Sendmail, Inc.
     _________________________________________________________________
   
                 Sendmail 8.9.1a patch - MIME Buffer Overflows
                                       
Introduction

     Several e-mail clients have recently been shown to have buffer
     overflows that may allow attackers to execute arbitrary commands on
     users' machines. Sendmail, Inc. has produced a patch for sendmail
     8.9.1 that will proactively defend against such attacks. It is
     important to note that sendmail itself is not vulnerable to these
     attacks. By truncating long MIME headers before they arrive in end
     users' mailboxes, such attacks can be deflected before they can do
     damage.
     
Getting and Installing the Patch

     Before you can use this patch, you must be running sendmail 8.9.1,
     available from
     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.1.tar.gz.
     Instructions for installation are included with that file. You
     should download and unpack that distribution, but not compile it
     until installing the patch, as described below.
     
     The patch is available from
     http://www.sendmail.com/sendmail.8.9.1a.patch or from
     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.1a.patch. Load the
     patch into the src subdirectory of the sendmail 8.9.1 source
     directory. Install the patch using the commands:
     
cd sendmail-8.9.1/src
patch < sendmail.8.9.1a.patch

     This will update the sendmail 8.9.1 code base to version 8.9.1a.
     
     Note: It appears some older versions of the patch program have
     problems applying this patch. If you get an error from your patch
     program, get the latest version of patch from the Free Software
     Foundation at ftp://ftp.gnu.org/pub/gnu/patch-2.5.tar.gz.
     
Compiling Sendmail 8.9.1a

     Create a new site.config.m4 file in the BuildTools/Site directory
     or append to an existing site.config.m4 file with the following
     line:
     
APPENDDEF(`confENVDEF', `-D_FFR_MAX_MIME_HEADER_LENGTH=1')

     The -D flag is necessary to tell sendmail to compile in the new
     changes.
     
     Compile sendmail using the following command from inside the src
     subtree:
     
./Build -c

     The -c flag is necessary to tell the Build script to recompile the
     binary from scratch using the new site.config.m4 file.
     
     If you do not include this flag in the compilation, you will not
     get the new feature. 
     
Updating the Sendmail Configuration

     To enable this option in the newly created binary, create an m4
     configuration (.mc) file as you usually would and add the following
     lines:
     
LOCAL_CONFIG
O MaxMimeHeaderLength=256/128

     After modifying your .mc file, be sure to regenerate your
     sendmail.cf using:
     
cd sendmail-8.9.1/cf/cf
m4 ../m4/cf.m4 myfile.mc > myfile.cf

     If you do not use m4 to generate your sendmail.cf file, simply add
     the line O MaxMimeHeaderLength=256/128 to your existing sendmail.cf.
     
     This option causes MIME headers to be truncated to a total of 256
     characters; no individual field is permitted to exceed 128
     characters. These values should be safe for the common mail clients
     that are vulnerable.
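
     The effect of the two limits can be sketched in C. This is an added
     example, not sendmail's own code and not part of the patch; the
     names clamp_mime_header and demo_long_filename and the sample header
     are constructed here, and it assumes fields are separated by ';'
     outside quoted strings.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustration only, not sendmail source. Clamp a MIME header value in
 * place: at most max_field bytes per ';'-separated field and at most
 * max_total bytes overall. Returns the new length.
 * Assumption: a ';' inside a quoted string is not a separator.
 */
size_t clamp_mime_header(char *hdr, size_t max_total, size_t max_field)
{
    size_t in, out = 0, field = 0;
    int in_quote = 0;

    for (in = 0; hdr[in] != '\0' && out < max_total; in++) {
        if (hdr[in] == '"')
            in_quote = !in_quote;
        if (hdr[in] == ';' && !in_quote) {
            hdr[out++] = ';';       /* separator starts a new field */
            field = 0;
        } else if (field < max_field) {
            hdr[out++] = hdr[in];   /* still within the per-field cap */
            field++;
        }                           /* else: drop the excess byte */
    }
    hdr[out] = '\0';
    return out;
}

/* Constructed sample: a Content-Disposition value with a 300-byte filename. */
size_t demo_long_filename(void)
{
    char hdr[512] = "attachment; filename=\"";
    size_t n = strlen(hdr);

    memset(hdr + n, 'A', 300);
    strcpy(hdr + n + 300, "\"");
    return clamp_mime_header(hdr, 256, 128);
}

int main(void)
{
    printf("clamped length: %zu\n", demo_long_filename());
    return 0;
}
```

     With 256/128, the oversized filename field is cut to 128 bytes, so
     the long string never reaches the client's header parser intact.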
     
Reinstalling and Restarting Sendmail

     After rebuilding your sendmail binary and sendmail configuration
     file, be sure to reinstall them. Typically, this is done using the
     following command in the src directory:
     
./Build install

     You must also manually install the newly created sendmail.cf by
     copying the file to /etc/sendmail.cf.
     
     After installing the updated files, be sure to restart the running
     sendmail daemon. This can be accomplished by sending the HUP signal
     to the sendmail daemon PID. For example, if your sendmail.pid file
     is saved in /var/run, you would use the command:
     
kill -HUP `head -1 /var/run/sendmail.pid`

Tradeoffs

     As this patch requires scanning the body of the message for MIME
     indicators, there will be a performance penalty to run this code.
     However, only one sendmail server need run this code in the path of
     the mail. For example, if all of your mail from the Internet comes
     through one firewall, only that firewall needs to run the patched
     code.
     
     If you have installed patches for your mail clients from the
     vendors (i.e., if you have fixed the vulnerability at the client
     level), it is not necessary to install this patch.
     
Disclaimers

     Sendmail, Inc. does not commit to supporting this patch in its
     current form in future releases. This is not a replacement for
     fixing the vulnerable mail clients. However, installing this patch
     will give you the time needed to update your clients.
     
Other Information

     For other information about this vulnerability, consult the
     following documents:
     * ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.02.Outlook.buffer.overflow 
     * http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml 
     * http://www.cert.org/advisories/CA-98.10.mime_buffer_overflows.html
     * http://www.ciac.org/ciac/MIMEfaq.html 
     * http://www.netscape.com/products/security/resources/bugs/longfile.html 
     * http://www.microsoft.com/ie/security/oelong.htm