[CLA-2002:514] Conectiva Linux Security Announcement - sendmail


Date: Mon, 5 Aug 2002 15:17:17 -0300
From: secure@conectiva.com.br
To: conectiva-updates@papaleguas.conectiva.com.br
Subject: [CLA-2002:514] Conectiva Linux Security Announcement - sendmail

--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE   : sendmail
SUMMARY   : Local Denial of Service
DATE      : 2002-08-05 14:57
ID        : CLA-2002:514
RELEVANT
RELEASES  : 6.0, 7.0, 8

-------------------------------------------------------------------------

DESCRIPTION
 Sendmail is a widely used Mail Transfer Agent (MTA).
 
 As publicized[1] by lumpy and reported in the
 sendmail website, a local user can stop the mail service (in the
 sense of "freezing" some operations) by holding an exclusive reading
 lock on some specific sendmail files (using a system call like
 flock()). In order to do that, the user must have permission to read
 the file. One example of such a file is /var/log/sendmail.st, which
 is world readable by default.
 
 By exploiting this vulnerability, a malicious local user can delay
 (for an undetermined amount of time) the e-mail delivery, thus
 characterizing a Denial of Service (DoS) attack.


SOLUTION
 The current solution is to allow only root and users belonging to the
 mail group to read the files which are written by sendmail and its
 utilities (like newaliases).
 
 In order to do so, just run the following commands (as root user):
 
  chmod 0640 /etc/mail/*.db
  chmod 0640 /var/log/sendmail.st
 
 The given change does not affect the sendmail functionality and is
 the recommended procedure for all users.
 
 It is possible to obtain a list of users and programs which are
 accessing some file (and possibly locking it) with the lsof command,
 as seen in the example below:
 
  lsof /var/log/sendmail.st
 
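 The following script is an added example, not part of the Conectiva
 advisory: it checks whether the files named in the SOLUTION section
 are still readable by users outside root and the mail group, applies
 the advisory's chmod 0640 fix, and runs lsof against each file to show
 who holds it open. It assumes GNU stat (stat -c '%a'); BSD stat would
 need a different flag.

```shell
#!/bin/sh
# Added example (not from the Conectiva advisory): audit the files the
# advisory tells you to chmod 0640 and show who holds them open.

# Returns 0 if FILE has no read bit for "other" (the advisory's 0640
# target), 1 if it is still world-readable, 2 if it does not exist.
check_sendmail_perms() {
    file=$1
    [ -e "$file" ] || return 2
    # stat -c '%a' prints the octal mode without leading zeros (GNU coreutils)
    mode=$(stat -c '%a' "$file")
    other=$(( mode % 10 ))
    # other-read bit set (4, 5, 6 or 7) means any local user can open
    # the file and therefore flock() it, as the advisory describes
    if [ $(( other & 4 )) -ne 0 ]; then
        return 1
    fi
    return 0
}

# Applies the advisory's fix (0640) to one file and re-checks it.
harden_sendmail_file() {
    chmod 0640 "$1" && check_sendmail_perms "$1"
}

# Walks the files listed in the advisory; exit status 1 if any is
# still world-readable. For each file, lsof (if installed) lists the
# processes holding it open, which is where a lock holder would show up.
audit_sendmail_files() {
    rc=0
    for f in /etc/mail/*.db /var/log/sendmail.st; do
        [ -e "$f" ] || continue
        if check_sendmail_perms "$f"; then
            echo "ok             $f"
        else
            echo "WORLD-READABLE $f (fix: chmod 0640 $f)"
            rc=1
        fi
        command -v lsof >/dev/null 2>&1 && lsof "$f" 2>/dev/null
    done
    return $rc
}
```

 Run audit_sendmail_files as root; a non-zero exit means at least one
 file still needs the chmod from the advisory.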
 
 REFERENCES:
 1. http://www.sendmail.org/LockingAdvisory.txt
 2. http://distro.conectiva.com.br/bugzilla/show_bug.cgi?id=6350


-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

-------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
