Vulnerability: remote root exploit
OpenPKG Specific: no
Affected Releases   Affected Packages              Corrected Packages
OpenPKG CURRENT     <= sendmail-8.12.9-20030801    >= sendmail-8.12.10-20030917
OpenPKG 1.3         <= sendmail-8.12.9-1.3.0       >= sendmail-8.12.9-1.3.1
OpenPKG 1.2         <= sendmail-8.12.7-1.2.3       >= sendmail-8.12.7-1.2.4
Dependent Packages: none
According to a confirmed security advisory from Michal Zalewski, a
remotely exploitable vulnerability exists in all versions of the
Sendmail MTA prior to 8.12.10. An error in its prescan() function
could allow an attacker to write past the end of a buffer, corrupting
memory structures. Depending on platform and operating system
architecture, the attacker may be able to execute arbitrary code with
a specially crafted email message.
The email attack vector is message-oriented as opposed to
connection-oriented. This means that the vulnerability is triggered
by the contents of a specially crafted email message rather than by
lower-level network traffic. In practice this means that restricting
who may connect to the SMTP port does not protect a vulnerable host:
a malicious message can be handed to it by any intermediate relay,
which passes the message along untouched. The Common Vulnerabilities
and Exposures (CVE) project assigned the id CAN-2003-0694 to the
problem.
Additionally, we have included a fix for a potential buffer overflow
in Sendmail's ruleset parsing. This problem is not exploitable in the
default Sendmail configuration; it is exploitable only if non-standard
rulesets are used in the recipient (2), final (4), or mailer-specific
envelope recipient rulesets. The Common Vulnerabilities and Exposures
(CVE) project assigned the id CAN-2003-0681 to this problem.
Please check whether you are affected by running "<prefix>/bin/rpm
-q sendmail". If you have the "sendmail" package installed and its
version is affected (see above), we recommend that you immediately
upgrade it (see Solution).
Select the updated source RPM appropriate for your OpenPKG release,
fetch it from the OpenPKG FTP service or a mirror location, verify
its integrity (rpm --checksig checks both the digest and the GPG
signature of the package, so do not skip this step when fetching from
a mirror), build a corresponding binary RPM from it and update your
OpenPKG installation by applying the binary RPM. For the current
release OpenPKG 1.3, perform the following operations to permanently
fix the security problem (for other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> cd release/1.3/UPD
ftp> get sendmail-8.12.9-1.3.1.src.rpm
$ <prefix>/bin/rpm -v --checksig sendmail-8.12.9-1.3.1.src.rpm
$ <prefix>/bin/rpm --rebuild sendmail-8.12.9-1.3.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/sendmail-8.12.9-1.3.1.*.rpm
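The "am I affected?" check above compares the output of "rpm -q sendmail" against the table by eye. The following script automates that comparison; it is an added example and is not part of the OpenPKG advisory or the OpenPKG tools. The version table it carries is copied from the advisory, the package strings it is run against at the bottom are constructed for illustration, and the rpm prefix is left as the advisory's "<prefix>" placeholder.

```shell
#!/bin/sh
# Added example (not part of the OpenPKG advisory): classify the output of
# "<prefix>/bin/rpm -q sendmail" as affected / fixed / unknown using the
# advisory's own version table. The sample package strings at the bottom are
# constructed for illustration; on a real host feed it the rpm output instead.

# First corrected package per OpenPKG release, straight from the advisory.
# Prints "<version> <release-tag>", or nothing for a release not listed there.
corrected_for() {
    case "$1" in
        CURRENT) echo "8.12.10 20030917" ;;
        1.3)     echo "8.12.9 1.3.1" ;;
        1.2)     echo "8.12.7 1.2.4" ;;
        *)       echo "" ;;
    esac
}

# Map an RPM release tag to its OpenPKG release: an eight-digit date stamp
# (20030801) belongs to OpenPKG CURRENT, "1.3.0" to OpenPKG 1.3, and so on.
openpkg_release_of() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) echo CURRENT ;;
        *.*.*) echo "${1%.*}" ;;
        *)     echo UNKNOWN ;;
    esac
}

# Compare two dotted numeric strings segment by segment (8.12.10 > 8.12.9,
# unlike a plain string compare). Prints -1, 0 or 1. Assumes purely numeric
# segments, which is all the sendmail versions in the advisory use.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ahead="${a%%.*}"; if [ "$ahead" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bhead="${b%%.*}"; if [ "$bhead" = "$b" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ahead:-0}" -lt "${bhead:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ahead:-0}" -gt "${bhead:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Classify one "name-version-release" string. A sendmail package is affected
# when (version, release-tag) sorts before the corrected package for its
# OpenPKG release; anything else that parses is at or beyond the fix.
sendmail_status() {
    pkg="$1"
    name="${pkg%%-*}"
    rest="${pkg#*-}"
    version="${rest%-*}"
    reltag="${rest##*-}"
    if [ "$name" != sendmail ] || [ "$version" = "$rest" ]; then
        echo unknown; return
    fi
    # shellcheck disable=SC2046  (word splitting into $1/$2 is intended)
    set -- $(corrected_for "$(openpkg_release_of "$reltag")")
    if [ $# -ne 2 ]; then echo unknown; return; fi
    cmp="$(vercmp "$version" "$1")"
    if [ "$cmp" = 0 ]; then cmp="$(vercmp "$reltag" "$2")"; fi
    if [ "$cmp" = -1 ]; then echo affected; else echo fixed; fi
}

# Constructed sample inputs: one affected and one corrected package per row
# of the advisory table, plus a non-sendmail package. On a real host use:
#   sendmail_status "$(<prefix>/bin/rpm -q sendmail)"
for p in sendmail-8.12.9-20030801 sendmail-8.12.10-20030917 \
         sendmail-8.12.9-1.3.0    sendmail-8.12.9-1.3.1 \
         sendmail-8.12.7-1.2.3    sendmail-8.12.7-1.2.4 \
         postfix-2.0.16-1.3.0; do
    printf '%-28s %s\n' "$p" "$(sendmail_status "$p")"
done
```

The release tag is compared only when the upstream version is equal, which is what matters for OpenPKG 1.3 and 1.2, where the fix ships as a patched 8.12.9 or 8.12.7 rather than a new upstream version; an "unknown" result (package missing, a release not in the table) should be treated as "check by hand", not as "fixed".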
Have a look at it and gain as much info as you can.
We need to find out what's EXACTLY wrong, so where the overflow is located and with what parameters we can overflow it. I'm gonna have a look at it.