CVE-2003-0161

Description

The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special "NOCHAR" control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CVE-2002-1337.

Affected products

• compaq / tru645.1_pk6_bl20 – 5.1_pk6_bl20
• compaq / tru645.1a – 5.1a
• compaq / tru645.1a_pk1_bl1 – 5.1a_pk1_bl1
• compaq / tru645.1a_pk2_bl2 – 5.1a_pk2_bl2
• compaq / tru645.1a_pk3_bl3 – 5.1a_pk3_bl3
• compaq / tru645.1b – 5.1b
• compaq / tru645.1b_pk1_bl1 – 5.1b_pk1_bl1
• compaq / tru644.0b – 4.0b
• compaq / tru644.0d – 4.0d
• compaq / tru644.0d_pk9_bl17 – 4.0d_pk9_bl17
• compaq / tru644.0f – 4.0f
• compaq / tru644.0f_pk6_bl17 – 4.0f_pk6_bl17
• compaq / tru644.0f_pk7_bl18 – 4.0f_pk7_bl18
• compaq / tru644.0g – 4.0g
• compaq / tru644.0g_pk3_bl17 – 4.0g_pk3_bl17
• compaq / tru645.0 – 5.0
• compaq / tru645.0_pk4_bl17 – 5.0_pk4_bl17
• compaq / tru645.0_pk4_bl18 – 5.0_pk4_bl18
• compaq / tru645.0a – 5.0a
• compaq / tru645.0a_pk3_bl17 – 5.0a_pk3_bl17
• compaq / tru645.0f – 5.0f
• compaq / tru645.1 – 5.1
• compaq / tru645.1_pk3_bl17 – 5.1_pk3_bl17
• compaq / tru645.1_pk4_bl18 – 5.1_pk4_bl18
• compaq / tru645.1_pk5_bl19 – 5.1_pk5_bl19
• HP / hp-ux10.34 – 10.34
• HP / hp-ux10.26 – 10.26
• HP / hp-ux10.24 – 10.24
• HP / hp-ux10.20 – 10.20
• HP / hp-ux10.16 – 10.16
• HP / hp-ux10.10 – 10.10
• HP / hp-ux10.09 – 10.09
• HP / hp-ux10.00 – 10.00
• HP / hp-ux10.01 – 10.01
• HP / hp-ux10.08 – 10.08
• HP / hp-ux11.0.4 – 11.0.4
• HP / hp-ux11.00 – 11.00
• HP / hp-ux10.30 – 10.30
• HP / hp-ux11.22 – 11.22
• HP / hp-ux11.20 – 11.20
• HP / hp-ux11.11 – 11.11
• HP / hp-ux_series_70010.20 – 10.20
• HP / hp-ux_series_80010.20 – 10.20
• HP / sis
• sendmail / sendmail8.12.0 – 8.12.0
• sendmail / sendmail2.6.1 – 2.6.1
• sendmail / sendmail2.6.2 – 2.6.2
• sendmail / sendmail3.0 – 3.0
• sendmail / sendmail3.0.1 – 3.0.1
• sendmail / sendmail3.0.2 – 3.0.2
• sendmail / sendmail3.0.3 – 3.0.3
• sendmail / sendmail8.9.0 – 8.9.0
• sendmail / sendmail8.9.1 – 8.9.1
• sendmail / sendmail8.9.2 – 8.9.2
• sendmail / sendmail8.9.3 – 8.9.3
• sendmail / sendmail8.10 – 8.10
• sendmail / sendmail8.10.1 – 8.10.1
• sendmail / sendmail8.10.2 – 8.10.2
• sendmail / sendmail8.11.0 – 8.11.0
• sendmail / sendmail8.11.1 – 8.11.1
• sendmail / sendmail8.11.2 – 8.11.2
• sendmail / sendmail8.11.3 – 8.11.3
• sendmail / sendmail8.11.4 – 8.11.4
• sendmail / sendmail8.11.5 – 8.11.5
• sendmail / sendmail8.11.6 – 8.11.6
• sendmail / sendmail8.12 – 8.12
• sendmail / sendmail8.12 – 8.12
• sendmail / sendmail8.12 – 8.12
• sendmail / sendmail8.12 – 8.12
• sendmail / sendmail8.12 – 8.12
• sendmail / sendmail2.6 – 2.6
• sendmail / sendmail8.12.1 – 8.12.1
• sendmail / sendmail8.12.2 – 8.12.2
• sendmail / sendmail8.12.3 – 8.12.3
• sendmail / sendmail8.12.4 – 8.12.4
• sendmail / sendmail8.12.5 – 8.12.5
• sendmail / sendmail8.12.6 – 8.12.6
• sendmail / sendmail8.12.7 – 8.12.7
• sendmail / sendmail8.12.8 – 8.12.8
• sendmail / sendmail_switch3.0.3 – 3.0.3
• sendmail / sendmail_switch3.0.2 – 3.0.2
• sendmail / sendmail_switch3.0.1 – 3.0.1
• sendmail / sendmail_switch3.0 – 3.0
• sendmail / sendmail_switch2.2.5 – 2.2.5
• sendmail / sendmail_switch2.2.4 – 2.2.4
• sendmail / sendmail_switch2.2.3 – 2.2.3
• sendmail / sendmail_switch2.2.2 – 2.2.2
• sendmail / sendmail_switch2.2.1 – 2.2.1
• sendmail / sendmail_switch2.2 – 2.2
• sendmail / sendmail_switch2.1.5 – 2.1.5
• sendmail / sendmail_switch2.1.4 – 2.1.4
• sendmail / sendmail_switch2.1.3 – 2.1.3
• sendmail / sendmail_switch2.1.2 – 2.1.2
• sendmail / sendmail_switch2.1.1 – 2.1.1
• sendmail / sendmail_switch2.1 – 2.1
• sun / solaris2.4 – 2.4
• sun / solaris2.5 – 2.5
• sun / solaris2.5.1 – 2.5.1
• sun / solaris2.5.1 – 2.5.1
• sun / solaris2.6 – 2.6
• sun / solaris7.0 – 7.0
• sun / solaris8.0 – 8.0
• sun / solaris9.0 – 9.0
• sun / solaris9.0 – 9.0
• sun / solaris9.0 – 9.0
• sun / sunos
• sun / sunos5.4 – 5.4
• sun / sunos5.5 – 5.5
• sun / sunos5.5.1 – 5.5.1
• sun / sunos5.7 – 5.7
• sun / sunos5.8 – 5.8

