From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Mon, 31 Mar 2003 01:56:10 +0400 From: "Dmitry V. Levin" To: ALT Linux general discussion list Message-ID: <20030330215610.GD10321@basalt.office.altlinux.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vni90+aGYgRvsTuO" Content-Disposition: inline X-fingerprint: 9658 398D 181B 1200 8FC5 26B8 F6F8 846B C1E2 3429 Subject: [Comm] [wietse@porcupine.org: Postfix CA-2003-12 Preliminary REJECT pattern] Sender: community-admin@altlinux.ru Errors-To: community-admin@altlinux.ru X-BeenThere: community@altlinux.ru X-Mailman-Version: 2.0.9 Precedence: bulk Reply-To: community@altlinux.ru List-Unsubscribe: , List-Id: List-Post: List-Help: List-Subscribe: , List-Archive: Archived-At: List-Archive: List-Post: --vni90+aGYgRvsTuO Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: 8bit Для тех, у кого в сети есть sendmail. ----- Forwarded message from Wietse Venema ----- Date: Sun, 30 Mar 2003 09:55:31 -0500 (EST) From: wietse@porcupine.org (Wietse Venema) To: Postfix announce Cc: Postfix users Subject: Postfix CA-2003-12 Preliminary REJECT pattern CERT advisory CA-2003-12 is about a Sendmail buffer overflow exploit that can happen with message headers containing the 0xff byte value. According to the documentation from Sendmail, some exploits can be stopped by avoiding 0xff bytes in message headers. The solution is partial because downstream Sendmail systems may use untrusted information from the DNS while (re)writing headers, and someone could insert 0xff characters that way. One quick way to implement the partial solution is to specify a header_checks REGEXP pattern that rejects message headers with 0xff characters. Specifying numerical character codes in REGEXP patterns turns out to be painful. Here is a somewhat clumsy method to specify a 0xff matching REGEXP: awk ' BEGIN { printf "/%c/ REJECT Possible CA-2003-12 exploit\n",255 exit } ' >/etc/postfix/block255 /etc/postfix/main.cf: header_checks = /etc/postfix/block255 ...other_files... Tested with FreeBSD 4, Redhat 8, Solaris 9, all running on Intel. Raw binary data such as 0xff may cause trouble with text editors. Therefore, the above example uses a separate file for blocking the 0xff character instead of appending the pattern to an existing header_checks file. Please, do not reply to me and suggest REGEXP patterns using \0377 or \xff. They are outside the re_format(7) spec and will not work for everyone. The equivalent PCRE pattern may be easier to specify, but PCRE support is not universally available with Postfix. Since I am packing for yet another a trip, this is all I can do now. Wietse ----- End forwarded message ----- -- ldv --vni90+aGYgRvsTuO Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+h2f69viEa8HiNCkRAj6/AJ9Doq6gMMyp4+u8ldp/RdwKHM59IwCfT8kg ytrLNwj+/hoyA90wlI6I900= =zfok -----END PGP SIGNATURE----- --vni90+aGYgRvsTuO--