[Comm] [wietse at porcupine.org: Postfix CA-2003-12 Preliminary REJECT pattern]

Dmitry V. Levin ldv at altlinux.org
Mon Mar 31 01:56:10 MSD 2003


For those who have sendmail on their network.

----- Forwarded message from Wietse Venema <wietse at porcupine.org> -----

Date: Sun, 30 Mar 2003 09:55:31 -0500 (EST)
From: wietse at porcupine.org (Wietse Venema)
To: Postfix announce <postfix-announce at postfix.org>
Cc: Postfix users <postfix-users at postfix.org>
Subject: Postfix CA-2003-12 Preliminary REJECT pattern

CERT advisory CA-2003-12 is about a Sendmail buffer overflow exploit
that can happen with message headers containing the 0xff byte value.

According to the documentation from Sendmail, some exploits can be
stopped by avoiding 0xff bytes in message headers.  The solution
is partial because downstream Sendmail systems may use untrusted
information from the DNS while (re)writing headers, and someone
could insert 0xff characters that way.

One quick way to implement the partial solution is to specify a
header_checks REGEXP pattern that rejects message headers with 0xff
characters.  Specifying numerical character codes in REGEXP patterns
turns out to be painful.  Here is a somewhat clumsy method to
specify a 0xff matching REGEXP:

awk '
    BEGIN { 
	printf "/%c/ REJECT Possible CA-2003-12 exploit\n",255
	exit
    }
' >/etc/postfix/block255

/etc/postfix/main.cf:
    header_checks = /etc/postfix/block255 ...other_files...

Tested with FreeBSD 4, Redhat 8, Solaris 9, all running on Intel.

Raw binary data such as 0xff may cause trouble with text editors.
Therefore, the above example uses a separate file for blocking
the 0xff character instead of appending the pattern to an existing
header_checks file.

Please, do not reply to me and suggest REGEXP patterns using \0377
or \xff. They are outside the re_format(7) spec and will not work
for everyone.

The equivalent PCRE pattern may be easier to specify, but PCRE
support is not universally available with Postfix.

Since I am packing for yet another trip, this is all I can do now.

	Wietse

----- End forwarded message -----

--
ldv
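
An added example, not part of the forwarded message or of Postfix: a Python scan that reports which primary headers of a stored message contain a 0xff byte, that is, the headers the REJECT pattern above is meant to catch. The function names and the sample message are constructed for illustration; the scan unfolds continuation lines into one logical header and ignores the message body.

```python
"""Report logical message headers that contain a raw 0xff byte."""
import sys

# Constructed sample: a folded From: header carrying 0xff, and a body
# that also contains 0xff but must not be reported.
SAMPLE = (
    b"Received: from mail.example.net by mx.example.org\r\n"
    b"From: someone@example.net\r\n"
    b"\t(comment \xff\xff continued)\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"Body bytes such as \xff are not header data.\r\n"
)

def split_headers(raw):
    """Return the logical (unfolded) header lines of a raw message."""
    headers = []
    # Accept CRLF or bare LF; the header section ends at the first empty line.
    for line in raw.replace(b"\r\n", b"\n").split(b"\n"):
        if line == b"":
            break
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1] += b"\n" + line   # continuation of the previous header
        else:
            headers.append(line)
    return headers

def headers_with_0xff(raw):
    """Return the names of logical headers that contain a 0xff byte."""
    hits = []
    for header in split_headers(raw):
        if b"\xff" in header:
            name = header.split(b":", 1)[0]
            hits.append(name.decode("ascii", "replace"))
    return hits

if __name__ == "__main__":
    # Usage: script.py MESSAGE_FILE...  (with no arguments, scan the sample)
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, headers_with_0xff(fh.read()))
    else:
        print("sample", headers_with_0xff(SAMPLE))
```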