-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

             ESB-2002.548 -- NetBSD Security Advisory 2002-023
                    sendmail smrsh bypass vulnerability
                              08 October 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                smrsh (sendmail restricted shell)
Vendor:                 NetBSD
Operating System:       NetBSD 1.6
                        NetBSD 1.5.3, 1.5.2, 1.5.1, 1.5
Impact:                 Increased Privileges
Access Required:        Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-023
		 =================================

Topic:		sendmail smrsh bypass vulnerability

Version:	NetBSD-current:	source prior to October 4, 2002
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		pkgsrc:		prior to/including sendmail-8.12.6

Severity:	bypassing local access control

Fixed:		NetBSD-current:		October 4, 2002
		NetBSD-1.6 branch:	October 4, 2002
					(1.6.1 will include the fix)
		NetBSD-1.5 branch:	October 4, 2002
		pkgsrc:			sendmail-8.12.6nb1 or later


Abstract
========

If smrsh (sendmail restricted shell) is in use with sendmail,
local user can bypass access restrictions imposed by smrsh.


Technical Details
=================

http://www.sendmail.org/smrsh.adv.txt


Solutions and Workarounds
=========================

If your system uses smrsh, your system is vulnerable.
If you see lines matching "smrsh" in /etc/mail/sendmail.cf, you are using
smrsh.

	% grep smrsh /etc/mail/sendmail.cf

Even if you are not using smrsh, we encourage you to upgrade smrsh binary.

The following instructions describe how to upgrade your smrsh
binaries by updating your source tree and rebuilding and
installing a new version of smrsh.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-10-04
	should be upgraded to NetBSD-current dated 2002-10-04 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		gnu/dist/sendmail/smrsh

	To update from CVS, re-build, and re-install smrsh:
		# cd src
		# cvs update -d -P gnu/dist/sendmail/smrsh

		# cd gnu/usr.sbin/sendmail/smrsh
		# make cleandir dependall
		# make install


* NetBSD 1.6:

	Systems running NetBSD 1.6 dated from before 2002-10-04
	should be upgraded to NetBSD 1.6 dated 2002-10-04 or later.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		gnu/dist/sendmail/smrsh

	To update from CVS, re-build, and re-install smrsh:
		# cd src
		# cvs update -d -P gnu/dist/sendmail/smrsh

		# cd gnu/usr.sbin/sendmail/smrsh
		# make cleandir dependall
		# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5 dated from before 2002-10-04
	should be upgraded to NetBSD 1.5 dated 2002-10-04 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		gnu/dist/sendmail/smrsh

	To update from CVS, re-build, and re-install smrsh:
		# cd src
		# cvs update -d -P gnu/dist/sendmail/smrsh

		# cd gnu/usr.sbin/sendmail/smrsh
		# make cleandir dependall
		# make install


Thanks To
=========

Jeremy C. Reed for bringing the issue into attention via PR#18516.


Revision History
================

	2002-10-08	Initial release


More Information
================

Advisories may be updated as new information comes to hand.  The most
recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-023.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-023.txt,v 1.4 2002/10/08 03:43:36 itojun Exp $


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPaJUfT5Ru2/4N2IFAQEHtwQAwTTwQ8N2w4MvGDhi24xalrYhY9Q4Z113
Q/y6cM3+JEufzlEJPpMnWyWHHBYMn7utmvn9kie724IFDBOEKYXCcYFYWWZN54mD
mnXNa3g10ZOpMR2iA5P3wTFGCZPOaeJkVZAI0UwZ95OIXCkPtZ6TVqs0ioUf4hyQ
lYc69Hwpg+Q=
=+/Rb
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPaMHyih9+71yA2DNAQE35gP8Dth0yRflxDuGWK7ilCpq/Oz/eiRh429G
r6VLZAlPsJPHZjzj/9TvsHbZGxpsNsPhfXyoPDMOyj3aF+AiTl86Ko77hcEl9GEN
6ajNgzfyPeTTiv7HXM4xLvY7ZEaWeXdONc+6+6WQaTbzbEv6f5ghzCicn9TYs80f
YbRrCXaOlXI=
=FtRQ
-----END PGP SIGNATURE-----