The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Sendmail: denial of service via MIME

Synthesis of the vulnerability 

An attacker can use long MIME lines in order to generate an error in Sendmail.
Impacted systems: Sendmail.
Severity of this alert: 2/4.
Creation date: 02/11/2007.
References of this alert: VIGILANCE-VUL-7301.

Description of the vulnerability 

The MaxMimeHeaderLength directive, introduced in Sendmail version 8.10.0, defines the maximum size of MIME headers:
  MaxMimeHeaderLength=max_total/max_each_parameter

When this directive is enabled (which is the default), the mime8to7() function in the sendmail/mime.c file does not correctly handle lines whose length reaches MAXLINE-1 characters. An error then occurs, and this error can stop the daemon.

An attacker can therefore send a malicious email in order to create a denial of service on Sendmail.

This vulnerability impacts software or systems such as Sendmail.

Our Vigil@nce team determined that the severity of this vulnerability alert is medium.

The trust level is "confirmed by the editor", and the origin of the attack is "internet client".

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat 

Sendmail: version 8.14.2.
Version 8.14.2 is corrected:
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.2.tar.gz
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.2.tar.gz.sig
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.2.tar.Z
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.2.tar.Z.sig
MD5:
  cf784b9f20c32949ae1f38f3eae29875 sendmail.8.14.2.tar.Z
  f788d6986f12a81ac958195b045a529d sendmail.8.14.2.tar.Z.sig
  1c1472365344ca8061d6453c43c9a831 sendmail.8.14.2.tar.gz
  2ae4b6175a08e8a6cda992db20141d81 sendmail.8.14.2.tar.gz.sig

Sendmail: workaround for MIME.
A workaround is to set MaxMimeHeaderLength to 0/0 (in sendmail.cf, on the command line, or in the m4 configuration, respectively):
  O MaxMimeHeaderLength=0/0
  -OMaxMimeHeaderLength=0/0
  define(`confMAX_MIME_HEADER_LENGTH',0/0)
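
The version and workaround facts above, turned into a host triage check as an added example (not part of the Vigil@nce bulletin or of Sendmail). The function names, verdict labels and sample file are made up for illustration; it assumes that releases older than 8.10.0 are unaffected because they lack the directive, and that a later O line overrides an earlier one.

```shell
#!/bin/sh
# Added example (not Vigil@nce or Sendmail code): triage one host for
# VIGILANCE-VUL-7301 from its Sendmail version and sendmail.cf contents.

# version_lt A B: true when dotted version A is strictly older than B.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# effective_mime_limit FILE: print the value of the last "O MaxMimeHeaderLength="
# line in FILE (assumed to override earlier ones), or "default" if the option
# is never set, in which case the limit is enabled.
effective_mime_limit() {
    awk '/^O/ && tolower($0) ~ /^o[ \t]*maxmimeheaderlength[ \t]*=/ {
             val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); found = 1
         }
         END { print (found ? val : "default") }' "$1"
}

# assess VERSION FILE: print fixed | no-directive | mitigated | exposed.
assess() {
    if ! version_lt "$1" 8.14.2; then echo fixed; return; fi
    # Assumption: releases older than 8.10.0 lack the directive and this code path.
    if version_lt "$1" 8.10.0; then echo no-directive; return; fi
    # Only the advisory's exact workaround value is accepted as a mitigation.
    if [ "$(effective_mime_limit "$2")" = "0/0" ]; then echo mitigated; else echo exposed; fi
}

# Constructed sample sendmail.cf fragment (not a real configuration).
SAMPLE_CF=$(mktemp)
cat > "$SAMPLE_CF" <<'EOF'
# constructed sample
O MaxMessageSize=10485760
O MaxMimeHeaderLength=2048/1024
O MaxMimeHeaderLength=0/0
EOF

echo "8.13.8 with workaround: $(assess 8.13.8 "$SAMPLE_CF")"
echo "8.14.2:                 $(assess 8.14.2 "$SAMPLE_CF")"
```

A `-OMaxMimeHeaderLength=0/0` passed on the daemon's command line does not appear in sendmail.cf, so an "exposed" verdict should be compared with how the daemon is actually started.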