Home ·  Knowledge Base ·  News ·  Contact  





 Knowledge Base

 Categories



Web Servers



Mail Servers



FTP Servers



Firewall / Security



Intrusion Detection



FreeBSD General



Solaris General



Linux General



Miscellaneous



Samba



MRTG



SQL



 Search

 


 Mail Servers

Go Back

Fixing sendmail vulnerability on Solaris (weirdness with patch and PATH)  


As you probably already know (if anyone is even reading this) a new sendmail vulnerability came out yesterday. This one seems to affect nearly every version of sendmail, or, at least, every version that I'm running. From what I've read, it appears to be possible (but perhaps difficult) to get root (at least, that's what sendmail is usually running as) remotely. I'd heard enough to get me moving.

Before I get into the fix and the problems I ran into (mostly because I'm not a Solaris native), I want to show how easy (or difficult) it was to upgrade all the boxen that I'm responsible for.

1) Gentoo boxes

emerge sync
#syncronizes my portage tree with the rsync servers

emerge -up system
#pretend to upgrade all out of date packages
#I do this to check to make sure emerge isn't going to do
#anything weird

emerge -u system
#actually do the emerge

etc-update
#this is only neccessary if configuration files have changed
#as the result of a new version of software

2) RedHat boxes

up2date -p
#update my package list with RedHat (in case I have
#installed any rpms by hand since my last up2date)

up2date -u
#update all out-of-date packages

3) FreeBSD boxes

cvsup /etc/supfile
#update my src tree, ports tree and anything else I want
#by connecting to one of the freebsd cvsup servers

make buildworld
#build my system binaries and such from source

make installworld
#if there aren't any problems... install em
(note: normally I only need to do a portupgrade on FreeBSD, but sendmail is a part of the OS)

4) Solaris boxes

*cry*
do it all by hand

That said, here's what I ran into with Solaris.

First, I went to Sendmail's website and then clicked on the link for the patch instructions. What I didn't notice on this page was the footnote, "Note: make sure your patch program understands these diffs. Some versions (e.g., Solaris, maybe AIX (4.3.3ml10)) can not deal with them. In that case install GNU patch (on Solaris: try gpatch)." Crud.

So, I went off on my merry way trying to patch sendmail with Solaris's crappy patch program. I got this:

patch -p0 < sendmail.8.11.6.security.cr.patch
Looks like a unified context diff.
File to patch:

Ok. It didn't understand my patchfile. I think this was because the sendmail patch actually is patching several different source files. I didn't realize this at first so I just did a 'head' on the patch to see what it wanted to patch. I mistakenly thought it was just the sendmail/headers.c file. So, I entered that in and it barfed thusly:

File to patch: sendmail/headers.c
The next patch looks like a unified context diff.
Hunk #1 failed at line 3535.
1 out of 1 hunks failed: saving rejects to sendmail/headers.c.rej
The next patch looks like a unified context diff.
Hunk #1 failed at line 2297.
1 out of 1 hunks failed: saving rejects to sendmail/headers.c.rej
The next patch looks like a unified context diff.
Hunk #1 failed at line 333.
1 out of 1 hunks failed: saving rejects to sendmail/headers.c.rej
done

Now I realized what had happened. So, I went about getting the Gnu patch program from my handy SunFreeware mirror. I compiled and installed this and then to test it I did a 'patch -v'. Instead of it happily telling me what version it was, I got this:

#patch -v
patch: Invalid options.
patch: Usage: patch [-blNR] [-c|-e|-n] [-d dir] [-D define] [-i patchfile]\
[-o outfile] [-p num] [-r rejectfile] [file]

Allright, I thought, the old Solaris patch must be in my path before my Gnu patch. So, I did a 'which patch' and got this:

#which patch
/usr/local/bin/patch

That's weird, but I attribute it to the Solaris version of which (if you have ideas, please clue me in). I was tired of dickin' around at this point, though, so I just did a

#/usr/local/bin/patch -p0 < sendmail.8.11.6.security.cr.patch

and all was well. After I had patched the sendmail source, I could just do a

cd sendmail #from the sendmail-8.x.x directory
sh Build
sh Build install
/etc/init.d/sendmail stop
pgrep sendmail #to make sure all sendmail processes died
/etc/init.d/sendmail start

Now the crying could stop.


 





How's your network?, Inc. © 2001-2018