file is saved in /var/run, you would use the command:

    kill -HUP `head -1 /var/run/sendmail.pid`

Tradeoffs

As this patch requires scanning the body of the message for MIME indicators, there will be a performance penalty to run this code. However, only one sendmail server in the path of the mail needs to run this code. For example, if all of your mail from the Internet comes through one firewall, only that firewall needs to run the patched code.

If you have installed patches for your mail clients from the vendors (that is, if you have fixed the vulnerability at the client level), it is not necessary to install this patch.

Disclaimers

Sendmail, Inc. does not commit to supporting this patch in its current form in future releases. This is not a replacement for fixing the vulnerable mail clients. However, installing this patch will give you the time needed to update your clients.

Other Information

For other information about this vulnerability, consult the following documents:

* ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.02.Outlook.buffer.overflow
* http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml
* http://www.cert.org/advisories/CA-98.10.mime_buffer_overflows.html
* http://www.ciac.org/ciac/MIMEfaq.html
* http://www.netscape.com/products/security/resources/bugs/longfile.html
* http://www.microsoft.com/ie/security/oelong.htm
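The MaxMimeHeaderLength=256/128 policy described above, worked through as an added example that is not sendmail's own code: the whole MIME header value is capped at 256 characters and each ';'-separated field at 128. Which headers sendmail treats as MIME headers, how it cuts a field, and the sample message are all assumptions here; this version re-closes a quoted parameter value so the truncated header still parses.

```python
# Added example, not sendmail's own code: the MaxMimeHeaderLength=256/128
# policy as the advisory describes it.  256 caps the whole header value,
# 128 caps each ';'-separated field (e.g. name="...").  The header set below
# and the way a field is cut are assumptions: this version re-closes a quoted
# parameter value so the truncated header still parses.  Splitting on ';'
# ignores quoted ';' characters, a simplification.

MIME_HEADERS = {"content-type", "content-disposition",
                "content-transfer-encoding"}          # assumed set

def truncate_field(field, max_field):
    """Cut one field to max_field characters, keeping key="..." well formed."""
    if len(field) <= max_field:
        return field
    key, sep, val = field.partition("=")
    if sep and len(val) >= 2 and val.startswith('"') and val.endswith('"'):
        room = max_field - len(key) - 3          # key, '=', and two quotes
        return key + '="' + val[1:-1][:max(room, 0)] + '"'
    return field[:max_field]

def truncate_mime_header(name, value, max_header=256, max_field=128):
    """Return (new_value, truncated) for the header line `name: value`."""
    if name.lower() not in MIME_HEADERS:
        return value, False                      # only MIME headers are capped
    fields = [f.strip() for f in value.split(";") if f.strip()]
    cut = [truncate_field(f, max_field) for f in fields]
    new = "; ".join(cut)
    truncated = any(a != b for a, b in zip(fields, cut)) or len(new) > max_header
    return new[:max_header], truncated

def filter_headers(headers, max_header=256, max_field=128):
    """Apply the policy to (name, value) pairs; return (new_pairs, n_truncated)."""
    result, n = [], 0
    for name, value in headers:
        new, cut = truncate_mime_header(name, value, max_header, max_field)
        result.append((name, new))
        n += cut
    return result, n

# Constructed sample message: an attachment whose name runs to 300 characters.
SAMPLE = [
    ("From", "sender@example.com"),
    ("Subject", "quarterly report"),
    ("Content-Type", 'application/octet-stream; name="' + "A" * 300 + '"'),
]

if __name__ == "__main__":
    for name, value in filter_headers(SAMPLE)[0]:
        print("%s: %s" % (name, value))
```

Running it shows the 300-character name parameter cut back to 121 characters inside its quotes, so the field is exactly 128 characters and the whole value 154, while the non-MIME headers pass through untouched.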