
Re: sendmail header buffer overflow vulnerability, and what ZMailer can do..



On Wed, Mar 05, 2003 at 02:57:26PM +0200, Matti Aarnio wrote:
> In default case the current ZMailer passes arrived message headers
> onwards as is, sometimes perhaps folding things, but usually not.
> Always, however, scanning header syntaxes (of course only those it
> knows about, and cares about:  from/to/cc/bcc +resent variants.)
> 
> The latest sendmail header buffer overflow thing appears to demand
> syntactically invalid header, therefore adding   -W   option to
> your  zmailer.conf    ROUTEROPTIONS=   will enable the old code
> that rewrites headers with invalid syntax into:

In case the headers are syntactically correct (e.g. 8-bit stuff
in comment, or text item), all transport-agents do:

8-bit header: 'To:      <mea@zmailer.org> (äöåååääöäö)'
After processing: 'To:  <mea@zmailer.org> =?ISO-8859-1?Q?(=E4=F6=E5=E5=E5=E4=E4=F6=E4=F6?=)'

which very effectively immunizes the thing.

This happens only in versions since around  1994-1996 or
thereabouts...  (Not in Toronto 2.2 series.)

-- 
/Matti Aarnio	<mea@nic.funet.fi>
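
The conversion described in the message above, as an added example that is not part of the original post and is not ZMailer's code: a sketch of turning 8-bit bytes in header comments into RFC 2047 Q encoded-words so that only ASCII is passed onwards. The function names, the ISO-8859-1 default and the choice to reject 8-bit bytes outside comments are assumptions of this example; it keeps the parentheses outside the encoded-word, so its output differs slightly from the line quoted above.

```python
# Assumption: unlabeled 8-bit bytes are ISO-8859-1, as in the quoted output.
CHARSET = "ISO-8859-1"
MAX_WORD = 75  # RFC 2047: an encoded-word is at most 75 characters long
# Strict literal set (RFC 2047 sec. 5 rule 3); everything else becomes =XX.
SAFE = frozenset(b"abcdefghijklmnopqrstuvwxyz"
                 b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!*+-/")
# The 8-bit header from the message above, as raw ISO-8859-1 bytes.
SAMPLE = b"To:      <mea@zmailer.org> (\xe4\xf6\xe5\xe5\xe5\xe4\xe4\xf6\xe4\xf6)"

def q_encode(raw: bytes) -> list[str]:
    """Q-encode raw bytes into one or more encoded-words of legal length."""
    prefix, suffix = f"=?{CHARSET}?Q?", "?="
    room = MAX_WORD - len(prefix) - len(suffix)
    words, current = [], ""
    for b in raw:
        token = chr(b) if b in SAFE else f"={b:02X}"
        if len(current) + len(token) > room:
            words.append(prefix + current + suffix)
            current = ""
        current += token
    if current:
        words.append(prefix + current + suffix)
    return words


def sanitize_header(line: bytes) -> str:
    """Return the header as pure ASCII, encoding 8-bit words in comments."""
    # Nested comments are tracked; quoted-pairs (backslash escapes) are not.
    out, word, depth = [], bytearray(), 0
    def flush() -> None:
        if any(b >= 0x80 for b in word):
            out.append(" ".join(q_encode(bytes(word))))
        else:
            out.append(word.decode("ascii"))
        word.clear()
    for b in line:
        if depth and b not in b"() \t":
            word.append(b)  # collect one whitespace-delimited comment word
            continue
        flush()
        if b == 0x28:
            depth += 1
        elif b == 0x29 and depth:
            depth -= 1
        elif b >= 0x80:
            raise ValueError("8-bit byte outside a comment")
        out.append(chr(b))
    flush()
    return "".join(out)
```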