References

• MISChttp://sunsolve.sun.com/search/document.do?assetkey=1-77-1001088.1-1
• MISChttp://sunsolve.sun.com/search/document.do?assetkey=1-26-52620-1
• VENDOR_ADVISORYftp://patches.sgi.com/support/free/security/advisories/20030401-01-P
• MISChttp://www.securityfocus.com/bid/7230
• MAILING_LISThttp://marc.info/?l=bugtraq&m=104914999806315&w=2
• MISChttp://www.redhat.com/support/errata/RHSA-2003-120.html
• MISChttp://www.securityfocus.com/archive/1/317135/30/25220/threaded
• VENDOR_ADVISORYhttp://www.debian.org/security/2003/dsa-278
• VENDOR_ADVISORYhttp://www.debian.org/security/2003/dsa-290
• MISChttp://www.securityfocus.com/archive/1/317135/30/25220/threaded
• MAILING_LISThttp://lists.apple.com/mhonarc/security-announce/msg00028.html
• MISChttp://sunsolve.sun.com/search/document.do?assetkey=1-26-52700-1
• VENDOR_ADVISORYhttp://www.cert.org/advisories/CA-2003-12.html
• MISCftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-016.0.txt
• MISChttp://www.securityfocus.com/archive/1/316961/30/25250/threaded
• MISChttp://www.redhat.com/support/errata/RHSA-2003-121.html
• MISChttp://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000614
• MISCftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.11/SCOSA-2004.11.txt
• MISChttp://www.gentoo.org/security/en/glsa/glsa-200303-27.xml
• MAILING_LISThttp://lists.grok.org.uk/pipermail/full-disclosure/2003-March/004295.html
• MAILING_LISThttp://marc.info/?l=bugtraq&m=104897487512238&w=2
• VENDOR_ADVISORYftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:07.sendmail.asc
• MISChttp://www.securityfocus.com/archive/1/321997
• MAILING_LISThttp://marc.info/?l=bugtraq&m=104896621106790&w=2
• MISChttp://www.kb.cert.org/vuls/id/897604