Recipe 10.4 Patching to Close Security Holes

Problem

You need to apply patches to close known sendmail security holes.

Solution

Subscribe to the sendmail-announce mailing list, which carries notification of important security patches, by sending a message to majordomo@lists.sendmail.org whose body contains the following line:

 subscribe sendmail-announce

Download the patch and its detached signature (.sig) file from ftp.sendmail.org or from www.sendmail.org. Verify the signature with gpg or pgp, as shown in the Discussion, before touching the source tree; then use the patch command to apply the security patch to the sendmail source code.

Recompile and reinstall sendmail, as described in Recipe 1.2, using the patched source code.

Restart sendmail so that the running daemon is the patched binary. For example:

 # kill -HUP `head -1 /var/run/sendmail.pid`

Discussion

Fixing a problem with a source code patch is very similar to installing a completely new sendmail source code distribution. In both cases:

  • You download source code from sendmail.org. In one case, it is a large tar file, and in the other, it is a small patch file, but in both cases the download is essentially the same.

  • You download a signature file to verify the source code.

  • You use gpg or pgp to verify the downloaded source file.

  • You recompile, reinstall, and restart sendmail.

The biggest differences between the two approaches to closing a security hole are:

  • In one case, you use tar to create a completely new source tree.

  • In the other case, you use patch to change files in an existing source tree.

The approach you use depends on your personal preferences and the nature of the sendmail currently installed on your system. If you use a version of sendmail provided by a vendor that has some special features, patching may be a way to fix a security problem while retaining those features. Of course there is no guarantee. If the vendor has extensively modified the sendmail source, the patch may not work.

If you really are dependent on a vendor supplied version of sendmail, the best approach is to go directly to the vendor for the security fix. For example, for a Red Hat Linux system, you can obtain critical security fixes directly from the Red Hat web site. Figure 10-1 shows a web page at redhat.com that points to the RPM files containing a sendmail security fix.

Figure 10-1. sendmail fixes available from Red Hat

This chapter, like the rest of this book, uses the sendmail source code distribution instead of a vendor's copy of sendmail. In particular, sendmail 8.12.9 is used throughout this book because it was the latest version of sendmail available when the bulk of this book was written. The following example shows sendmail 8.12.9 being patched to fix a critical security problem.

Fixes for the sendmail source code distribution can be obtained directly from sendmail.org. This example begins by downloading the patch from the pub/sendmail directory on ftp.sendmail.org. The source code patch file is parse8.359.2.8 and the signature file for the patch file is parse8.359.2.8.sig:

 # ftp ftp.sendmail.org
 Connected to ftp.sendmail.org (209.246.26.22).
 220 services.sendmail.org FTP server (Version 6.00LS) ready.
 Name (ftp.sendmail.org:WIN): anonymous
 331 Guest login ok, send your email address as password.
 Password: win@wrotethebook.com
 230 Guest login ok, access restrictions apply.
 Remote system type is UNIX.
 Using binary mode to transfer files.
 ftp> cd pub/sendmail
 250 CWD command successful.
 ftp> get parse8.359.2.8
 local: parse8.359.2.8 remote: parse8.359.2.8
 227 Entering Passive Mode (209,246,26,22,196,166)
 150 Opening BINARY mode data connection for 'parse8.359.2.8' (346 bytes).
 226 Transfer complete.
 346 bytes received in 0.000351 secs (9.6e+02 Kbytes/sec)
 ftp> get parse8.359.2.8.sig
 local: parse8.359.2.8.sig remote: parse8.359.2.8.sig
 227 Entering Passive Mode (209,246,26,22,196,171)
 150 Opening BINARY mode data connection for 'parse8.359.2.8.sig' (152 bytes).
 226 Transfer complete.
 152 bytes received in 0.000672 secs (2.2e+02 Kbytes/sec)
 ftp> quit
 221 Goodbye.

Anonymous FTP gives no assurance that the bytes you received are the ones sendmail.org published, so verify the patch against the signature file downloaded from sendmail.org before applying it:

 # gpg --verify parse8.359.2.8.sig parse8.359.2.8
 gpg: Signature made Thu 18 Sep 2003 10:17:20 AM EDT using RSA key ID 396F0789
 gpg: Good signature from "Sendmail Signing Key/2003 <sendmail@Sendmail.ORG>"
 gpg: checking the trustdb
 gpg: checking at depth 0 signed=1 ot(-/q/n/m/f/u)=0/0/0/0/0/1
 gpg: checking at depth 1 signed=0 ot(-/q/n/m/f/u)=1/0/0/0/0/

A "Good signature" message is only as meaningful as the key that produced it. To verify the signature, you must have previously downloaded the PGP keys from sendmail.org, checked their fingerprints, and added those keys to your key ring; downloading the keys and adding them to the key ring is shown in Recipe 1.1. The user ID on a key is just text that anyone can put on a key of their own, so the output above is trustworthy only because the key with ID 396F0789 was obtained and validated in advance, not because it says "Sendmail Signing Key". sendmail.org issues a new signing key each year (hence the "/2003" in the user ID), so make sure the key for the year of the release is on your key ring.

Apply the source code patch. It is applied from inside the sendmail subdirectory of the source tree because the file names in the patch are relative to that directory, as the "patching file parseaddr.c" line confirms. Running patch --dry-run on the same input first reports whether every hunk applies cleanly without modifying any file, which matters if the tree carries vendor changes: [2]

[2] The pathnames used here are just examples. You should use the paths that are correct for your system.

 # cd /usr/local/src/sendmail-8.12.9/sendmail
 # patch < /usr/local/src/patches/parse8.359.2.8
 patching file parseaddr.c

After the source code is patched, it must be recompiled and reinstalled, as described in Recipe 1.2. Then the sendmail daemon must be restarted, for example with the kill -HUP command shown in the Solution, to ensure that it is running the patched software. Note that this patch changes only parseaddr.c, so the version string remains 8.12.9; checking the version alone does not tell you whether the running daemon was built from the patched source, so confirm that the daemon was actually restarted after the new binary was installed.
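The download, verify, and patch steps above lend themselves to a script that refuses to run patch unless the signature check passes. The following is an added example, not code from the sendmail Cookbook or from sendmail.org. It assumes: curl in place of the interactive ftp session shown above; GNU patch (for --dry-run); and a placeholder fingerprint in EXPECTED_FPR that you must replace with the fingerprint of the sendmail.org key you validated when importing it (Recipe 1.1). The key point is that it parses gpg's machine-readable --status-fd output and pins the signing key's fingerprint, rather than grepping for the "Good signature" text, which any key carrying the same user ID could produce.

```shell
#!/bin/sh
# Added example (not from the sendmail Cookbook): fetch, verify and apply a
# sendmail.org source patch, running "patch" only after gpg reports a valid
# signature from a key whose fingerprint was pinned in advance.
#
# ASSUMPTION: the fingerprint below is a placeholder, not the real
# sendmail.org key. Replace it with the fingerprint you verified against
# sendmail.org's published keys when you imported them (Recipe 1.1).
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read "gpg --status-fd" lines on stdin. Succeed only if a VALIDSIG line
# carries the pinned fingerprint and no failure token appears. The human-
# readable 'Good signature from "Sendmail Signing Key/2003 <...>"' text is
# not a safe test: the user ID is free text anyone can put on their own key.
check_gpg_status() {
    expected=$1
    matched=1
    while IFS=' ' read -r tag kw fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            VALIDSIG)
                if [ "$fpr" = "$expected" ]; then matched=0; fi ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                return 1 ;;
        esac
    done
    return $matched
}

# Run gpg in batch mode with status on stdout and gate on the parsed result.
verify_patch() {
    sigfile=$1; patchfile=$2
    gpg --batch --status-fd 1 --verify "$sigfile" "$patchfile" 2>/dev/null |
        check_gpg_status "$EXPECTED_FPR"
}

# Dry-run first (GNU patch) so a hunk that no longer applies, e.g. in a
# vendor-modified tree, leaves the source untouched rather than half-patched.
apply_patch() {
    srcdir=$1; patchfile=$2
    ( cd "$srcdir" &&
      patch --dry-run -N < "$patchfile" >/dev/null &&
      patch -N < "$patchfile" )
}

# Usage: sh apply_sendmail_patch.sh parse8.359.2.8 /usr/local/src/sendmail-8.12.9/sendmail
main() {
    name=$1; srcdir=$2
    base="ftp://ftp.sendmail.org/pub/sendmail"   # same directory as the ftp session
    for f in "$name" "$name.sig"; do
        curl -fsSO "$base/$f" || { echo "download of $f failed" >&2; return 1; }
    done
    verify_patch "$name.sig" "$name" ||
        { echo "signature check FAILED for $name; not patching" >&2; return 1; }
    apply_patch "$srcdir" "$(pwd)/$name" || return 1
    echo "patched; rebuild and reinstall (Recipe 1.2), then restart:"
    echo "  kill -HUP \`head -1 /var/run/sendmail.pid\`"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then main "$@"; fi
```

Pinning the fingerprint sidesteps the web-of-trust questions that the "checking the trustdb" lines above raise: the decision depends on a value you recorded when you validated the key, not on gpg's trust calculation at run time. The failure tokens checked (BADSIG, ERRSIG, EXPSIG, EXPKEYSIG, REVKEYSIG, NO_PUBKEY) are the ones gpg documents for a tampered file, an unknown key, and an expired or revoked key.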

Installing a completely new sendmail distribution is an alternative to patching the old one. The same fix installed by patching sendmail 8.12.9 could have been made by installing sendmail 8.12.10.

See Also

Recipe 10.3 provides an alternative way to fix a security hole.


sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt