Date: Fri, 21 Apr 2000 09:02:22 -0700 (PDT)
From: Gregory Neil Shapiro <sendmail+gshapiro@sendmail.org>
To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Cc: sendmail-bugs@sendmail.org, ports@FreeBSD.org, aleph1@securityfocus.com
Subject: Re: P.S. to sorry
Message-ID: <14592.31630.387912.707624@horsey.gshapiro.net>
In-Reply-To: <11829.000421@SECURITY.NNOV.RU>
References: <11829.000421@SECURITY.NNOV.RU>

3APA3A> It doesn't mean that there is no fgets() problem in mail.local -
3APA3A> there is fgets() then checking incoming mail for ".\n" in LMTP mode.
3APA3A> Text "(2047 chars).\n" will be treated as an end of the message and
3APA3A> the rest of the text will be treated as LMTP commands. This allows
3APA3A> for attacker to insert any LMTP commands inside e-mail message. (as
3APA3A> I remember sendmail can use LMTP, I don't remember if it is default
3APA3A> behavior or not). It can be very unpleasant. I just need to rewrite
3APA3A> report :)

From the sendmail 8.10.0 RELEASE_NOTES:

    MAIL.LOCAL: When a mail message includes lines longer than 2046
        characters (in LMTP mode), mail.local will split the incoming
        line up into 2046-character output lines (excluding the
        newline). If an input line is 2047 characters long (excluding
        CR-LF) and the last character is a '.', mail.local will see it
        as the end of input, transfer it to the user mailbox and try
        to write an `ok' back to sendmail. If the message was much
        longer, both sendmail and mail.local will deadlock waiting for
        each other to read what they have written. Problem noted by
        Peter Jeremy of Alcatel Australia Limited.
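
The chunking problem discussed in this message, as an added C example (not mail.local's source and not part of the original e-mail): a reader that treats every fgets() chunk as a full line, next to one that accepts ".\n" only at the start of a line. The 2048-byte buffer, LF-only line endings, the absence of dot-stuffing, and the names `body_len` and `run_on_sample` are assumptions made for the illustration; the input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF 2048 /* assumed size; fgets() then returns at most 2047 chars */

/* Returns the number of body bytes seen before the end-of-data marker.
 * track_line_start = 0: flawed pattern, every fgets() chunk is taken as a line.
 * track_line_start = 1: ".\n" counts only when the chunk begins a new line. */
static long body_len(FILE *in, int track_line_start)
{
    char buf[LINE_BUF];
    long n = 0;
    int at_line_start = 1;
    while (fgets(buf, sizeof buf, in) != NULL) {
        size_t len = strlen(buf);
        if (strcmp(buf, ".\n") == 0 && (at_line_start || !track_line_start))
            return n;
        n += (long)len;
        at_line_start = (len > 0 && buf[len - 1] == '\n');
    }
    return -1; /* EOF before any terminator */
}

/* Constructed input: 2047 'A's + ".\n", one more body line, real terminator. */
static long run_on_sample(int track_line_start)
{
    FILE *f = tmpfile();
    long n;
    int i;
    if (f == NULL)
        return -2; /* no temp file available */
    for (i = 0; i < LINE_BUF - 1; i++)
        fputc('A', f);
    fputs(".\nstill body\n.\n", f);
    rewind(f);
    n = body_len(f, track_line_start);
    fclose(f);
    return n;
}

int main(void)
{
    printf("chunk-as-line: body ends after %ld bytes\n", run_on_sample(0));
    printf("line-aware:    body ends after %ld bytes\n", run_on_sample(1));
    return 0;
}
```

The first reader stops after the 2047-byte chunk and leaves the rest of the message in the stream, which is the state both the quoted report and the release note describe; the second consumes the whole body up to the real terminator.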