Bug 54367 - [PATCH] sendmail coredumps (sometime) when using dns map
Summary: [PATCH] sendmail coredumps (sometime) when using dns map
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 4.8-RELEASE
Hardware: Any Any
: Normal Affects Only Me
Assignee: Gregory Neil Shapiro
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-07-11 13:10 UTC by Oleg Bulyzhin
Modified: 2003-09-15 21:00 UTC

See Also:


Attachments
file.diff (262 bytes, patch)
2003-07-11 13:10 UTC, Oleg Bulyzhin

Description Oleg Bulyzhin 2003-07-11 13:10:09 UTC
	Only sendmail 8.12.8 (and previous) are affected. 8.12.9 has this bug
	fixed.

	If you are using dns maps in your sendmail.cf and have decent smtp
	traffic you can see "random" sendmail crashes.
	(The problem was noticed on our primary mail relay, which has about 300000
	delivery attempts per day.) If you search your maillog for the crashed
	sendmail pid you can see (often, but not always) an error like this:
	sm-mta[90653]: ERROR: DNS RDLENGTH=63885 > data len=2468

	Here is an explanation of why this can happen:
	In dns_parse_reply() sendmail builds a chain of RESOURCE_RECORD_T
	structures (dynamically allocating memory for them). Due to the wrong
	initialization of those structures, if sendmail gets a bad dns reply
	(with actual reply size != announced reply size), it calls
	dns_free_data (sm_resolve.c:227) with the rr_next field of the last chain
	structure filled with garbage. In dns_free_data() sendmail tries to
	free the allocated chain of structures: it goes through the chain using the
	rr_next pointer and stops when rr_next == NULL. Garbage in the rr_next
	field causes sendmail to call free() on random addresses.
	This usually causes sendmail to crash.

	Theoretically (I'm not sure) this bug can lead to remote code
	execution.

Fix: Use sm_resolve.c coming with sendmail 8.12.9 or use this patch:
How-To-Repeat: 	Don't know an easy way to reproduce the problem. (We need a source of broken
	dns replies, I guess.)
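The failure mode described in the report (a record announcing an RDLENGTH larger than the data left in the reply, followed by a walk over a chain whose tail `rr_next` was never initialized) can be modelled without sendmail. The block below is an added example written for this page; it is not sendmail's sm_resolve.c and the names `resource_record_t`, `dns_parse_records`, `dns_free_chain`, `parse_error_t` and `count_records` are my own, loosely patterned on the identifiers in the report. The wire format is deliberately simplified to `[TYPE:2][RDLENGTH:2][RDATA]` per record (real DNS records also carry NAME, CLASS and TTL), and the two replies are constructed byte strings, not captured traffic. The point it shows is the safe ordering: every node has `rr_next` set before it is linked into the chain, so when the length check fires the partial chain can be freed without following a garbage pointer.

```c
/* Simplified model of a DNS answer section (added example, not sendmail code):
 *   each record is [TYPE:2][RDLENGTH:2][RDATA:RDLENGTH], lengths big-endian.
 * NAME, CLASS and TTL of real DNS records are omitted on purpose. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct resource_record {
    uint16_t rr_type;
    uint16_t rr_rdlength;
    unsigned char *rr_data;           /* owned copy of RDATA */
    struct resource_record *rr_next;  /* NULL-terminated chain */
} resource_record_t;

typedef struct {
    uint16_t announced_rdlength;  /* RDLENGTH field of the offending record */
    size_t remaining;             /* bytes actually left in the reply */
} parse_error_t;

static uint16_t get16(const unsigned char *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Free a chain.  This walk is only safe because every node had rr_next set
 * (to NULL, then possibly to its successor) before it was linked in.
 * The report describes the opposite: a tail node whose rr_next held
 * whatever malloc() left there, so this loop called free() on garbage.
 * Returns the number of nodes freed. */
static int dns_free_chain(resource_record_t *head)
{
    int freed = 0;
    while (head != NULL) {
        resource_record_t *next = head->rr_next;
        free(head->rr_data);
        free(head);
        head = next;
        freed++;
    }
    return freed;
}

/* Parse `count` records from buf[0..len).  Returns 0 and sets *out on success.
 * On a malformed reply (RDLENGTH > remaining data, or truncated header) returns
 * -1, reports the mismatch in *err, frees any partial chain, sets *out = NULL. */
static int dns_parse_records(const unsigned char *buf, size_t len, int count,
                             resource_record_t **out, parse_error_t *err)
{
    resource_record_t *head = NULL, *tail = NULL;
    size_t off = 0;

    for (int i = 0; i < count; i++) {
        uint16_t type = 0, rdlength = 0;
        if (len - off >= 4) {
            type = get16(buf + off);
            rdlength = get16(buf + off + 2);
            off += 4;
        }
        /* Bounds check BEFORE allocating or copying anything for this record. */
        if (len - off < 4 - (off ? 0 : 0) && rdlength == 0 && type == 0 && len - off < 4) {
            /* header itself truncated */
        }
        if (rdlength > len - off || (off == 0 && len < 4)) {
            if (err) { err->announced_rdlength = rdlength; err->remaining = len - off; }
            dns_free_chain(head);  /* head is a well-formed chain: all rr_next set */
            *out = NULL;
            return -1;
        }
        resource_record_t *rr = calloc(1, sizeof *rr);  /* zeroes rr_next */
        if (rr == NULL) { dns_free_chain(head); *out = NULL; return -1; }
        rr->rr_type = type;
        rr->rr_rdlength = rdlength;
        rr->rr_data = malloc(rdlength ? rdlength : 1);
        if (rr->rr_data == NULL) { free(rr); dns_free_chain(head); *out = NULL; return -1; }
        memcpy(rr->rr_data, buf + off, rdlength);
        rr->rr_next = NULL;  /* explicit: the node is complete before it is linked */
        off += rdlength;
        if (tail != NULL) tail->rr_next = rr; else head = rr;
        tail = rr;
    }
    *out = head;
    return 0;
}

/* Constructed sample replies (not captured traffic). */
static const unsigned char good_reply[] = {
    0x00, 0x01, 0x00, 0x04, 192, 0, 2, 1,      /* A record, 4 bytes of RDATA */
    0x00, 0x10, 0x00, 0x03, 'a', 'b', 'c'      /* TXT-like record, 3 bytes */
};
/* Second record announces RDLENGTH 63885 (0xF98D), the value in the maillog
 * line quoted in the report, but only 3 bytes actually follow. */
static const unsigned char bad_reply[] = {
    0x00, 0x01, 0x00, 0x04, 192, 0, 2, 1,
    0x00, 0x10, 0xF9, 0x8D, 'a', 'b', 'c'
};

/* Parse, return the record count (-1 on a malformed reply), free the chain. */
static int count_records(const unsigned char *buf, size_t len, int count, parse_error_t *err)
{
    resource_record_t *chain = NULL;
    if (dns_parse_records(buf, len, count, &chain, err) != 0) return -1;
    int n = 0;
    for (resource_record_t *p = chain; p != NULL; p = p->rr_next) n++;
    dns_free_chain(chain);
    return n;
}

int main(void)
{
    parse_error_t err = {0, 0};
    printf("good reply: %d records\n", count_records(good_reply, sizeof good_reply, 2, &err));
    if (count_records(bad_reply, sizeof bad_reply, 2, &err) < 0)
        printf("ERROR: DNS RDLENGTH=%u > data len=%zu\n", err.announced_rdlength, err.remaining);
    return 0;
}
```

Two things carry over to any chained-record parser: allocate with `calloc` (or set the link field to NULL immediately) so the free routine never sees an indeterminate pointer, and perform the length comparison against the bytes actually remaining before touching the payload, so a hostile reply can fail the parse cleanly instead of leaving a half-built node behind.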
Comment 1 Kris Kennaway freebsd_committer freebsd_triage 2003-07-13 02:57:59 UTC
Responsible Changed
From-To: freebsd-bugs->gshapiro

Assign to sendmail maintainer
Comment 2 Gregory Neil Shapiro freebsd_committer freebsd_triage 2003-09-01 02:23:19 UTC
State Changed
From-To: open->closed

A security advisory has been released and the problem has been patched 
in the various security branches.
Comment 3 cristinacunha 2003-09-15 20:58:38 UTC
-- 
Cristina Cunha
Datapalce - Business Solution
www.datapalce.com.br