Re: [Exim] exim as relay for latest sendmail bug?

Author: Florian Weimer
Date:  
To: Andreas Gietl
CC: Nico Erfurth, Marc Haber, exim-users, tom
Subject: Re: [Exim] exim as relay for latest sendmail bug?
Andreas Gietl <Listen@???> writes:

> The Bug affects the parsing of the From, To, CC and Bcc-Header which
> sendmail does semantic tests on.
According to the Bat Book, the header list is a bit more elaborate:

Resent-Sender
Resent-From
Resent-Reply-To
Sender
From
Apparently-From
Reply-To
Return-Receipt-To
Errors-To
To
Resent-To
Cc
Resent-Cc
Bcc
Resent-Bcc
Apparently-To

Ways to change these headers are documented, so this set varies from
one Sendmail to another. Go figure.

> The patch that fixes the sendmail-bug now detects these crafted
> headers and logs an error to the log. Perhaps it is possible to
> implement this routine into exiscan and then detect it as malicious
> content.
The code is very hard to understand. And unless the researchers
explain what's actually happening, you can't be sure that you caught
all the corner cases. For a first line of defense, dissect the
questionable header line into address components and detect addresses
that are longer than 200 characters (or so). I doubt you can do this
with regular expressions, even with Perl ones which are a bit more
powerful.

Better fix your Sendmail installations. 8-)
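As an added example (not code from the post above, nor from Exim or exiscan), a Python splitter that does what Florian suggests: dissect a header value into its address components while honouring quoted strings, nested comments and angle-bracket routes, then flag components over a length limit. The 200-character figure is his rough threshold; the function names and the sample header values are constructed here.

```python
"""Dissect an address header body into top-level address components and
flag oversized ones. A plain split on ',' would break inside quoted
strings, (comments) and <source routes>, which is why a small state
machine is used instead of a regular expression."""


def split_addresses(value: str) -> list:
    """Split a header body on commas that are outside quotes, comments
    and angle brackets; returns the stripped components in order."""
    parts, buf = [], []
    depth = 0          # nesting depth of ( ) comments
    in_quote = False   # inside a "..." quoted string
    in_angle = False   # inside <...>, where commas separate route hops
    i = 0
    while i < len(value):
        c = value[i]
        # Backslash escapes the next character inside quotes/comments.
        if c == "\\" and (in_quote or depth) and i + 1 < len(value):
            buf.append(value[i:i + 2])
            i += 2
            continue
        if in_quote:
            if c == '"':
                in_quote = False
        elif depth:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
        elif c == '"':
            in_quote = True
        elif c == "(":
            depth += 1
        elif c == "<":
            in_angle = True
        elif c == ">":
            in_angle = False
        elif c == "," and not in_angle:
            parts.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def oversized_addresses(value: str, limit: int = 200) -> list:
    """Return the components of `value` longer than `limit` characters."""
    return [a for a in split_addresses(value) if len(a) > limit]


# Constructed sample header bodies (not taken from any real message).
SAMPLE_OK = '"Doe, John" <john@example.org>, bob@example.net (Bob, too)'
SAMPLE_LONG = "<" + "<" * 150 + "x@example.org" + ">" * 150 + ">"
```

A filter would run `oversized_addresses()` over each of the header names in the list above and reject or log the message when it returns anything.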