Fixing sendmail vulnerability on Solaris (weirdness with patch and PATH)
As you probably already know (if anyone is even reading this), a new sendmail vulnerability came out yesterday. This one seems to affect nearly every version of sendmail, or, at least, every version that I'm running. From what I've read, it appears to be possible (but perhaps difficult) to get root (at least, that's what sendmail is usually running as) remotely. I'd heard enough to get me moving.
Before I get into the fix and the problems I ran into (mostly because I'm not a Solaris native), I want to show how easy (or difficult) it was to upgrade all the boxen that I'm responsible for.
1) Gentoo boxes
emerge sync
#synchronizes my portage tree with the rsync servers
emerge -up system
#pretend to upgrade all out of date packages
#I do this to check to make sure emerge isn't going to do
#anything weird
emerge -u system
#actually do the emerge
etc-update
#this is only necessary if configuration files have changed
#as the result of a new version of software
2) RedHat boxes
up2date -p
#update my package list with RedHat (in case I have
#installed any rpms by hand since my last up2date)
up2date -u
#update all out-of-date packages
3) FreeBSD boxes
cvsup /etc/supfile
#update my src tree, ports tree and anything else I want
#by connecting to one of the freebsd cvsup servers
make buildworld
#build my system binaries and such from source
make installworld
#if there aren't any problems... install em
(note: normally I only need to do a portupgrade on FreeBSD, but sendmail is a part of the OS)
4) Solaris boxes
*cry*
do it all by hand
That said, here's what I ran into with Solaris.
First, I went to Sendmail's website and then clicked on the link for the patch instructions. What I didn't notice on this page was the footnote, "Note: make sure your patch program understands these diffs. Some versions (e.g., Solaris, maybe AIX (4.3.3ml10)) can not deal with them. In that case install GNU patch (on Solaris: try gpatch)." Crud.
So, I went off on my merry way trying to patch sendmail with Solaris's crappy patch program. I got this:
patch -p0 < sendmail.8.11.6.security.cr.patch
Looks like a unified context diff.
File to patch:
OK. It didn't understand my patch file. I think this was because the sendmail patch actually patches several different source files. I didn't realize this at first, so I just did a 'head' on the patch to see what it wanted to patch. I mistakenly thought it was just the sendmail/headers.c file. So, I entered that in and it barfed thusly:
File to patch: sendmail/headers.c
The next patch looks like a unified context diff.
Hunk #1 failed at line 3535.
1 out of 1 hunks failed: saving rejects to sendmail/headers.c.rej
The next patch looks like a unified context diff.
Hunk #1 failed at line 2297.
1 out of 1 hunks failed: saving rejects to sendmail/headers.c.rej
The next patch looks like a unified context diff.
Hunk #1 failed at line 333.
1 out of 1 hunks failed: saving rejects to sendmail/headers.c.rej
done
Now I realized what had happened. So, I went about getting the GNU patch program from my handy SunFreeware mirror. I compiled and installed this and then, to test it, I did a 'patch -v'. Instead of it happily telling me what version it was, I got this:
#patch -v
patch: Invalid options.
patch: Usage: patch [-blNR] [-c|-e|-n] [-d dir] [-D define] [-i patchfile]\
[-o outfile] [-p num] [-r rejectfile] [file]
All right, I thought, the old Solaris patch must be in my path before my GNU patch. So, I did a 'which patch' and got this:
#which patch
/usr/local/bin/patch
That's weird, but I attribute it to the Solaris version of which (if you have ideas, please clue me in). I was tired of dickin' around at this point, though, so I just did a
#/usr/local/bin/patch -p0 < sendmail.8.11.6.security.cr.patch
and all was well. After I had patched the sendmail source, I could just do a
cd sendmail #from the sendmail-8.x.x directory
sh Build
sh Build install
/etc/init.d/sendmail stop
pgrep sendmail #to make sure all sendmail processes died
/etc/init.d/sendmail start
Now the crying could stop.
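Two things commonly produce exactly the 'which' puzzle above (this is an added note and example, not part of the original post). First, Solaris's /usr/bin/which is a csh script that reads ~/.cshrc, so it can search a different PATH than the sh or ksh you are actually typing into. Second, many shells (ksh and bash among them) remember the full path of a command the first time they run it, so a 'patch' run before /usr/local/bin/patch existed keeps pointing at /usr/bin/patch until 'hash -r' or a fresh login, while an external program like which never sees that cache. The script below, written for this page with made-up directory names under a scratch directory, reproduces the stale-cache case and shows the check to use instead of which: 'type patch' (or 'hash') from the shell itself, and walking PATH by hand.

```shell
#!/bin/sh
# Added example for this page, not code from the original post.
# Shows why `which patch` and a plain `patch` can disagree, and what to
# check instead. The "local" and "sys" directory names are made up.

# Resolve NAME the way a shell does on a cache miss: the first executable
# regular file found walking PATH in order. Prints the path; returns 1 if
# nothing matches. It ignores any hash table, so it is the value to
# compare against what `type NAME` reports.
resolve_in_path() {
    _name=$1
    _saved_ifs=$IFS
    IFS=:
    for _dir in $PATH; do
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            IFS=$_saved_ifs
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# Reproduce the stale-cache situation in a scratch PATH:
#   1. only a "vendor" patch exists; run it once so the shell may cache it
#   2. "install" a "gnu" patch earlier in PATH without touching PATH
#   3. run plain `patch` before and after `hash -r`
# Prints three words: the path resolve_in_path finds after step 2 (relative
# to the scratch dir), what the shell ran before `hash -r`, and what it ran
# after. The middle word depends on the shell (bash and dash cache and print
# "vendor"); the last word is "gnu" in every shell.
demo_stale_hash() {
    _tmp=$(mktemp -d) || return 1
    _saved_path=$PATH
    mkdir "$_tmp/local" "$_tmp/sys"
    printf '#!/bin/sh\necho vendor\n' > "$_tmp/sys/patch"
    chmod 755 "$_tmp/sys/patch"
    PATH="$_tmp/local:$_tmp/sys:$PATH"
    hash -r
    patch > /dev/null                         # step 1: vendor patch gets cached
    printf '#!/bin/sh\necho gnu\n' > "$_tmp/local/patch"
    chmod 755 "$_tmp/local/patch"             # step 2: the new patch, earlier in PATH
    _resolved=$(resolve_in_path patch)        # what PATH order says should run
    _before=$(patch)                          # step 3a: may still be "vendor"
    hash -r                                   # forget cached paths
    _after=$(patch)                           # step 3b: now "gnu"
    PATH=$_saved_path
    rm -rf "$_tmp"
    printf '%s %s %s\n' "${_resolved#"$_tmp/"}" "$_before" "$_after"
}

# Stand-alone run: e.g. "local/patch vendor gnu" in bash.
demo_stale_hash
```

On the real box the equivalent is 'type patch' before and after 'hash -r': type reports the cached path, which tells you in one line whether the shell and which disagree, and hash -r makes the shell look again without logging out.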