From: "Dmitry V. Levin" <ldv@altlinux.org> To: ALT Linux general discussion list <community@altlinux.ru> Subject: [Comm] [wietse@porcupine.org: Postfix CA-2003-12 Preliminary REJECT pattern] Date: Mon, 31 Mar 2003 01:56:10 +0400 Message-ID: <20030330215610.GD10321@basalt.office.altlinux.org> (raw) [-- Attachment #1: Type: text/plain, Size: 1953 bytes --] Для тех, у кого в сети есть sendmail. ----- Forwarded message from Wietse Venema <wietse@porcupine.org> ----- Date: Sun, 30 Mar 2003 09:55:31 -0500 (EST) From: wietse@porcupine.org (Wietse Venema) To: Postfix announce <postfix-announce@postfix.org> Cc: Postfix users <postfix-users@postfix.org> Subject: Postfix CA-2003-12 Preliminary REJECT pattern CERT advisory CA-2003-12 is about a Sendmail buffer overflow exploit that can happen with message headers containing the 0xff byte value. According to the documentation from Sendmail, some exploits can be stopped by avoiding 0xff bytes in message headers. The solution is partial because downstream Sendmail systems may use untrusted information from the DNS while (re)writing headers, and someone could insert 0xff characters that way. One quick way to implement the partial solution is to specify a header_checks REGEXP pattern that rejects message headers with 0xff characters. Specifying numerical character codes in REGEXP patterns turns out to be painful. Here is a somewhat clumsy method to specify a 0xff matching REGEXP: awk ' BEGIN { printf "/%c/ REJECT Possible CA-2003-12 exploit\n",255 exit } ' >/etc/postfix/block255 /etc/postfix/main.cf: header_checks = /etc/postfix/block255 ...other_files... Tested with FreeBSD 4, Redhat 8, Solaris 9, all running on Intel. Raw binary data such as 0xff may cause trouble with text editors. Therefore, the above example uses a separate file for blocking the 0xff character instead of appending the pattern to an existing header_checks file. Please, do not reply to me and suggest REGEXP patterns using \0377 or \xff. They are outside the re_format(7) spec and will not work for everyone. The equivalent PCRE pattern may be easier to specify, but PCRE support is not universally available with Postfix. Since I am packing for yet another a trip, this is all I can do now. Wietse ----- End forwarded message ----- -- ldv [-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
next reply other threads:[~2003-03-30 21:56 UTC|newest] Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top 2003-03-30 21:56 Dmitry V. Levin [this message] 2003-03-31 4:01 ` ASA 2003-03-31 5:23 ` Ilya Palagin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20030330215610.GD10321@basalt.office.altlinux.org \ --to=ldv@altlinux.org \ --cc=community@altlinux.ru \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
ALT Linux Community general discussions This inbox may be cloned and mirrored by anyone: git clone --mirror http://lore.altlinux.org/community/0 community/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 community community/ http://lore.altlinux.org/community \ mandrake-russian@linuxteam.iplabs.ru community@lists.altlinux.org community@lists.altlinux.ru community@lists.altlinux.com public-inbox-index community Example config snippet for mirrors. Newsgroup available over NNTP: nntp://lore.altlinux.org/org.altlinux.lists.community AGPL code for this site: git clone https://public-inbox.org/public-inbox.git