From: "Dmitry V. Levin" <ldv@altlinux.org>
To: ALT Linux general discussion list <community@altlinux.ru>
Subject: [Comm] [wietse@porcupine.org: Postfix CA-2003-12 Preliminary REJECT pattern]
Date: Mon, 31 Mar 2003 01:56:10 +0400
Message-ID: <20030330215610.GD10321@basalt.office.altlinux.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 1953 bytes --]
Для тех, у кого в сети есть sendmail.
----- Forwarded message from Wietse Venema <wietse@porcupine.org> -----
Date: Sun, 30 Mar 2003 09:55:31 -0500 (EST)
From: wietse@porcupine.org (Wietse Venema)
To: Postfix announce <postfix-announce@postfix.org>
Cc: Postfix users <postfix-users@postfix.org>
Subject: Postfix CA-2003-12 Preliminary REJECT pattern
CERT advisory CA-2003-12 is about a Sendmail buffer overflow exploit
that can happen with message headers containing the 0xff byte value.
According to the documentation from Sendmail, some exploits can be
stopped by avoiding 0xff bytes in message headers. The solution
is partial because downstream Sendmail systems may use untrusted
information from the DNS while (re)writing headers, and someone
could insert 0xff characters that way.
One quick way to implement the partial solution is to specify a
header_checks REGEXP pattern that rejects message headers with 0xff
characters. Specifying numerical character codes in REGEXP patterns
turns out to be painful. Here is a somewhat clumsy method to
specify a 0xff matching REGEXP:
awk '
BEGIN {
printf "/%c/ REJECT Possible CA-2003-12 exploit\n",255
exit
}
' >/etc/postfix/block255
/etc/postfix/main.cf:
header_checks = /etc/postfix/block255 ...other_files...
Tested with FreeBSD 4, Redhat 8, Solaris 9, all running on Intel.
Raw binary data such as 0xff may cause trouble with text editors.
Therefore, the above example uses a separate file for blocking
the 0xff character instead of appending the pattern to an existing
header_checks file.
Please, do not reply to me and suggest REGEXP patterns using \0377
or \xff. They are outside the re_format(7) spec and will not work
for everyone.
The equivalent PCRE pattern may be easier to specify, but PCRE
support is not universally available with Postfix.
Since I am packing for yet another a trip, this is all I can do now.
Wietse
----- End forwarded message -----
--
ldv
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
next reply other threads:[~2003-03-30 21:56 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-03-30 21:56 Dmitry V. Levin [this message]
2003-03-31 4:01 ` ASA
2003-03-31 5:23 ` Ilya Palagin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030330215610.GD10321@basalt.office.altlinux.org \
--to=ldv@altlinux.org \
--cc=community@altlinux.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux Community general discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/community/0 community/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 community community/ http://lore.altlinux.org/community \
mandrake-russian@linuxteam.iplabs.ru community@lists.altlinux.org community@lists.altlinux.ru community@lists.altlinux.com
public-inbox-index community
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.community
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git