[Esd-l] FYI critical sendmail vulnerability
John D. Hardin
jhardin at impsec.org
Tue Mar 4 06:37:11 PST 2003
On Tue, 4 Mar 2003, daniel lance herrick wrote:
> The cert advisory says the patch reports
>
> "Dropped invalid comments from header address"
>
> Doesn't that make this the misuse of rfc822
> comments that was discussed in this list a couple
> weeks ago?
The sanitizer drops RFC822 comments from within MIME attachment
filenames. It doesn't try to sanitize the RFC822 headers in the
sendmail vulnerability ( From:, To: and Cc: ).
I suppose it would be fairly easy to length-limit RFC-822 comments in
all headers, and I'll take a look at doing that, but then again as
Brent has pointed out it's pretty difficult to protect the MTA using
procmail... :)
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...voice or no voice, the people can always be brought to the bidding
of the leaders. That is easy. All you have to do is tell them they
are being attacked and denounce the pacifists for lack of patriotism
and exposing the country to danger. It works the same way in any
country.
-- Hermann Goering
-----------------------------------------------------------------------
79 days until The Matrix Reloaded
More information about the esd-l
mailing list