search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Sendmail contains buffer overflow in ruleset parsing

Vulnerability Note VU#108964

Original Release Date: 2003-09-18 | Last Revised: 2003-09-18

Overview

Sendmail contains a buffer overflow vulnerability in the code that parses rulesets. This vulnerability could allow a remote attacker to execute arbitrary code or cause a denial of service on a vulnerable system.This vulnerability does not affect the default configuration.

Description

Sendmail is a widely used mail transfer agent (MTA). There is a buffer overflow vulnerability in the code that parses rulesets. A system is vulnerable if it is configured to use the non-standard rulesets recipient (2), final (4), or mailer-specific envelope recipients.

This is a different vulnerability than the one described in CA-2003-25/VU#784980.

Impact

Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Solution

This issue is resolved in Sendmail 8.12.10.Beta2.

Download the commercial version from:

http://www.sendmail.com/

or the open-source version from:

http://www.sendmail.org/

Vendor Information

108964
Expand all

Sendmail

Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sendmail Inc.

Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Timo Sirainen for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

CVE IDs: None
Severity Metric: 6.33
Date Public: 2003-07-01
Date First Published: 2003-09-18
Date Last Updated: 2003-09-18 20:34 UTC
Document Revision: 7

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.