Debian Bug report logs - #527862
libmilter1.0.1: segfault in libmilter - using milter-greylist and mimedefang - both dies


Package: libmilter1.0.1; Maintainer for libmilter1.0.1 is Jakub Safarik <jsafarik@ymail.com>; Source for libmilter1.0.1 is src:sendmail.

Reported by: Harald Jenny <harald@a-little-linux-box.at>

Date: Sat, 9 May 2009 02:03:01 UTC

Severity: important

Tags: patch, security

Found in versions sendmail/8.14.3-9.2, sendmail/8.14.3-5

Fixed in version sendmail/8.14.4-1

Done: Don Armstrong <don@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Sat, 09 May 2009 02:03:03 GMT)

Acknowledgement sent to Javier Kohan <jktmp01@gmail.com>:
New Bug report received and forwarded. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Sat, 09 May 2009 02:03:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Javier Kohan <jktmp01@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmilter1.0.1: segfault in libmilter - using milter-greylist and mimedefang - both dies
Date: Fri, 08 May 2009 22:59:04 -0300
Package: libmilter1.0.1
Version: 8.14.3-5
Severity: important


Sometimes I get errors like this: 
May  8 19:15:16 rama1 kernel: [723703.161848] milter-greylist[4544]: segfault at 130 ip 7f5d46f67900 sp 44ff10f0 error 4 in libmilter.so.1.0.1[7f5d46f5c000+f000]
May  8 19:15:16 rama1 kernel: [723703.162967] mimedefang[4639]: segfault at 130 ip 7fe6f9b20900 sp 427670f0 error 4 in libmilter.so.1.0.1[7fe6f9b15000+f000]
 
I'm using sendmail, milter-greylist and mimedefang.
/home, /var/spool/mq* and /etc/mail are on a drbd volume but neither
/var/spool/MIMEDefang  nor /var/run/milter-greylist are. 
The hardware is a HP DL360, 3x 146G SAS (hardware) RAID5.

Thanks in advance.

Javier

 



-- Package-specific info:
Ouput of /usr/share/bug/libmilter1.0.1/script:

ls -alR /etc/mail:
lrwxrwxrwx 1 root root 17 Jan 28 18:16 /etc/mail -> ../drbd/etc/mail/

sendmail.conf:
DAEMON_NETMODE="Static";
DAEMON_NETIF="eth0";
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="No";
DAEMON_MAILSTATS="No";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="10m";
QUEUE_PARMS="";
MSP_MODE="Cron";
MSP_INTERVAL="20m";
MSP_PARMS="";
MSP_MAILSTATS="${DAEMON_MAILSTATS}";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
LOG_CMDS="No";
HANDS_OFF="No";
AGE_DATA="";
DAEMON_RUNASUSER="No";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";


sendmail.mc:
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.13.4-3 2005-06-03 16:49:22 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4-SSL, Port=ssmtp, M=s')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, Addr=127.0.0.1')dnl
define(`confPRIVACY_FLAGS', `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
define(`confCONNECTION_RATE_THROTTLE', `45')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
FEATURE(`access_db')dnl
FEATURE(`greet_pause', `1500')dnl 1.5 seconds
FEATURE(`delay_checks')dnl
define(`confBAD_RCPT_THROTTLE',`6')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
LOCAL_CONFIG
MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m')dnl
FEATURE(`milter-greylist')dnl
define(`confINPUT_MAIL_FILTERS', `greylist,mimedefang')dnl
FEATURE(dnsbl,`combined.njabl.org',`"Message from "$&f " from server " $&{client_addr} " rejected - see http://njabl.org/cgi-bin/lookup.cgi?query="$&{client_addr}')
FEATURE(dnsbl,`cbl.abuseat.org',`"Message from "$&f " from server " $&{client_addr} " Blocked -  see http://cbl.abuseat.org/lookup.cgi?ip="$&{client_addr}')
FEATURE(dnsbl,`pbl.spamhaus.org',`"Message from "$&f " from server " $&{client_addr} " Blocked -  see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')
MASQUERADE_AS(`coospral.com.ar')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`limited_masquerade')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`smrsh')dnl
GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')
FEATURE(genericstable, `hash -o /etc/mail/genericstable.db')dnl
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(mailertable, `hash -o /etc/mail/mailertable.db')dnl
define(`confMAX_DAEMON_CHILDREN',`150')dnl
define(`confMAX_RCPTS_PER_MESSAGE',`550')dnl
define(`confMAX_MESSAGE_SIZE',`20480000')dnl
define(`confTO_IDENT',``5s'')dnl
define(`confSMTP_LOGIN_MSG',`$j servidor de correo preparado (No UCE); $b')dnl
define(`ALIAS_FILE',`/etc/mail/aliases, /etc/mail/listas')
include(`/etc/mail/tls/starttls.m4')dnl
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `A')
FEATURE(`local_procmail')
MAILER_DEFINITIONS
MAILER(local)dnl
MAILER(smtp)dnl

submit.mc...
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: submit.mc, v 8.13.8-3 2006-12-08 20:21:10 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-msp')dnl
FEATURE(`msp', `[127.0.0.1]', `MSA')dnl


-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libmilter1.0.1 depends on:
ii  libc6                         2.7-18     GNU C Library: Shared libraries

libmilter1.0.1 recommends no packages.

libmilter1.0.1 suggests no packages.

Versions of packages sensible-mda depends on:
ii  libc6                         2.7-18     GNU C Library: Shared libraries
ii  maildrop                      2.0.4-3    mail delivery agent with filtering
ii  procmail                      3.22-16    Versatile e-mail processor
ii  sendmail-bin [mail-transport- 8.14.3-5   powerful, efficient, and scalable 

Versions of packages rmail depends on:
ii  libc6                         2.7-18     GNU C Library: Shared libraries
ii  libldap-2.4-2                 2.4.11-1   OpenLDAP libraries
ii  sendmail-bin [mail-transport- 8.14.3-5   powerful, efficient, and scalable 

Versions of packages libmilter0 depends on:
ii  libc6                         2.7-18     GNU C Library: Shared libraries

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Sat, 09 May 2009 13:54:05 GMT)

Acknowledgement sent to Richard A Nelson <cowboy@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Sat, 09 May 2009 13:54:05 GMT)

Message #10 received at 527862@bugs.debian.org:

From: Richard A Nelson <cowboy@debian.org>
To: Javier Kohan <jktmp01@gmail.com>, 527862@bugs.debian.org
Subject: Re: Bug#527862: libmilter1.0.1: segfault in libmilter - using milter-greylist and mimedefang - both dies
Date: Sat, 9 May 2009 06:51:29 -0700 (PDT)
On Fri, 8 May 2009, Javier Kohan wrote:

> Package: libmilter1.0.1
> Version: 8.14.3-5
> Severity: important
>
>
> Sometimes I get errors like this:
> May  8 19:15:16 rama1 kernel: [723703.161848] milter-greylist[4544]: segfault at 130 ip 7f5d46f67900 sp 44ff10f0 error 4 in libmilter.so.1.0.1[7f5d46f5c000+f000]
> May  8 19:15:16 rama1 kernel: [723703.162967] mimedefang[4639]: segfault at 130 ip 7fe6f9b20900 sp 427670f0 error 4 in libmilter.so.1.0.1[7fe6f9b15000+f000]

Well, at least the error seems to be in the same spot.

> I'm using sendmail, milter-greylist and mimedefang.

Ditto, and haven't seen that error yet (on either x86 or amd64).

> /home, /var/spool/mq* and /etc/mail are on a drbd volume but neither
> /var/spool/MIMEDefang  nor /var/run/milter-greylist are.
> The hardware is a HP DL360, 3x 146G SAS (hardware) RAID5.

Nice
>
> Thanks in advance.

At this point, all I can do is ask you to install the libmilter1.0.1-dbg
package, which will give more information on the next segfault.

I am on the road for the next two weeks, but will check mail as often as
possible.

-- 
Rick Nelson
Due to the closed source development model of XFree it is impossible
to support, or even speculate about, features in pre- or beta releases
of XFree.
		-- Marcus Sundberg




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Sun, 10 May 2009 02:06:03 GMT)

Acknowledgement sent to Javier Kohan <jktmp01@gmail.com>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Sun, 10 May 2009 02:06:03 GMT)

Message #15 received at 527862@bugs.debian.org:

From: Javier Kohan <jktmp01@gmail.com>
To: Richard A Nelson <cowboy@debian.org>
Cc: 527862@bugs.debian.org
Subject: Re: Bug#527862: libmilter1.0.1: segfault in libmilter - using milter-greylist and mimedefang - both dies
Date: Sat, 09 May 2009 23:02:58 -0300
Richard A Nelson wrote:
> On Fri, 8 May 2009, Javier Kohan wrote:
>
>> Package: libmilter1.0.1
>> Version: 8.14.3-5
>> Severity: important
>>
>>
>> Sometimes I get errors like this:
>> May  8 19:15:16 rama1 kernel: [723703.161848] milter-greylist[4544]:
>> segfault at 130 ip 7f5d46f67900 sp 44ff10f0 error 4 in
>> libmilter.so.1.0.1[7f5d46f5c000+f000]
>> May  8 19:15:16 rama1 kernel: [723703.162967] mimedefang[4639]:
>> segfault at 130 ip 7fe6f9b20900 sp 427670f0 error 4 in
>> libmilter.so.1.0.1[7fe6f9b15000+f000]
>
>> I'm using sendmail, milter-greylist and mimedefang.
>
> Ditto, and haven't seen that error yet (on either x86 or amd64).
Yep. I have several servers running this config with etch, and a few (2
or 3) with lenny, and this one is the only one where it happens.

>
>> /home, /var/spool/mq* and /etc/mail are on a drbd volume but neither
>> /var/spool/MIMEDefang  nor /var/run/milter-greylist are.
>> The hardware is a HP DL360, 3x 146G SAS (hardware) RAID5.
Forgot to mention, we use heartbeat combined with drbd to give HA to
mail and web.
As I mentioned before, mimedefang and greylist sockets are on plain block
devices, not drbd.

> Nice
>>
>> Thanks in advance.
>
> At this point, all I do is ask you to install the libmilter1.0.1-dbg
> package will give more information on the next segfault.
>
Done (both libmilter and libmilter-dbg installed, is that right?).
Do you need me to do something else to help find the problem?

It didn't happen again, but last time it took more than a week to repeat.
For now, I installed a script running from cron to restart the processes
in case they go down.

> I am on the road for the next two weeks, but will check mail as often as
> possible
>

Thanks again.

Regards,

      Javier





Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Fri, 12 Jun 2009 20:24:02 GMT)

Acknowledgement sent to Jose-Marcio.Martins@mines-paristech.fr:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Fri, 12 Jun 2009 20:24:02 GMT)

Message #20 received at 527862@bugs.debian.org:

From: Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
To: 527862@bugs.debian.org, cowboy@debian.org
Subject: Libmilter patch
Date: Fri, 12 Jun 2009 22:20:11 +0200
[Message part 1 (text/plain, inline)]
In Debian 5.0, _FFR_WORKERS_POOL is enabled by default. I've been running this for many years on
some OSs, including Debian Etch and Lenny. There is a bug in the WORKERS_POOL feature
which can segfault and kill the filter when old stale connections are closed.

I'm attaching a patch which corrects this bug and also some other minor harmless bugs.

This patch will be included in the next release of sendmail.



[worker.c.p5 (text/plain, inline)]
--- worker.c.org	2007-12-03 23:06:05.000000000 +0100
+++ worker.c	2009-06-12 19:46:17.000000000 +0200
@@ -328,6 +328,7 @@
 	int dim_pfd = 0;
 	bool rebuild_set = true;
 	int pcnt = 0; /* error count for poll() failures */
+	time_t lastcheck;
 
 	Tskmgr.tm_tid = sthread_get_id();
 	if (pthread_detach(Tskmgr.tm_tid) != 0)
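Review bot: hoisting `time_t lastcheck;` to function scope is the right fix, because the block-scoped declaration it replaces (removed in the next hunk) was a fresh, uninitialized variable on every pass through `for (;;)`, so `lastcheck + DT_CHECK_OLD_SESSIONS < now` compared an indeterminate value; a short comment beside the declaration saying it records the time of the last stale-session sweep would help the next reader of this function.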
@@ -345,12 +346,12 @@
 	}
 	dim_pfd = PFD_STEP;
 
+	lastcheck = time(NULL);
 	for (;;)
 	{
 		SMFICTX_PTR ctx;
-		int nfd, rfd, i;
+		int nfd = 0, rfd, i;
 		time_t now;
-		time_t lastcheck;
 
 		POOL_LEV_DPRINTF(4, ("Let's %s again...", WAITFN));
 
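Review bot: `int nfd = 0, rfd, i;` re-creates `nfd` as zero on every pass through the loop, while this same patch stops rebuilding the poll set after a timeout (`rebuild_set = false` in the last hunk, and the existing `if (rfd == 0) continue;` path never sets it back). After the first timeout the controller therefore calls `poll(pfd, 0, ...)` on every pass and no session descriptor is watched again. Suggest declaring `int nfd = 0;` beside `lastcheck` at function scope rather than inside `for (;;)`.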
@@ -364,20 +365,20 @@
 		/* check for timed out sessions? */
 		if (lastcheck + DT_CHECK_OLD_SESSIONS < now)
 		{
-			SM_TAILQ_FOREACH(ctx, &WRK_CTX_HEAD, ctx_link)
+			ctx = SM_TAILQ_FIRST(&WRK_CTX_HEAD);
+			while (ctx != SM_TAILQ_END(&WRK_CTX_HEAD))
 			{
+				SMFICTX_PTR ctx_nxt;
+
+				ctx_nxt = SM_TAILQ_NEXT(ctx, ctx_link);
 				if (ctx->ctx_wstate == WKST_WAITING)
 				{
 					if (ctx->ctx_wait == 0)
-					{
 						ctx->ctx_wait = now;
-						continue;
-					}
-
-					/* if session timed out, close it */
-					if (ctx->ctx_wait + OLD_SESSION_TIMEOUT
-					    < now)
+					else if (ctx->ctx_wait + OLD_SESSION_TIMEOUT
+						 < now)
 					{
+						/* if session timed out, close it */
 						sfsistat (*fi_close) __P((SMFICTX *));
 
 						POOL_LEV_DPRINTF(4,
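Review bot: saving `ctx_nxt = SM_TAILQ_NEXT(ctx, ctx_link)` before anything can free `ctx` is the correct way to delete while walking this list, since `mi_close_session(ctx)` frees the context; the `else if` rewrite keeps the original semantics (a `ctx_wait` stamped in this pass is not also tested for timeout in the same pass). One nit: the moved `/* if session timed out, close it */` comment now sits inside the block instead of above the condition it explains.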
@@ -389,10 +390,9 @@
 							(void) (*fi_close)(ctx);
 
 						mi_close_session(ctx);
-						ctx = SM_TAILQ_FIRST(&WRK_CTX_HEAD);
-						continue;
 					}
 				}
+				ctx = ctx_nxt;
 			}
 			lastcheck = now;
 		}
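Review bot: deleting `ctx = SM_TAILQ_FIRST(&WRK_CTX_HEAD); continue;` is the actual crash fix and should be called out in the patch description: inside `SM_TAILQ_FOREACH` that `continue` ran the macro's `SM_TAILQ_NEXT(ctx, ctx_link)` step on the new list head, which is NULL as soon as the closed session was the last entry, giving a read at a small offset from address zero (consistent with the reported `segfault at 130`); when the list was not empty, the new head was skipped and left stale for a later sweep. Stepping to the saved `ctx_nxt` removes both problems.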
@@ -465,6 +465,7 @@
 					}
 				}
 			}
+			rebuild_set = false;
 		}
 
 		TASKMGR_UNLOCK();
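Review bot: `rebuild_set = false;` is only safe if `pfd` and `nfd` keep their values across the timeout `continue`, so it belongs together with moving `nfd` out of the loop body (see the second hunk); it also relies on workers waking the controller through the event pipe (PIPE_SEND_SIGNAL) whenever a session becomes WKST_READY_TO_WAIT, since nothing else sets `rebuild_set` again until poll() reports an event. A comment stating that dependency would keep a later edit from breaking it.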

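The list-walk bug Jose-Marcio describes (closing a stale session from inside the traversal) reduced to a small constructed model, as an added example that is not part of the bug report or of libmilter: `sweep_unpatched` mirrors the original FOREACH-and-reset loop and reports the point where the real code would dereference a NULL cursor, `sweep_patched` mirrors the patched loop that saves the successor first. The `session`, `ctx_list` and `outcome` types and `run_sweep` are stand-ins invented here, and the 7200 s timeout is a constructed value standing for `ctx_timeout`.

```c
#include <stdlib.h>
#include <time.h>

/* Constructed stand-ins for libmilter's SMFICTX list; not libmilter's own types. */
enum { WKST_WAITING = 4 };
struct session {
	int		wstate;		/* WKST_* state (ctx_wstate) */
	time_t		wait;		/* start of idle wait, 0 = not stamped (ctx_wait) */
	time_t		timeout;	/* idle seconds before the session is stale */
	struct session	*next;
};
struct ctx_list { struct session *first; int closed; };
struct outcome { int result; int closed; int remaining; };

/* Unlink and free s, as mi_close_session() frees ctx. */
static void close_session(struct ctx_list *l, struct session *s)
{
	struct session **pp = &l->first;
	while (*pp != NULL && *pp != s)
		pp = &(*pp)->next;
	if (*pp == s)
		*pp = s->next;
	free(s);
	l->closed++;
}

/*
 * Unpatched worker.c: after closing a session the FOREACH cursor is reset to
 * the list head and the loop increment then steps from that head.  Returns 0
 * on a normal exit and -1 at the point where the real increment would read
 * ->next through a NULL cursor, i.e. when the closed session was the last one.
 */
static int sweep_unpatched(struct ctx_list *l, time_t now)
{
	struct session *s;
	for (s = l->first; s != NULL; s = s->next) {
		if (s->wstate != WKST_WAITING)
			continue;
		if (s->wait == 0) {
			s->wait = now;
			continue;
		}
		if (s->wait + s->timeout < now) {
			close_session(l, s);
			s = l->first;
			if (s == NULL)
				return -1;	/* real code: NULL->next, SIGSEGV */
			continue;		/* and the new head gets skipped */
		}
	}
	return 0;
}

/*
 * Patched worker.c: remember the successor before the current session may be
 * freed, then step to it.  Every stale session goes in one sweep and neither
 * a freed nor a NULL pointer is ever followed.
 */
static int sweep_patched(struct ctx_list *l, time_t now)
{
	struct session *s = l->first;
	int n = 0;
	while (s != NULL) {
		struct session *nxt = s->next;
		if (s->wstate == WKST_WAITING) {
			if (s->wait == 0)
				s->wait = now;
			else if (s->wait + s->timeout < now) {
				close_session(l, s);
				n++;
			}
		}
		s = nxt;
	}
	return n;
}

/*
 * Build n waiting sessions idle since t=1000 with a constructed 7200 s (2 h)
 * timeout, sweep once at t=8201 with the chosen traversal, report the outcome.
 */
struct outcome run_sweep(int n, int patched)
{
	struct ctx_list l = { NULL, 0 };
	struct outcome o = { 0, 0, 0 };
	while (n-- > 0) {
		struct session *s = calloc(1, sizeof(*s));
		if (s == NULL)
			abort();
		s->wstate = WKST_WAITING;
		s->wait = 1000;
		s->timeout = 7200;
		s->next = l.first;
		l.first = s;
	}
	o.result = patched ? sweep_patched(&l, 8201) : sweep_unpatched(&l, 8201);
	o.closed = l.closed;
	for (; l.first != NULL; o.remaining++)
		close_session(&l, l.first);
	return o;
}
```

With three stale sessions the unpatched walk closes only two and leaves one for the next sweep; with a single stale session it walks off the end of the list, which is the case that crashes the real controller thread.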
Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Mon, 13 Jul 2009 16:30:05 GMT)

Acknowledgement sent to Bjørn Mork <bjorn@mork.no>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Mon, 13 Jul 2009 16:30:05 GMT)

Message #25 received at 527862@bugs.debian.org:

From: Bjørn Mork <bjorn@mork.no>
To: 527862@bugs.debian.org
Cc: Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
Subject: libmilter: Remote DoS? All milters on multiple servers segfaulting
Date: Mon, 13 Jul 2009 18:16:33 +0200
[Message part 1 (text/plain, inline)]
tags 527862 + patch security
thanks

The last few days I've had both clamav-milter and spamass-milter segfault on
two separate servers both running Debian lenny:

Jul 13 04:59:53 canardo kernel: [9021793.803024] spamass-milter[22767]: segfault at 130 ip 7f94da384900 sp 429190e0 error 4 in libmilter.so.1.0.1[7f94da379000+f000]
Jul 13 05:00:33 canardo kernel: [9021863.827618] clamav-milter[22887]: segfault at 130 ip 7f7aaa945900 sp 4234b0f0 error 4 in libmilter.so.1.0.1[7f7aaa93a000+f000]

Jul 13 05:55:57 huey kernel: [4728098.560126] spamass-milter[20935]: segfault at 130 ip 7fa1b92d1900 sp 4178a0e0 error 4 in libmilter.so.1.0.1[7fa1b92c6000+f000]

This might be because they are handling mail for some of the same
domains, and that a single buggy mail server is bringing them both down.
But I believe it is still a somewhat serious security issue, as it is
obviously possible to bring down virus and spam filtering by a remote
connection.

I'm now testing a modified version of the patch attached to this bug,
and this seems to fix the problem.  Please consider adding this to Lenny
as a security fix.  Thanks.

Note that I suspect that the patch has a bug which prevents it from
working (all milters would just hang with the original patch):

> -             int nfd, rfd, i;
> +             int nfd = 0, rfd, i;

I don't think setting nfd = 0 at this point makes sense. If we hit

		/* timeout */
		if (rfd == 0)
			continue;

then the loop will continue with rebuild_set == false and nfd == 0.

I'm attaching a new patch where this is fixed.



Bjørn

[libmilter-fix.patch (text/x-diff, inline)]
--- ./libmilter/worker.c.bak	2009-07-13 17:41:07.000000000 +0200
+++ ./libmilter/worker.c	2009-07-13 17:47:31.000000000 +0200
@@ -328,6 +328,7 @@
 	int dim_pfd = 0;
 	bool rebuild_set = true;
 	int pcnt = 0; /* error count for poll() failures */
+	time_t lastcheck;
 
 	Tskmgr.tm_tid = sthread_get_id();
 	if (pthread_detach(Tskmgr.tm_tid) != 0)
@@ -345,12 +346,12 @@
 	}
 	dim_pfd = PFD_STEP;
 
+	lastcheck = time(NULL);
 	for (;;)
 	{
 		SMFICTX_PTR ctx;
 		int nfd, rfd, i;
 		time_t now;
-		time_t lastcheck;
 
 		POOL_LEV_DPRINTF(4, ("Let's %s again...", WAITFN));
 
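Review bot: keeping `int nfd, rfd, i;` inside `for (;;)` avoids the zeroing problem, but the value of `nfd` read after a timeout `continue` is that of a block-scoped variable the C standard treats as indeterminate on each entry into the block; it works because compilers reuse the same stack slot, not because the code guarantees it. The robust form is `int nfd = 0;` declared at function scope next to `lastcheck`, which is also what the worker.c attached later in this bug does.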
@@ -364,20 +365,20 @@
 		/* check for timed out sessions? */
 		if (lastcheck + DT_CHECK_OLD_SESSIONS < now)
 		{
-			SM_TAILQ_FOREACH(ctx, &WRK_CTX_HEAD, ctx_link)
+			ctx = SM_TAILQ_FIRST(&WRK_CTX_HEAD);
+			while (ctx != SM_TAILQ_END(&WRK_CTX_HEAD))
 			{
+				SMFICTX_PTR ctx_nxt;
+
+				ctx_nxt = SM_TAILQ_NEXT(ctx, ctx_link);
 				if (ctx->ctx_wstate == WKST_WAITING)
 				{
 					if (ctx->ctx_wait == 0)
-					{
 						ctx->ctx_wait = now;
-						continue;
-					}
-
-					/* if session timed out, close it */
-					if (ctx->ctx_wait + OLD_SESSION_TIMEOUT
-					    < now)
+					else if (ctx->ctx_wait + OLD_SESSION_TIMEOUT
+						 < now)
 					{
+						/* if session timed out, close it */
 						sfsistat (*fi_close) __P((SMFICTX *));
 
 						POOL_LEV_DPRINTF(4,
@@ -389,10 +390,9 @@
 							(void) (*fi_close)(ctx);
 
 						mi_close_session(ctx);
-						ctx = SM_TAILQ_FIRST(&WRK_CTX_HEAD);
-						continue;
 					}
 				}
+				ctx = ctx_nxt;
 			}
 			lastcheck = now;
 		}
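Review bot: this hunk is unchanged from the earlier patch and is the part that stops the NULL dereference: the deleted reset-to-head plus `continue` let the FOREACH step take `SM_TAILQ_NEXT` of an empty list head. A one-line comment above `ctx = ctx_nxt;` noting that `ctx` may already have been freed by `mi_close_session()` would make the reason for the saved successor explicit.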
@@ -465,6 +465,7 @@
 					}
 				}
 			}
+			rebuild_set = false;
 		}
 
 		TASKMGR_UNLOCK();

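Bjørn's point about `nfd` as a constructed model of the controller loop, added here and not part of the bug report or of libmilter: instead of calling poll() it records the `nfd` each call would receive across iterations whose simulated poll() keeps timing out, once with `nfd` re-created inside the loop body as in the first patch and once with it hoisted to function scope. `poll_trace`, `run_controller` and `min_nfd_after_first` are names invented for this example.

```c
#include <stdbool.h>

/*
 * Constructed model of how mi_pool_controller() carries nfd and rebuild_set
 * across iterations; not libmilter code.  Every simulated poll() times out,
 * which is the `if (rfd == 0) continue;` path that leaves rebuild_set false.
 */
#define MAX_POLLS 8

struct poll_trace {
	int calls;
	int nfd[MAX_POLLS];	/* nfd argument of each simulated poll() */
};

/*
 * sessions: waiting sessions to watch besides the wake-up pipe.
 * nfd_in_loop_body: true mirrors the first patch ("int nfd = 0, rfd, i;"
 * declared inside for(;;)), which re-creates nfd as 0 on every pass; false
 * mirrors "int nfd = 0;" hoisted to function scope.
 */
struct poll_trace run_controller(int sessions, int iterations, bool nfd_in_loop_body)
{
	struct poll_trace t = { 0, { 0 } };
	bool rebuild_set = true;	/* first pass always builds the set */
	int nfd = 0;
	int it;

	for (it = 0; it < iterations && t.calls < MAX_POLLS; it++) {
		if (nfd_in_loop_body)
			nfd = 0;	/* block-scoped declaration: fresh zero each pass */
		if (rebuild_set) {
			nfd = 1 + sessions;	/* RD_PIPE first, then each waiting session */
			rebuild_set = false;
		}
		t.nfd[t.calls++] = nfd;	/* stands for poll(pfd, nfd, POLL_TIMEOUT) */
		/* rfd == 0: timeout, continue without rebuilding the set */
	}
	return t;
}

/*
 * Smallest nfd handed to any poll() after the first one, or -1 if there was
 * none.  0 means the controller sleeps on an empty set from then on and no
 * session is ever dispatched again, the hang Bjørn describes.
 */
int min_nfd_after_first(struct poll_trace t)
{
	int i, m = -1;

	for (i = 1; i < t.calls; i++)
		if (m < 0 || t.nfd[i] < m)
			m = t.nfd[i];
	return m;
}
```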
Tags added: patch, security Request was from Bjørn Mork <bjorn@mork.no> to control@bugs.debian.org. (Mon, 13 Jul 2009 16:30:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Mon, 13 Jul 2009 16:54:02 GMT)

Acknowledgement sent to Jose-Marcio.Martins@mines-paristech.fr:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Mon, 13 Jul 2009 16:54:02 GMT)

Message #32 received at 527862@bugs.debian.org:

From: Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
To: Bjørn Mork <bjorn@mork.no>
Cc: 527862@bugs.debian.org
Subject: Re: libmilter: Remote DoS? All milters on multiple servers segfaulting
Date: Mon, 13 Jul 2009 18:55:48 +0200
[Message part 1 (text/plain, inline)]
Hello,

Bjørn Mork wrote:
> tags 527862 + patch security
> thanks
> 
> The last few days I've had both clamav-milter and spamass-milter segfault on
> two separate servers both running Debian lenny:
> 
> Jul 13 04:59:53 canardo kernel: [9021793.803024] spamass-milter[22767]: segfault at 130 ip 7f94da384900 sp 429190e0 error 4 in libmilter.so.1.0.1[7f94da379000+f000]
> Jul 13 05:00:33 canardo kernel: [9021863.827618] clamav-milter[22887]: segfault at 130 ip 7f7aaa945900 sp 4234b0f0 error 4 in libmilter.so.1.0.1[7f7aaa93a000+f000]
> 
> Jul 13 05:55:57 huey kernel: [4728098.560126] spamass-milter[20935]: segfault at 130 ip 7fa1b92d1900 sp 4178a0e0 error 4 in libmilter.so.1.0.1[7fa1b92c6000+f000]
> 
> This might be because they are handling mail for some of the same
> domains, and that a single buggy mail server is bringing them both down.
> But I believe it is still a somewhat serious security issue, as it is
> obviously possible to bring down virus and spam filtering by a remote
> connection.
> 
> I'm now testing a modified version of the patch attached to this bug,
> and this seems to fix the problem.  Please consider adding this to Lenny
> as a security fix.  Thanks.

I'm attaching the last version of worker.c I'm using. There's a little difference.

But I have some comments:

I'm the author of the pool of workers patch, but I'm not from sendmail. This last patch
will be integrated in the next release of sendmail. While it's not out, I'll probably make
it available for download at my web site.

I'm running the original patch on my mail servers for around 5 years without problems.
These servers are under Solaris, FreeBSD or Debian Etch or Lenny... The bug we're
talking about affects only a particular situation, when very old stale connections are
closed by libmilter: connections inactive for more than 2 hours. So, it may be hard to
detect if your patch solves the problem or not.

There may be some confusion about the errors. And maybe the reason your milters are
crashing may not be this bug. There is a situation where it's possible to do a DoS and
most milters crash (but not all). This is related to the number of file descriptors
in use. Do you know how many connections the milter is handling when it crashes? If
there are some hundreds, the reason may be this other problem, which is a bug of most
milters, not libmilter.

[worker.c (text/x-csrc, inline)]
/*
 *  Copyright (c) 2003-2004, 2007 Sendmail, Inc. and its suppliers.
 *	All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 *
 * Contributed by Jose Marcio Martins da Cruz - Ecole des Mines de Paris
 *   Jose-Marcio.Martins@ensmp.fr
 */

#include <sm/gen.h>
SM_RCSID("@(#)$Id: worker.c,v 8.10 2007/12/03 22:06:05 ca Exp $")

#include "libmilter.h"

#if _FFR_WORKERS_POOL

typedef struct taskmgr_S taskmgr_T;

#define TM_SIGNATURE		0x23021957

struct taskmgr_S
{
	long		tm_signature; /* has the controller been initialized */
	sthread_t	tm_tid;	/* thread id of controller */
	smfi_hd_T	tm_ctx_head; /* head of the linked list of contexts */

	int		tm_nb_workers;	/* number of workers in the pool */
	int		tm_nb_idle;	/* number of workers waiting */

	int		tm_p[2];	/* poll control pipe */

	smutex_t	tm_w_mutex;	/* linked list access mutex */
	scond_t		tm_w_cond;	/* */
};

static taskmgr_T     Tskmgr = {0};

#define WRK_CTX_HEAD	Tskmgr.tm_ctx_head

#define RD_PIPE	(Tskmgr.tm_p[0])
#define WR_PIPE	(Tskmgr.tm_p[1])

#define PIPE_SEND_SIGNAL()						\
	do								\
	{								\
		char evt = 0x5a;					\
		int fd = WR_PIPE;					\
		if (write(fd, &evt, sizeof(evt)) != sizeof(evt))	\
			smi_log(SMI_LOG_ERR,				\
				"Error writing to event pipe: %s",	\
				sm_errstring(errno));			\
	} while (0)

#ifndef USE_PIPE_WAKE_POLL
# define USE_PIPE_WAKE_POLL 1
#endif /* USE_PIPE_WAKE_POLL */

/* poll check periodicity (default 10000 - 10 s) */
#define POLL_TIMEOUT   10000

/* worker conditional wait timeout (default 10 s) */
#define COND_TIMEOUT     10

/* functions */
static int mi_close_session __P((SMFICTX_PTR));

static void *mi_worker __P((void *));
static void *mi_pool_controller __P((void *));

static int mi_list_add_ctx __P((SMFICTX_PTR));
static int mi_list_del_ctx __P((SMFICTX_PTR));

/*
**  periodicity of cleaning up old sessions (timedout)
**	sessions list will be checked to find old inactive
**	sessions each DT_CHECK_OLD_SESSIONS sec
*/

#define DT_CHECK_OLD_SESSIONS   600

#ifndef OLD_SESSION_TIMEOUT
# define OLD_SESSION_TIMEOUT      ctx->ctx_timeout
#endif /* OLD_SESSION_TIMEOUT */

/* session states - with respect to the pool of workers */
#define WKST_INIT		0	/* initial state */
#define WKST_READY_TO_RUN	1	/* command ready do be read */
#define WKST_RUNNING		2	/* session running on a worker */
#define WKST_READY_TO_WAIT	3	/* session just finished by a worker */
#define WKST_WAITING		4	/* waiting for new command */
#define WKST_CLOSING		5	/* session finished */

#ifndef MIN_WORKERS
# define MIN_WORKERS	2  /* minimum number of threads to keep around */
#endif

#define MIN_IDLE	1  /* minimum number of idle threads */


/*
**  Macros for threads and mutex management
*/

#define TASKMGR_LOCK()							\
	do								\
	{								\
		if (!smutex_lock(&Tskmgr.tm_w_mutex))			\
			smi_log(SMI_LOG_ERR, "TASKMGR_LOCK error");	\
	} while (0)

#define TASKMGR_UNLOCK()						\
	do								\
	{								\
		if (!smutex_unlock(&Tskmgr.tm_w_mutex))			\
			smi_log(SMI_LOG_ERR, "TASKMGR_UNLOCK error");	\
	} while (0)

#define	TASKMGR_COND_WAIT()						\
	scond_timedwait(&Tskmgr.tm_w_cond, &Tskmgr.tm_w_mutex, COND_TIMEOUT)

#define	TASKMGR_COND_SIGNAL()						\
	do								\
	{								\
		if (scond_signal(&Tskmgr.tm_w_cond) != 0)		\
			smi_log(SMI_LOG_ERR, "TASKMGR_COND_SIGNAL error"); \
	} while (0)

#define LAUNCH_WORKER(ctx)						\
	do								\
	{								\
		int r;							\
		sthread_t tid;						\
									\
		if ((r = thread_create(&tid, mi_worker, ctx)) != 0)	\
			smi_log(SMI_LOG_ERR, "LAUNCH_WORKER error: %s",\
				sm_errstring(r));			\
	} while (0)

#if POOL_DEBUG
# define POOL_LEV_DPRINTF(lev, x)					\
	do {								\
		if ((lev) < ctx->ctx_dbg)				\
			sm_dprintf x;					\
	} while (0)
#else /* POOL_DEBUG */
# define POOL_LEV_DPRINTF(lev, x)
#endif /* POOL_DEBUG */

/*
**  MI_START_SESSION -- Start a session in the pool of workers
**
**	Parameters:
**		ctx -- context structure
**
**	Returns:
**		MI_SUCCESS/MI_FAILURE
*/

int
mi_start_session(ctx)
	SMFICTX_PTR ctx;
{
	static long id = 0;

	SM_ASSERT(Tskmgr.tm_signature == TM_SIGNATURE);
	SM_ASSERT(ctx != NULL);
	POOL_LEV_DPRINTF(4, ("PIPE r=[%d] w=[%d]", RD_PIPE, WR_PIPE));
	TASKMGR_LOCK();

	if (mi_list_add_ctx(ctx) != MI_SUCCESS)
	{
		TASKMGR_UNLOCK();
		return MI_FAILURE;
	}

	ctx->ctx_sid = id++;

	/* if there is an idle worker, signal it, otherwise start new worker */
	if (Tskmgr.tm_nb_idle > 0)
	{
		ctx->ctx_wstate = WKST_READY_TO_RUN;
		TASKMGR_COND_SIGNAL();
	}
	else
	{
		ctx->ctx_wstate = WKST_RUNNING;
		LAUNCH_WORKER(ctx);
	}
	TASKMGR_UNLOCK();
	return MI_SUCCESS;
}

/*
**  MI_CLOSE_SESSION -- Close a session and clean up data structures
**
**	Parameters:
**		ctx -- context structure
**
**	Returns:
**		MI_SUCCESS/MI_FAILURE
*/

static int
mi_close_session(ctx)
	SMFICTX_PTR ctx;
{
	SM_ASSERT(ctx != NULL);

	(void) mi_list_del_ctx(ctx);
	if (ValidSocket(ctx->ctx_sd))
	{
		(void) closesocket(ctx->ctx_sd);
		ctx->ctx_sd = INVALID_SOCKET;
	}
	if (ctx->ctx_reply != NULL)
	{
		free(ctx->ctx_reply);
		ctx->ctx_reply = NULL;
	}
	if (ctx->ctx_privdata != NULL)
	{
		smi_log(SMI_LOG_WARN, "%s: private data not NULL",
			ctx->ctx_smfi->xxfi_name);
	}
	mi_clr_macros(ctx, 0);
	free(ctx);

	return MI_SUCCESS;
}

/*
**  MI_POOL_CONTROLER_INIT -- Launch the worker pool controller
**		Must be called before starting sessions.
**
**	Parameters:
**		none
**
**	Returns:
**		MI_SUCCESS/MI_FAILURE
*/

int
mi_pool_controller_init()
{
	sthread_t tid;
	int r, i;

	if (Tskmgr.tm_signature == TM_SIGNATURE)
		return MI_SUCCESS;

	SM_TAILQ_INIT(&WRK_CTX_HEAD);
	Tskmgr.tm_tid = (sthread_t) -1;
	Tskmgr.tm_nb_workers = 0;
	Tskmgr.tm_nb_idle = 0;

	if (pipe(Tskmgr.tm_p) != 0)
	{
		smi_log(SMI_LOG_ERR, "can't create event pipe: %s",
			sm_errstring(errno));	/* pipe() reports through errno; r is not yet set here */
		return MI_FAILURE;
	}

	(void) smutex_init(&Tskmgr.tm_w_mutex);
	(void) scond_init(&Tskmgr.tm_w_cond);

	/* Launch the pool controller */
	if ((r = thread_create(&tid, mi_pool_controller, (void *) NULL)) != 0)
	{
		smi_log(SMI_LOG_ERR, "can't create controller thread: %s",
			sm_errstring(r));
		return MI_FAILURE;
	}
	Tskmgr.tm_tid = tid;
	Tskmgr.tm_signature = TM_SIGNATURE;

	/* Create the pool of workers */
	for (i = 0; i < MIN_WORKERS; i++)
	{
		if ((r = thread_create(&tid, mi_worker, (void *) NULL)) != 0)
		{
			smi_log(SMI_LOG_ERR, "can't create workers crew: %s",
				sm_errstring(r));
			return MI_FAILURE;
		}
	}

	return MI_SUCCESS;
}

/*
**  MI_POOL_CONTROLLER -- manage the pool of workers
**	This thread must be running when listener begins
**	starting sessions
**
**	Parameters:
**		arg -- unused
**
**	Returns:
**		NULL
**
**	Control flow:
**		for (;;)
**			Look for timed out sessions
**			Select sessions to wait for sendmail command
**			Poll set of file descriptors
**			if timeout
**				continue
**			For each file descriptor ready
**				launch new thread if no worker available
**				else
**				signal waiting worker
*/

/* Poll structure array (pollfd) size step */
#define PFD_STEP	256

#define WAIT_FD(i)	(pfd[i].fd)
#define WAITFN		"POLL"

static void *
mi_pool_controller(arg)
	void *arg;
{
	struct pollfd *pfd = NULL;
	int dim_pfd = 0;
	bool rebuild_set = true;
	int pcnt = 0; /* error count for poll() failures */
	time_t lastcheck;
	int nfd = 0;

	Tskmgr.tm_tid = sthread_get_id();
	if (pthread_detach(Tskmgr.tm_tid) != 0)
	{
		smi_log(SMI_LOG_ERR, "Failed to detach pool controller thread");
		return NULL;
	}

	pfd = (struct pollfd *) malloc(PFD_STEP * sizeof(struct pollfd));
	if (pfd == NULL)
	{
		smi_log(SMI_LOG_ERR, "Failed to malloc pollfd array: %s",
			sm_errstring(errno));
		return NULL;
	}
	dim_pfd = PFD_STEP;

	lastcheck = time(NULL);
	for (;;)
	{
		SMFICTX_PTR ctx;
		int rfd, i;
		time_t now;

		POOL_LEV_DPRINTF(4, ("Let's %s again...", WAITFN));

		if (mi_stop() != MILTER_CONT)
			break;

		TASKMGR_LOCK();

		now = time(NULL);

		/* check for timed out sessions? */
		if (lastcheck + DT_CHECK_OLD_SESSIONS < now)
		{
			ctx = SM_TAILQ_FIRST(&WRK_CTX_HEAD);
			while (ctx != SM_TAILQ_END(&WRK_CTX_HEAD))
			{
				SMFICTX_PTR ctx_nxt;

				ctx_nxt = SM_TAILQ_NEXT(ctx, ctx_link);
				if (ctx->ctx_wstate == WKST_WAITING)
				{
					if (ctx->ctx_wait == 0)
						ctx->ctx_wait = now;
					else if (ctx->ctx_wait + OLD_SESSION_TIMEOUT
						 < now)
					{
						/* if session timed out, close it */
						sfsistat (*fi_close) __P((SMFICTX *));

						POOL_LEV_DPRINTF(4,
							("Closing old connection: sd=%d id=%d",
							ctx->ctx_sd,
							ctx->ctx_sid));

						if ((fi_close = ctx->ctx_smfi->xxfi_close) != NULL)
							(void) (*fi_close)(ctx);

						mi_close_session(ctx);
					}
				}
				ctx = ctx_nxt;
			}
			lastcheck = now;
		}

		if (rebuild_set)
		{
			/*
			**  Initialize poll set.
			**  Insert into the poll set the file descriptors of
			**  all sessions waiting for a command from sendmail.
			*/

			nfd = 0;

			/* begin with worker pipe */
			pfd[nfd].fd = RD_PIPE;
			pfd[nfd].events = MI_POLL_RD_FLAGS;
			pfd[nfd].revents = 0;
			nfd++;

			SM_TAILQ_FOREACH(ctx, &WRK_CTX_HEAD, ctx_link)
			{
				/*
				**  update ctx_wait - start of wait moment -
				**  for timeout
				*/

				if (ctx->ctx_wstate == WKST_READY_TO_WAIT)
					ctx->ctx_wait = now;

				/* add the session to the pollfd array? */
				if ((ctx->ctx_wstate == WKST_READY_TO_WAIT) ||
				    (ctx->ctx_wstate == WKST_WAITING))
				{
					/*
					**  Resize the pollfd array if it
					**  isn't large enough.
					*/

					if (nfd >= dim_pfd)
					{
						struct pollfd *tpfd;
						size_t new;

						new = (dim_pfd + PFD_STEP) *
							sizeof(*tpfd);
						tpfd = (struct pollfd *)
							realloc(pfd, new);
						if (tpfd != NULL)
						{
							pfd = tpfd;
							dim_pfd += PFD_STEP;
						}
						else
						{
							smi_log(SMI_LOG_ERR,
								"Failed to realloc pollfd array:%s",
								sm_errstring(errno));
						}
					}

					/* add the session to pollfd array */
					if (nfd < dim_pfd)
					{
						ctx->ctx_wstate = WKST_WAITING;
						pfd[nfd].fd = ctx->ctx_sd;
						pfd[nfd].events = MI_POLL_RD_FLAGS;
						pfd[nfd].revents = 0;
						nfd++;
					}
				}
			}
			rebuild_set = false;
		}

		TASKMGR_UNLOCK();

		/* Everything is ready, let's wait for an event */
		rfd = poll(pfd, nfd, POLL_TIMEOUT);

		POOL_LEV_DPRINTF(4, ("%s returned: at epoch %d value %d",
			WAITFN, now, nfd));

		/* timeout */
		if (rfd == 0)
			continue;

		rebuild_set = true;

		/* error */
		if (rfd < 0)
		{
			if (errno == EINTR)
				continue;
			pcnt++;
			smi_log(SMI_LOG_ERR,
				"%s() failed (%s), %s",
				WAITFN, sm_errstring(errno),
				pcnt >= MAX_FAILS_S ? "abort" : "try again");

			if (pcnt >= MAX_FAILS_S)
				goto err;
		}
		pcnt = 0;

		/* something happened */
		for (i = 0; i < nfd; i++)
		{
			if (pfd[i].revents == 0)
				continue;

			POOL_LEV_DPRINTF(4, ("%s event on pfd[%d/%d]=%d ",
				WAITFN, i, nfd,
			WAIT_FD(i)));

			/* has a worker signaled an end of task ? */
			if (WAIT_FD(i) == RD_PIPE)
			{
				char evt = 0;
				int r = 0;

				POOL_LEV_DPRINTF(4,
					("PIPE WILL READ evt = %08X %08X",
					pfd[i].events, pfd[i].revents));

				if ((pfd[i].revents & MI_POLL_RD_FLAGS) != 0)
				{
					r = read(RD_PIPE, &evt, sizeof(evt));
					if (r == sizeof(evt))
					{
						/* Do nothing */
					}
				}

				POOL_LEV_DPRINTF(4,
					("PIPE DONE READ i=[%d] fd=[%d] r=[%d] evt=[%d]",
					i, RD_PIPE, r, evt));

				if ((pfd[i].revents & ~MI_POLL_RD_FLAGS) != 0)
				{
					/* Exception handling */
				}
				continue;
			}

			/* no ! sendmail wants to send a command */
			SM_TAILQ_FOREACH(ctx, &WRK_CTX_HEAD, ctx_link)
			{
				if (ctx->ctx_wstate != WKST_WAITING)
					continue;

				POOL_LEV_DPRINTF(4,
					("Checking context sd=%d - fd=%d ",
					ctx->ctx_sd , WAIT_FD(i)));

				if (ctx->ctx_sd == pfd[i].fd)
				{
					TASKMGR_LOCK();

					POOL_LEV_DPRINTF(4,
						("TASK: found %d for fd[%d]=%d",
						ctx->ctx_sid, i, WAIT_FD(i)));

					if (Tskmgr.tm_nb_idle > 0)
					{
						ctx->ctx_wstate = WKST_READY_TO_RUN;
						TASKMGR_COND_SIGNAL();
					}
					else
					{
						ctx->ctx_wstate = WKST_RUNNING;
						LAUNCH_WORKER(ctx);
					}
					TASKMGR_UNLOCK();
					break;
				}
			}

			POOL_LEV_DPRINTF(4,
				("TASK %s FOUND - Checking PIPE for fd[%d]",
				ctx != NULL ? "" : "NOT", WAIT_FD(i)));
		}
	}

  err:
	if (pfd != NULL)
		free(pfd);

	Tskmgr.tm_signature = 0;
	for (;;)
	{
		SMFICTX_PTR ctx;

		ctx = SM_TAILQ_FIRST(&WRK_CTX_HEAD);
		if (ctx == NULL)
			break;
		mi_close_session(ctx);
	}

	(void) smutex_destroy(&Tskmgr.tm_w_mutex);
	(void) scond_destroy(&Tskmgr.tm_w_cond);

	return NULL;
}

/*
**  Look for a task ready to run.
**  Value of ctx is NULL or a pointer to a task ready to run.
*/

#define GET_TASK_READY_TO_RUN()					\
	SM_TAILQ_FOREACH(ctx, &WRK_CTX_HEAD, ctx_link)		\
	{							\
		if (ctx->ctx_wstate == WKST_READY_TO_RUN)	\
		{						\
			ctx->ctx_wstate = WKST_RUNNING;		\
			break;					\
		}						\
	}

/*
**  MI_WORKER -- worker thread
**	executes tasks distributed by the mi_pool_controller
**	or by mi_start_session
**
**	Parameters:
**		arg -- pointer to context structure
**
**	Returns:
**		NULL pointer
*/

static void *
mi_worker(arg)
	void *arg;
{
	SMFICTX_PTR ctx;
	bool done;
	sthread_t t_id;
	int r;

	ctx = (SMFICTX_PTR) arg;
	done = false;
	if (ctx != NULL)
		ctx->ctx_wstate = WKST_RUNNING;

	t_id = sthread_get_id();
	if (pthread_detach(t_id) != 0)
	{
		smi_log(SMI_LOG_ERR, "Failed to detach worker thread");
		if (ctx != NULL)
			ctx->ctx_wstate = WKST_READY_TO_RUN;
		return NULL;
	}

	TASKMGR_LOCK();
	Tskmgr.tm_nb_workers++;
	TASKMGR_UNLOCK();

	while (!done)
	{
		if (mi_stop() != MILTER_CONT)
			break;

		/* let's handle next task... */
		if (ctx != NULL)
		{
			int res;

			POOL_LEV_DPRINTF(4,
				("worker %d: new task -> let's handle it",
				t_id));
			res = mi_engine(ctx);
			POOL_LEV_DPRINTF(4,
				("worker %d: mi_engine returned %d", t_id, res));

			TASKMGR_LOCK();
			if (res != MI_CONTINUE)
			{
				ctx->ctx_wstate = WKST_CLOSING;

				/*
				**  Delete context from linked list of
				**  sessions and close session.
				*/

				mi_close_session(ctx);
			}
			else
			{
				ctx->ctx_wstate = WKST_READY_TO_WAIT;

				POOL_LEV_DPRINTF(4,
					("writing to event pipe..."));

				/*
				**  Signal task controller to add new session
				**  to poll set.
				*/

				PIPE_SEND_SIGNAL();
			}
			TASKMGR_UNLOCK();
			ctx = NULL;

		}

		/* check if there is any task waiting to be served */
		TASKMGR_LOCK();

		GET_TASK_READY_TO_RUN();

		/* Got a task? */
		if (ctx != NULL)
		{
			TASKMGR_UNLOCK();
			continue;
		}

		/*
		**  if not, let's check if there is enough idle workers
		**	if yes: quit
		*/

		if (Tskmgr.tm_nb_workers > MIN_WORKERS &&
		    Tskmgr.tm_nb_idle > MIN_IDLE)
			done = true;

		POOL_LEV_DPRINTF(4, ("worker %d: checking ... %d %d", t_id,
			Tskmgr.tm_nb_workers, Tskmgr.tm_nb_idle + 1));

		if (done)
		{
			POOL_LEV_DPRINTF(4, ("worker %d: quitting... ", t_id));
			Tskmgr.tm_nb_workers--;
			TASKMGR_UNLOCK();
			continue;
		}

		/*
		**  if no task ready to run, wait for another one
		*/

		Tskmgr.tm_nb_idle++;
		TASKMGR_COND_WAIT();
		Tskmgr.tm_nb_idle--;

		/* look for a task */
		GET_TASK_READY_TO_RUN();

		TASKMGR_UNLOCK();
	}
	return NULL;
}

/*
**  MI_LIST_ADD_CTX -- add new session to linked list
**
**	Parameters:
**		ctx -- context structure
**
**	Returns:
**		MI_FAILURE/MI_SUCCESS
*/

static int
mi_list_add_ctx(ctx)
	SMFICTX_PTR ctx;
{
	SM_ASSERT(ctx != NULL);
	SM_TAILQ_INSERT_TAIL(&WRK_CTX_HEAD, ctx, ctx_link);
	return MI_SUCCESS;
}

/*
**  MI_LIST_DEL_CTX -- remove session from linked list when finished
**
**	Parameters:
**		ctx -- context structure
**
**	Returns:
**		MI_FAILURE/MI_SUCCESS
*/

static int
mi_list_del_ctx(ctx)
	SMFICTX_PTR ctx;
{
	SM_ASSERT(ctx != NULL);
	if (SM_TAILQ_EMPTY(&WRK_CTX_HEAD))
		return MI_FAILURE;

	SM_TAILQ_REMOVE(&WRK_CTX_HEAD, ctx, ctx_link);
	return MI_SUCCESS;
}
#endif /* _FFR_WORKERS_POOL */
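An added illustration of the stale-session sweep at the top of the attached worker.c (stamp ctx_wait on first sight, close once older than OLD_SESSION_TIMEOUT, then advance with ctx = ctx_nxt). This is example code written for this page, not libmilter and not Jose-Marcio's worker.c: the list is a hand-rolled doubly linked list instead of SM_TAILQ, the WKST_WAITING guard and the two-hour value are assumptions (the attached fragment does not show the enclosing condition or the macro's definition; the thread mentions two hours), and the sessions are constructed. The point it makes is the one the attached loop depends on: the next pointer is read before the session is closed and freed, so the walk never touches a context that has already been released.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Assumed value: the thread talks about connections idle for more than two
 * hours; the attached fragment does not show the macro's definition. */
#define OLD_SESSION_TIMEOUT (2 * 60 * 60)

enum wstate { WKST_WAITING, WKST_RUNNING };

/* Toy stand-in for SMFICTX with only the fields the sweep looks at, kept in a
 * hand-rolled doubly linked list instead of SM_TAILQ. */
struct session {
	int sd;                      /* socket to the MTA (ctx_sd) */
	time_t wait;                 /* start of the wait for the MTA (ctx_wait); 0 = not stamped */
	enum wstate wstate;          /* ctx_wstate */
	struct session *prev, *next;
};

struct session_list { struct session *first, *last; };

static struct session *
session_add(struct session_list *l, int sd, enum wstate st, time_t wait)
{
	struct session *s = calloc(1, sizeof(*s));

	if (s == NULL) abort();
	s->sd = sd; s->wstate = st; s->wait = wait;
	s->prev = l->last;
	if (l->last != NULL) l->last->next = s; else l->first = s;
	l->last = s;
	return s;
}

/* Unlink and free; in the toy this stands in for mi_close_session. s is dead
 * after this returns, which is why the sweep reads s->next before calling it. */
static void
session_close(struct session_list *l, struct session *s)
{
	if (s->prev != NULL) s->prev->next = s->next; else l->first = s->next;
	if (s->next != NULL) s->next->prev = s->prev; else l->last = s->prev;
	free(s);
}

/* The stale-connection check: stamp the wait start on first sight, close once
 * idle for longer than OLD_SESSION_TIMEOUT. Returns the number closed. */
static int
sweep_stale(struct session_list *l, time_t now)
{
	struct session *s, *nxt;
	int closed = 0;

	for (s = l->first; s != NULL; s = nxt)
	{
		nxt = s->next;                 /* read before s can be freed */
		if (s->wstate != WKST_WAITING) /* assumed guard: only idle sessions age out */
			continue;
		if (s->wait == 0)
			s->wait = now;
		else if (s->wait + OLD_SESSION_TIMEOUT < now)
		{
			session_close(l, s);
			closed++;
		}
	}
	return closed;
}

static int
list_len(const struct session_list *l)
{
	const struct session *s;
	int n = 0;

	for (s = l->first; s != NULL; s = s->next) n++;
	return n;
}

/* Constructed scenario: sd 3 idle three hours, sd 4 idle ten minutes, sd 5 busy
 * for five hours, sd 6 waiting but not yet stamped. One session is closed,
 * three are left, and sd 6 gets stamped with now. */
static void
run_scenario(int *closed, int *remaining, int *stamped)
{
	struct session_list l = { NULL, NULL };
	time_t now = 1000000;
	struct session *d;

	session_add(&l, 3, WKST_WAITING, now - 3 * 60 * 60);
	session_add(&l, 4, WKST_WAITING, now - 10 * 60);
	session_add(&l, 5, WKST_RUNNING, now - 5 * 60 * 60);
	d = session_add(&l, 6, WKST_WAITING, 0);

	*closed = sweep_stale(&l, now);
	*remaining = list_len(&l);
	*stamped = (d->wait == now);
	while (l.first != NULL) session_close(&l, l.first);
}

int scenario_closed(void)    { int c, r, s; run_scenario(&c, &r, &s); return c; }
int scenario_remaining(void) { int c, r, s; run_scenario(&c, &r, &s); return r; }
int scenario_stamped(void)   { int c, r, s; run_scenario(&c, &r, &s); return s; }

int main(void)
{
	printf("closed=%d remaining=%d stamped=%d\n",
	       scenario_closed(), scenario_remaining(), scenario_stamped());
	return 0;
}
```

Writing the same loop as a plain for-each over the list, with the close inside the body and the advance step reading s->next afterwards, would read freed memory on every expiry; the saved-next form is the only safe way to delete while iterating a list of this kind.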

Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Mon, 13 Jul 2009 17:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bjørn Mork <bjorn@mork.no>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Mon, 13 Jul 2009 17:21:02 GMT) Full text and rfc822 format available.

Message #37 received at 527862@bugs.debian.org (full text, mbox):

From: Bjørn Mork <bjorn@mork.no>
To: Jose-Marcio.Martins@mines-paristech.fr
Cc: 527862@bugs.debian.org
Subject: Re: libmilter: Remote DoS? All milters on multiple servers segfaulting
Date: Mon, 13 Jul 2009 19:18:53 +0200
Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
writes:

> Hello,
>
> Bjørn Mork wrote:
>> tags 527862 + patch security
>> thanks
>>
>> The last few days I've had both clamav-milter and spamass-milter segfault on
>> two separate servers both running Debian lenny:
>>
>> Jul 13 04:59:53 canardo kernel: [9021793.803024] spamass-milter[22767]: segfault at 130 ip 7f94da384900 sp 429190e0 error 4 in libmilter.so.1.0.1[7f94da379000+f000]
>> Jul 13 05:00:33 canardo kernel: [9021863.827618] clamav-milter[22887]: segfault at 130 ip 7f7aaa945900 sp 4234b0f0 error 4 in libmilter.so.1.0.1[7f7aaa93a000+f000]
>>
>> Jul 13 05:55:57 huey kernel: [4728098.560126] spamass-milter[20935]: segfault at 130 ip 7fa1b92d1900 sp 4178a0e0 error 4 in libmilter.so.1.0.1[7fa1b92c6000+f000]
>>
>> This might be because they are handling mail for some of the same
>> domains, and that a single buggy mail server is bringing them both down.
>> But I believe it is still a somewhat serious security issue, as it is
>> obviously possible to bring down virus and spam filtering by a remote
>> connection.
>>
>> I'm now testing a modified version of the patch attached to this bug,
>> and this seems to fix the problem.  Please consider adding this to Lenny
>> as a security fix.  Thanks.
>
> I'm attaching the last version of worker.c I'm using. There's a little difference.
>
> But I have some comments :
>
> I'm the author of the pool of workers patch, but I'm not from
> sendmail. This last patch will be integrated in the next release of
> sendmail. Until it's out, I'll probably make it available for
> download at my web site.
>
> I'm running the original patch on my mail servers for around 5 years
> without problems. These servers are under Solaris, FreeBSD or Debian
> Etch or Lenny... 

With "nfd = 0" inside the "for (;;)" loop?  Strange.  I could not get
that to handle anything at all.


> The bug we're talking about affects only a
> particular situation when very old stale connections are closed by
> libmilter : connections inactive for more than 2 hours. So, it may be
> hard to detect if your patch solves the problem or not.

Yes, I understand that. 

But does that mean that the bug can be triggered by connecting to a
server running milters and leaving the connection open for more than 2
hours? 

If so, it should be fairly easy both to test and, unfortunately, to use
this for a DoS attack...

> There may be some confusion about the errors. And maybe the reason
> your milters are crashing may not be this bug. There is a situation
> where it's possible to do a DoS and very most milters crash (but not
> all). This is related to the number of file descriptors in use. Do you
> know how many connections the milter is handling when it crashes ???
> If there are some hundreds the reason maybe this other problem, which
> is a bug of most milters, not libmilter.

I'm afraid I don't know how many connections were open when the milters
crashed, but the mail statistics does not show any unusual activity.
And these servers are very lightly loaded (less than 1 message per
minute on average). 

Another hint pointing at libmilter, is the fact that both clamav-milter
and spamass-milter crashed at the same time



>
> static void *
> mi_pool_controller(arg)
> 	void *arg;
> {
> 	struct pollfd *pfd = NULL;
> 	int dim_pfd = 0;
> 	bool rebuild_set = true;
> 	int pcnt = 0; /* error count for poll() failures */
> 	time_t lastcheck;
> 	int nfd = 0;

I do note that nfd = 0 has moved here now.  Which will also fix that
bug.



Bjørn




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Mon, 13 Jul 2009 17:42:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jose-Marcio.Martins@mines-paristech.fr:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Mon, 13 Jul 2009 17:42:07 GMT) Full text and rfc822 format available.

Message #42 received at 527862@bugs.debian.org (full text, mbox):

From: Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
To: Bjørn Mork <bjorn@mork.no>
Cc: 527862@bugs.debian.org
Subject: Re: libmilter: Remote DoS? All milters on multiple servers segfaulting
Date: Mon, 13 Jul 2009 19:35:55 +0200
Bjørn Mork wrote:
> Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
> writes:
> 

>>
>> I'm running the original patch on my mail servers for around 5 years
>> without problems. These servers are under Solaris, FreeBSD or Debian
>> Etch or Lenny... 
> 
> With "nfd = 0" inside the "for (;;)" loop?  Strange.  I could not get
> that to handle anything at all.

As long as rebuild_set was always true, nfd would be set to a correct value each time the 
loop was run.

> 
> 
>> The bug we're talking about affects only a
>> particular situation when very old stale connections are closed by
>> libmilter : connections inactive for more than 2 hours. So, it may be
>> hard to detect if your patch solves the problem or not.
> 
> Yes, I understand that. 
> 
> But does that mean that the bug can be triggered by connecting to a
> server running milters and leaving the connection open for more than 2
> hours? 
> 
> If so, it should be fairly easy both to test and, unfortunately, to use
> this for a DoS attack...

This is one condition, but not the only one.


> I'm afraid I don't know how many connections were open when the milters
> crashed, but the mail statistics does not show any unusual activity.
> And these servers are very lightly loaded (less than 1 message per
> minute on average).
> 
> Another hint pointing at libmilter, is the fact that both clamav-milter
> and spamass-milter crashed at the same time

Both subjects are related to libmilter. The second one is related to the number of file 
descriptors in use. There were many messages in the comp.mail.sendmail newsgroup many years 
ago. It's up to milters to control the number of file descriptors in use, not 
libmilter. So although it's related to libmilter, it's not a libmilter bug.

But when it happens, libmilter logs something at some syslog file.






Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Mon, 13 Jul 2009 20:03:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jose-Marcio.Martins@mines-paristech.fr:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Mon, 13 Jul 2009 20:03:15 GMT) Full text and rfc822 format available.

Message #47 received at 527862@bugs.debian.org (full text, mbox):

From: Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
To: 527862@bugs.debian.org, Bjørn Mork <bjorn@mork.no>
Subject: Re: Bug#527862: libmilter: Remote DoS? All milters on multiple servers segfaulting
Date: Mon, 13 Jul 2009 21:46:06 +0200
Jose-Marcio Martins da Cruz wrote:

> 
> I'm attaching the last version of worker.c I'm using. There's a little 
> difference.
>
> This last patch will be integrated in the next release of sendmail. Until 
> it's out, I'll probably make it available for download at my web site.

Until sendmail-8.14.4 is out, the patched version of libmilter can be
downloaded here :

	http://j-chkmail.ensmp.fr/libmilter





Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Thu, 16 Jul 2009 00:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jose-Marcio.Martins@mines-paristech.fr:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Thu, 16 Jul 2009 00:30:02 GMT) Full text and rfc822 format available.

Message #52 received at 527862@bugs.debian.org (full text, mbox):

From: Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
To: Bjørn Mork <bjorn@mork.no>, 527862@bugs.debian.org
Subject: Re: Bug#527862: libmilter: Remote DoS? All milters on multiple servers segfaulting
Date: Thu, 16 Jul 2009 02:28:48 +0200
Bjørn Mork wrote:
> Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
> writes:

...

> I'm afraid I don't know how many connections were open when the milters
> crashed, but the mail statistics does not show any unusual activity.
> And these servers are very lightly loaded (less than 1 message per
> minute on average). 

Well... There is still something which intrigues me. The original version of the pool of 
workers has been running for more than two years on a Debian etch, which was upgraded to Lenny 
some time ago. But the MTA is postfix, not sendmail. And not a single crash...

A possible explanation is the timeouts set up on sendmail side.

This bug only generates a crash when an inactive connection was detected by libmilter (not 
by the MTA). So, if the MTA timeout for inactive connections is less than two hours, the 
connection will be closed by the MTA and the filter will never crash. I'm wondering if 
some of the default timeouts set by debian can't be bigger than two hours...

Can you tell me what are your timeout values ?




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Thu, 16 Jul 2009 07:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bjørn Mork <bjorn@mork.no>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Thu, 16 Jul 2009 07:00:02 GMT) Full text and rfc822 format available.

Message #57 received at 527862@bugs.debian.org (full text, mbox):

From: Bjørn Mork <bjorn@mork.no>
To: Jose-Marcio.Martins@mines-paristech.fr
Cc: 527862@bugs.debian.org
Subject: Re: Bug#527862: libmilter: Remote DoS? All milters on multiple servers segfaulting
Date: Thu, 16 Jul 2009 08:56:35 +0200
Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
writes:

> Well... There is still something which intrigues me. The original
> version of the pool of workers has been running for more than two
> years on a Debian etch, which was upgraded to Lenny some time ago. But
> the MTA is postfix, not sendmail. And not a single crash...

That's my experience with sendmail too.  Until a week ago.


> A possible explanation is the timeouts set up on sendmail side.
>
> This bug only generates a crash when an inactive connection was
> detected by libmilter (not by the MTA). So, if the MTA timeout for
> inactive connections is less than two hours, the connection will be
> closed by the MTA and the filter will never crash. I'm wondering if
> some of the default timeouts set by debian can't be bigger than two
> hours...

Is it somehow possible to avoid MTA timeout and still have libmilter
time out? 


> Can you tell me what are your timeout values ?

sendmail timeouts (I believe all these are Debian and/or sendmail
defaults):

# timeouts (many of these)
#O Timeout.initial=5m
#O Timeout.connect=5m
#O Timeout.aconnect=0s
O Timeout.iconnect=2m
#O Timeout.helo=5m
O Timeout.mail=2m
#O Timeout.rcpt=1h
O Timeout.datainit=2m
#O Timeout.datablock=1h
#O Timeout.datafinal=1h
O Timeout.rset=1m
O Timeout.quit=2m
#O Timeout.misc=2m
O Timeout.command=5m
O Timeout.ident=5s
#O Timeout.fileopen=60s
#O Timeout.control=2m
O Timeout.queuereturn=5d
#O Timeout.queuereturn.normal=5d
#O Timeout.queuereturn.urgent=2d
#O Timeout.queuereturn.non-urgent=7d
#O Timeout.queuereturn.dsn=5d
O Timeout.queuewarn=4h
#O Timeout.queuewarn.normal=4h
#O Timeout.queuewarn.urgent=1h
#O Timeout.queuewarn.non-urgent=12h
#O Timeout.queuewarn.dsn=4h
#O Timeout.hoststatus=30m
#O Timeout.resolver.retrans=5s
#O Timeout.resolver.retrans.first=5s
#O Timeout.resolver.retrans.normal=5s
#O Timeout.resolver.retry=4
#O Timeout.resolver.retry.first=4
#O Timeout.resolver.retry.normal=4
#O Timeout.lhlo=2m
O Timeout.auth=2m
O Timeout.starttls=2m



milter timeouts:
Xspamassassin, S=local:/var/run/spamass/spamass.sock, F=, T=S:4m;R:4m;E:10m
Xclamav, S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m



Bjørn




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Wed, 14 Oct 2009 11:21:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sebastian Wiesinger <sebastian@karotte.org>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Wed, 14 Oct 2009 11:21:11 GMT) Full text and rfc822 format available.

Message #62 received at 527862@bugs.debian.org (full text, mbox):

From: Sebastian Wiesinger <sebastian@karotte.org>
To: Debian Bug Tracking System <527862@bugs.debian.org>
Subject: libmilter1.0.1: dkim-milter and milter-greylist segfault in libmilter
Date: Wed, 14 Oct 2009 12:26:34 +0200
Package: libmilter1.0.1
Version: 8.14.3-5
Followup-For: Bug #527862


Hello,

I think I experienced the same bug tonight with two milters:

Oct 14 06:19:00 alita kernel: [4642846.303984] dkim-filter[29729]: segfault at 130 ip 00007f25820dc900 sp 000000041c080f0 error 4 in libmilter.so.1.0.1[7f25820d1000+f000]
Oct 14 06:19:00 alita kernel: [4642846.304074] milter-greylist[3548]: segfault at 130 ip 00007fa74cb17900 sp 00000000416810f0 error 4 in libmilter.so.1.0.1[7fa74cb0c000+f000]

I installed the -dbg Version of libmilter1.0.1 but I don't think it's
used by default?

# lsof -n -p 27735 | fgrep milter
dkim-filt 27735 dkim-filter  mem    REG                9,1   63440   6685052 /usr/lib/libmilter.so.1.0.1

Is there anything I should/could do to help your patch into the
repository?

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30.5 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libmilter1.0.1 depends on:
ii  libc6                         2.7-18     GNU C Library: Shared libraries

libmilter1.0.1 recommends no packages.

libmilter1.0.1 suggests no packages.

Versions of packages sensible-mda depends on:
ii  libc6                         2.7-18     GNU C Library: Shared libraries
ii  procmail                      3.22-16    Versatile e-mail processor
ii  sendmail-bin [mail-transport- 8.14.3-5   powerful, efficient, and scalable 

Versions of packages rmail depends on:
ii  libc6                         2.7-18     GNU C Library: Shared libraries
ii  libldap-2.4-2                 2.4.11-1   OpenLDAP libraries
ii  sendmail-bin [mail-transport- 8.14.3-5   powerful, efficient, and scalable 

Versions of packages libmilter0 depends on:
ii  libc6                         2.7-18     GNU C Library: Shared libraries

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Tue, 20 Oct 2009 12:12:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jose-Marcio.Martins@mines-paristech.fr:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Tue, 20 Oct 2009 12:12:06 GMT) Full text and rfc822 format available.

Message #67 received at 527862@bugs.debian.org (full text, mbox):

From: Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
To: Sebastian Wiesinger <sebastian@karotte.org>, 527862@bugs.debian.org
Subject: Re: Bug#527862: libmilter1.0.1: dkim-milter and milter-greylist segfault in libmilter
Date: Tue, 20 Oct 2009 13:34:43 +0200
Hello,

Sebastian Wiesinger wrote:
> Package: libmilter1.0.1
> Version: 8.14.3-5
> Followup-For: Bug #527862

There's a bug in Lenny libmilter 1.0.1.

You shall :

* Apply the patch appearing in the bug web page
* get and install the patched libmilter at :
http://www.j-chkmail.org/download/libmilter/libmilter-workers-8.14.3-1.tgz

JM


-- 
 ---------------------------------------------------------------
 Jose Marcio MARTINS DA CRUZ           http://j-chkmail.ensmp.fr
 Ecole des Mines de Paris
 60, bd Saint Michel                      75272 - PARIS CEDEX 06
 mailto:Jose-Marcio.Martins@mines-paristech.fr




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Tue, 20 Oct 2009 15:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sebastian Wiesinger <sebastian@karotte.org>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Tue, 20 Oct 2009 15:15:03 GMT) Full text and rfc822 format available.

Message #72 received at 527862@bugs.debian.org (full text, mbox):

From: Sebastian Wiesinger <sebastian@karotte.org>
To: Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>
Cc: 527862@bugs.debian.org
Subject: Re: Bug#527862: libmilter1.0.1: dkim-milter and milter-greylist segfault in libmilter
Date: Tue, 20 Oct 2009 17:06:51 +0200
* Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr> [2009-10-20 13:40]:
>
> Hello,
>
> Sebastian Wiesinger wrote:
>> Package: libmilter1.0.1
>> Version: 8.14.3-5
>> Followup-For: Bug #527862
>
> There's a bug in Lenny libmilter 1.0.1.
>
> You shall :
>
> * Apply the patch appearing in the bug web page
> * get and install the patched libmilter at :
> http://www.j-chkmail.org/download/libmilter/libmilter-workers-8.14.3-1.tgz

I applied the patch to the Debian Lenny sendmail version. After that I
get the following errors:

Oct 20 17:03:58 alita sm-mta[25848]: n9KF3kwv025848: Milter (greylist): timeout before data read, where=helo
Oct 20 17:03:58 alita sm-mta[25848]: n9KF3kwv025848: Milter (greylist): to error state
Oct 20 17:03:58 alita sm-mta[25847]: n9KF3kmF025847: Milter (greylist): timeout before data read, where=helo
Oct 20 17:03:58 alita sm-mta[25847]: n9KF3kmF025847: Milter (greylist): to error state
Oct 20 16:53:14 alita sm-mta[5753]: n9KEqqeP005753: Milter (dkim-filter): timeout before data read, where=mail
Oct 20 16:53:14 alita sm-mta[5753]: n9KEqqeP005753: Milter (dkim-filter): to error state

Rebuilding the milters didn't help.

Any ideas?

Regards,

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Tue, 05 Jan 2010 12:03:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Patrik Schindler <poc@pocnet.net>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Tue, 05 Jan 2010 12:03:14 GMT) Full text and rfc822 format available.

Message #77 received at 527862@bugs.debian.org (full text, mbox):

From: Patrik Schindler <poc@pocnet.net>
To: 527862@bugs.debian.org
Subject: More segfault
Date: Tue, 5 Jan 2010 12:54:52 +0100
I'm using Debian Lenny with a self-compiled vanilla sendmail 8.14.3  
(not the lenny-package) with stock libmilter from lenny-sendmail and  
lenny's spamass-milter. In the last three months, spamass-milter  
segfaulted only twice:

Jan  5 12:02:43 leela kernel: [1415670.277945] spamass-milter[2854]: segfault at a0 ip b7f469d0 sp b74a3350 error 4 in libmilter.so.1.0.1[b7f3c000+d000]

I can't see anything related in mail.log, "only" a few connections  
without doing anything a few minutes ago.

How can I track this occasional fault down further with the -dbg
addon of the milter-lib? Didn't find this in the discussion-thread.

Thanks!

:wq! PoC






Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Tue, 05 Jan 2010 17:27:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Richard A Nelson <cowboy@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Tue, 05 Jan 2010 17:27:02 GMT) Full text and rfc822 format available.

Message #82 received at 527862@bugs.debian.org (full text, mbox):

From: Richard A Nelson <cowboy@debian.org>
To: Patrik Schindler <poc@pocnet.net>, 527862@bugs.debian.org
Cc: debian-bugs-dist@lists.debian.org
Subject: Re: Bug#527862: More segfault
Date: Tue, 5 Jan 2010 09:17:34 -0800 (PST)
On Tue, 5 Jan 2010, Patrik Schindler wrote:

> I'm using Debian Lenny with a self-compiled vanilla sendmail 8.14.3 (not the 
> lenny-package) with stock libmilter from lenny-sendmail and lenny's 
> spamass-milter.

I wouldn't mix self-compiled sendmail with a packaged libmilter - that
seems to be asking for issues if they aren't compiled with matching
options.

>In the last three months, spamass-milter segfaulted only twice:
>
> Jan  5 12:02:43 leela kernel: [1415670.277945] spamass-milter[2854]: segfault 
> at a0 ip b7f469d0 sp b74a3350 error 4 in libmilter.so.1.0.1[b7f3c000+d000]
>
> I can't see anything related in mail.log, "only" a few connections without 
> doing anything a few minutes ago.

I've seen a few segfaults in various apps after libc upgrades - the list
of things that need to be restarted on upgrades should probably be
converted into triggers (such that the effort/knowledge moves from glibc
postinst to the individual packages).

> How can I track this occasional fault down further with the -dbg addon of 
> the milter-lib? Didn't find this in the discussion-thread.

Not an easy task :(  If you can find any similarities in the logs at the
times of failure, it might be possible to re-create the issue whilst
having a debugger attached.

It is also possible that the newly minted 8.14.4 (not yet in the
archives) will fix this issue - some memory leaks were plugged, and
there was at least one fault issue (DNS related, iirc).

> Thanks!

Sorry this likely isn't much help :(

-- 
Rick Nelson
"Linux poses a real challenge for those with a taste for late-night
hacking (and/or conversations with God)."
(By Matt Welsh)




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Thu, 04 Mar 2010 13:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marcus Schopen <marcus@localguru.de>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Thu, 04 Mar 2010 13:21:03 GMT) Full text and rfc822 format available.

Message #87 received at 527862@bugs.debian.org (full text, mbox):

From: Marcus Schopen <marcus@localguru.de>
To: 527862@bugs.debian.org
Cc: Jose-Marcio.Martins@mines-paristech.fr
Subject: segfault at a0 ip b7f5e9d0 sp b75a4360 error 4 in libmilter.so.1.0.1
Date: Thu, 04 Mar 2010 14:11:43 +0100
Hi Richard,

I got a segfault on lenny on a mailserver with very low load most of the
time:

Mar  3 23:49:44 dexter kernel: [424651.465798] mimedefang[2857]: segfault at a0 ip b7f5e9d0 sp b75a4360 error 4 in libmilter.so.1.0.1[b7f54000+d000]

ii  libc6 	                      2.7-18lenny2
ii  libmilter1.0.1                    8.14.3-5+lenny
ii  mimedefang                        2.64-6
ii  sendmail                          8.14.3-5+lenny1
ii  sendmail-base                     8.14.3-5+lenny1
ii  sendmail-bin                      8.14.3-5+lenny1
ii  sendmail-cf                       8.14.3-5+lenny1

Will Jose's patch come into the package?

Ciao,
Marcus

-- 
"If good things lasted forever, would we appreciate how precious they
are?" -Hobbes
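Rick's suggestion above, to look for similarities in the logs, can be applied to the kernel lines quoted in this bug without a debugger. Each line gives the faulting instruction pointer and the base of the libmilter mapping, so ip minus base is the offset of the crashing instruction inside libmilter.so.1.0.1, independent of where the library happened to be loaded on each box. The following is example code written for this page (not from the thread and not part of libmilter): the sample lines are copied from the reports above, re-joined where the mail wrapped them, and the values it checks are what that arithmetic gives for them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct segv {
	unsigned long fault_addr;  /* "segfault at X": the address that was dereferenced */
	unsigned long ip;          /* faulting instruction pointer */
	unsigned long base;        /* start of the library mapping, from "lib[base+size]" */
	unsigned long off;         /* ip - base: same on every box if it is the same instruction */
	int error;                 /* x86 page-fault code; 4 = user-mode read of an unmapped page */
};

/* Parse one kernel "segfault at ... in lib[base+size]" line.
 * Returns 1 on success, 0 if the line is not such a report. */
static int
parse_segv(const char *line, struct segv *out)
{
	const char *p;
	char *end;

	if ((p = strstr(line, "segfault at ")) == NULL) return 0;
	out->fault_addr = strtoul(p + strlen("segfault at "), &end, 16);
	if ((p = strstr(end, " ip ")) == NULL) return 0;
	out->ip = strtoul(p + 4, &end, 16);
	if ((p = strstr(end, " error ")) == NULL) return 0;
	out->error = (int) strtol(p + 7, &end, 10);
	if ((p = strstr(end, " in ")) == NULL) return 0;
	if ((p = strchr(p, '[')) == NULL) return 0;  /* first '[' after " in ", not the uptime bracket */
	out->base = strtoul(p + 1, &end, 16);
	if (*end != '+' || out->ip < out->base) return 0;
	out->off = out->ip - out->base;
	return 1;
}

int
is_segv_line(const char *line)
{
	struct segv s;
	return parse_segv(line, &s);
}

/* Offset shared by every line, or 0 if a line fails to parse or they differ. */
static unsigned long
common_offset(const char *const *lines, size_t n)
{
	struct segv s;
	unsigned long off = 0;
	size_t i;

	for (i = 0; i < n; i++)
	{
		if (!parse_segv(lines[i], &s)) return 0;
		if (i == 0) off = s.off;
		else if (s.off != off) return 0;
	}
	return off;
}

/* Kernel lines copied from the reports in this bug, re-joined where the mail
 * wrapped them. */
static const char *const AMD64_LINES[] = {
	"Jul 13 04:59:53 canardo kernel: [9021793.803024] spamass-milter[22767]: segfault at 130 ip 7f94da384900 sp 429190e0 error 4 in libmilter.so.1.0.1[7f94da379000+f000]",
	"Jul 13 05:00:33 canardo kernel: [9021863.827618] clamav-milter[22887]: segfault at 130 ip 7f7aaa945900 sp 4234b0f0 error 4 in libmilter.so.1.0.1[7f7aaa93a000+f000]",
	"Jul 13 05:55:57 huey kernel: [4728098.560126] spamass-milter[20935]: segfault at 130 ip 7fa1b92d1900 sp 4178a0e0 error 4 in libmilter.so.1.0.1[7fa1b92c6000+f000]",
	"Oct 14 06:19:00 alita kernel: [4642846.303984] dkim-filter[29729]: segfault at 130 ip 00007f25820dc900 sp 000000041c080f0 error 4 in libmilter.so.1.0.1[7f25820d1000+f000]",
	"Oct 14 06:19:00 alita kernel: [4642846.304074] milter-greylist[3548]: segfault at 130 ip 00007fa74cb17900 sp 00000000416810f0 error 4 in libmilter.so.1.0.1[7fa74cb0c000+f000]",
};
static const char *const I386_LINES[] = {
	"Jan  5 12:02:43 leela kernel: [1415670.277945] spamass-milter[2854]: segfault at a0 ip b7f469d0 sp b74a3350 error 4 in libmilter.so.1.0.1[b7f3c000+d000]",
	"Mar  3 23:49:44 dexter kernel: [424651.465798] mimedefang[2857]: segfault at a0 ip b7f5e9d0 sp b75a4360 error 4 in libmilter.so.1.0.1[b7f54000+d000]",
};

#define NLINES(a) (sizeof(a) / sizeof((a)[0]))

unsigned long amd64_common_offset(void) { return common_offset(AMD64_LINES, NLINES(AMD64_LINES)); }
unsigned long i386_common_offset(void)  { return common_offset(I386_LINES, NLINES(I386_LINES)); }

/* Fault address and error code of the first amd64 line, for the sanity check. */
unsigned long amd64_fault_addr(void) { struct segv s; return parse_segv(AMD64_LINES[0], &s) ? s.fault_addr : 1; }
int amd64_error_code(void) { struct segv s; return parse_segv(AMD64_LINES[0], &s) ? s.error : -1; }

int main(void)
{
	printf("amd64 reports: libmilter+0x%lx, i386 reports: libmilter+0x%lx\n",
	       amd64_common_offset(), i386_common_offset());
	return 0;
}
```

Every amd64 report lands at offset 0xb900 and both i386 reports at 0xa9d0, each with the same fault address (0x130 and 0xa0) and the same error code 4 (a user-mode read of an unmapped page). Different milters, different hosts, one instruction: that is strong evidence for a single bug in one place, and a fault address that small is consistent with reading a struct member through a null pointer. With libmilter1.0.1-dbg installed, `addr2line -f -e <debug copy of libmilter.so.1.0.1> 0xb900` (locate the file with `dpkg -L libmilter1.0.1-dbg`; the exact path is not given in the thread) names the function and line, which is the piece of information the reporters were missing.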





Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Thu, 22 Jul 2010 17:57:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Miguel A. Novo" <mnovo@isis.es>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Thu, 22 Jul 2010 17:57:06 GMT) Full text and rfc822 format available.

Message #92 received at 527862@bugs.debian.org (full text, mbox):

From: "Miguel A. Novo" <mnovo@isis.es>
To: 527862@bugs.debian.org
Subject: Random segfault
Date: Thu, 22 Jul 2010 19:42:23 +0200
[Message part 1 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, debian-release@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Sat, 18 Sep 2010 20:54:16 GMT) Full text and rfc822 format available.

Acknowledgement sent to Harald Jenny <harald@a-little-linux-box.at>:
Extra info received and forwarded to list. Copy sent to debian-release@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>. (Sat, 18 Sep 2010 20:54:16 GMT) Full text and rfc822 format available.

Message #97 received at 527862@bugs.debian.org (full text, mbox):

From: Harald Jenny <harald@a-little-linux-box.at>
To: Debian Bug Tracking System <527862@bugs.debian.org>
Subject: libmilter1.0.1: amavisd-milter also affected by libmilter segfault
Date: Sat, 18 Sep 2010 22:50:35 +0200
Package: libmilter1.0.1
Version: 8.14.3-9.2
Severity: grave


As this bug renders almost every milter-dependent software at least impaired
(if not unusable) the severity of this bug should be considered grave (making
the package unfit for release). If the maintainer is not able or willing to
solve the problem (presumably by packaging the new upstream version) I would
opt for an NMU.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.35-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash

Versions of packages libmilter1.0.1 depends on:
ii  libc6                         2.11.2-5   Embedded GNU C Library: Shared lib

libmilter1.0.1 recommends no packages.

libmilter1.0.1 suggests no packages.




Reply sent to Richard A Nelson (Rick) <cowboy@debian.org>:
You have taken responsibility. (Mon, 01 Nov 2010 23:33:13 GMT) Full text and rfc822 format available.

Notification sent to Javier Kohan <jktmp01@gmail.com>:
Bug acknowledged by developer. (Mon, 01 Nov 2010 23:33:13 GMT) Full text and rfc822 format available.

Message #102 received at 527862-close@bugs.debian.org (full text, mbox):

From: Richard A Nelson (Rick) <cowboy@debian.org>
To: 527862-close@bugs.debian.org
Subject: Bug#527862: fixed in sendmail 8.14.4-1
Date: Mon, 01 Nov 2010 23:32:28 +0000
Source: sendmail
Source-Version: 8.14.4-1

We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive:

libmilter-dev_8.14.4-1_amd64.deb
  to main/s/sendmail/libmilter-dev_8.14.4-1_amd64.deb
libmilter1.0.1-dbg_8.14.4-1_amd64.deb
  to main/s/sendmail/libmilter1.0.1-dbg_8.14.4-1_amd64.deb
libmilter1.0.1_8.14.4-1_amd64.deb
  to main/s/sendmail/libmilter1.0.1_8.14.4-1_amd64.deb
rmail_8.14.4-1_amd64.deb
  to main/s/sendmail/rmail_8.14.4-1_amd64.deb
sendmail-base_8.14.4-1_all.deb
  to main/s/sendmail/sendmail-base_8.14.4-1_all.deb
sendmail-bin_8.14.4-1_amd64.deb
  to main/s/sendmail/sendmail-bin_8.14.4-1_amd64.deb
sendmail-cf_8.14.4-1_all.deb
  to main/s/sendmail/sendmail-cf_8.14.4-1_all.deb
sendmail-doc_8.14.4-1_all.deb
  to main/s/sendmail/sendmail-doc_8.14.4-1_all.deb
sendmail_8.14.4-1.diff.gz
  to main/s/sendmail/sendmail_8.14.4-1.diff.gz
sendmail_8.14.4-1.dsc
  to main/s/sendmail/sendmail_8.14.4-1.dsc
sendmail_8.14.4-1_all.deb
  to main/s/sendmail/sendmail_8.14.4-1_all.deb
sendmail_8.14.4.orig.tar.gz
  to main/s/sendmail/sendmail_8.14.4.orig.tar.gz
sensible-mda_8.14.4-1_amd64.deb
  to main/s/sendmail/sensible-mda_8.14.4-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 527862@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Richard A Nelson (Rick) <cowboy@debian.org> (supplier of updated sendmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 11 Sep 2010 17:53:00 -0000
Source: sendmail
Binary: sendmail-bin rmail sensible-mda libmilter1.0.1 libmilter1.0.1-dbg libmilter-dev sendmail-doc sendmail sendmail-base sendmail-cf
Architecture: source all amd64
Version: 8.14.4-1
Distribution: unstable
Urgency: high
Maintainer: Richard A Nelson (Rick) <cowboy@debian.org>
Changed-By: Richard A Nelson (Rick) <cowboy@debian.org>
Description: 
 libmilter-dev - Sendmail Mail Filter API (Milter)
 libmilter1.0.1 - Sendmail Mail Filter API (Milter)
 libmilter1.0.1-dbg - Sendmail Mail Filter API (Milter)
 rmail      - MTA->UUCP remote mail handler
 sendmail   - powerful, efficient, and scalable Mail Transport Agent
 sendmail-base - powerful, efficient, and scalable Mail Transport Agent
 sendmail-bin - powerful, efficient, and scalable Mail Transport Agent
 sendmail-cf - powerful, efficient, and scalable Mail Transport Agent
 sendmail-doc - powerful, efficient, and scalable Mail Transport Agent
 sensible-mda - Mail Delivery Agent wrapper
Closes: 510679 513298 527862 542739 553135 583108 589810 597779
Changes: 
 sendmail (8.14.4-1) unstable; urgency=high
 .
   * Long past due
 .
   * Re-enable libdb-dev, db4.8 working again
 .
   * New upstream
     + Null checking in certificate CN (CVE-2009-4565)
     + Queue identifier int overflow
     + Handle malformed DNS replies
     + milter segfault/DoS fixes
 .
   * Acknowledge NMUs - thanks !
     + rmail conflicts with masqmail
     + move dhcp hooks from /etc/dhcp3 to /etc/dhcp
     + CVE-2009-4565
 .
   * Correct issues with NMUs
     + Differing buildinfo.gz (all the same file) Closes: #597779
 .
   * Outstanding bugs:
     + Milter segfaults/Remote DoS?    Closes: #527862
     + invoke.rc conditional           Closes: #553135
     + We already harden               Closes: #542739
     + Queue aging                     Closes: #583108
     + mail.local use of lockf         Closes: #513298
     + init.d use of ps                Closes: #510679
     + remove access on purge          Closes: #589810
Checksums-Sha1: 
 72b66cfc7751c584fc25624a44ee56d16219ecf6 1483 sendmail_8.14.4-1.dsc
 401096475f2e89f68ca5edc1456eb13269f950ad 2072180 sendmail_8.14.4.orig.tar.gz
 162048537facebca6336e7f9bdba421aea35bd38 501535 sendmail_8.14.4-1.diff.gz
 cd2b97f035aa6c9c22b7ed394259a1dde3ea993a 842142 sendmail-doc_8.14.4-1_all.deb
 8e44ac0e0bb2504818660d7ece8b5fffe8912f74 211126 sendmail_8.14.4-1_all.deb
 4236659f2f6775591a5a7da84e22b5940b164fdd 363566 sendmail-base_8.14.4-1_all.deb
 d2a9b71b05fa0b195905307f05cec404b2e84b47 300032 sendmail-cf_8.14.4-1_all.deb
 5e57bc4baaa535c712aad7c2c41eb9027d4caac6 982296 sendmail-bin_8.14.4-1_amd64.deb
 57a0e16604409e1c84abfac255208025b1f1688c 248928 rmail_8.14.4-1_amd64.deb
 77920182eccd4c73bb89d66f53ea237c1828aaf5 217100 sensible-mda_8.14.4-1_amd64.deb
 41363948ff5acddbd1777cfec245b87974676aaf 240034 libmilter1.0.1_8.14.4-1_amd64.deb
 be1d87f53bbde5f0d393cfd2e38949ea2f767e9a 256832 libmilter1.0.1-dbg_8.14.4-1_amd64.deb
 8fff7077e31436c06f90a9509dbc8c87d2a986ee 332064 libmilter-dev_8.14.4-1_amd64.deb
Checksums-Sha256: 
 9bfe3990e1e732c0fac74027e144f30b3115581e8427d5e7de55e162f94105a8 1483 sendmail_8.14.4-1.dsc
 40246cd35e99c40f22f4e88d328ff0084ef925257f2b0708a62ee6588725c7a3 2072180 sendmail_8.14.4.orig.tar.gz
 9c287b1081dbc005f52c0bcd7738d912aa30457da6c5ffc89e9c34820527b141 501535 sendmail_8.14.4-1.diff.gz
 c3c570f33872b39b3072125ace562865453a50924b56fae7419f839bcae0ed8b 842142 sendmail-doc_8.14.4-1_all.deb
 4e9867250f37068e4e7c3f21b224cc687a1836d3acc764acca399d78ce8a5469 211126 sendmail_8.14.4-1_all.deb
 0c13a31b094b608fc7301a3a2243127aac0881c1bc7f35c285d6b264518b469e 363566 sendmail-base_8.14.4-1_all.deb
 d555a263b095ced7d463c5b3f94e8e639e42989500f7cf409d610f74db3cf968 300032 sendmail-cf_8.14.4-1_all.deb
 b0faadccf20b4e26d9ed43be5f72dab660568e595025329d7678f157240f0a92 982296 sendmail-bin_8.14.4-1_amd64.deb
 e54a1936ace1f970a863f057224add27d9cad416df03fc354ac80ec82fbbb69c 248928 rmail_8.14.4-1_amd64.deb
 350afddfdaaa05f046ef3121ef366d0ee5ae877bc0a457a048645246dd403f94 217100 sensible-mda_8.14.4-1_amd64.deb
 067d9d2f6858a952a97ead29e99da4c9faae501a3c02582baca694b9067df18a 240034 libmilter1.0.1_8.14.4-1_amd64.deb
 977d0f2fd7d3fdaf947253ad907451bc17a94b9108cd339b08ce292c558db852 256832 libmilter1.0.1-dbg_8.14.4-1_amd64.deb
 4c068e89c86f4affe6e83d693423731334152c829cd0f8952f14abaf4d049ea4 332064 libmilter-dev_8.14.4-1_amd64.deb
Files: 
 d142cc7777e52de06398530aaf2b36ea 1483 mail extra sendmail_8.14.4-1.dsc
 55701f352bb8285e4de14ad6f3d48e35 2072180 mail extra sendmail_8.14.4.orig.tar.gz
 a70712b3fac4deb231f31d0acf0c39b3 501535 mail extra sendmail_8.14.4-1.diff.gz
 3dbf311dcbba36e687e565cd1233521d 842142 doc extra sendmail-doc_8.14.4-1_all.deb
 a24ad0987d36425e5a0f165588b99cc1 211126 mail extra sendmail_8.14.4-1_all.deb
 d296c83855ca90dce3ea2d1240dc267e 363566 mail extra sendmail-base_8.14.4-1_all.deb
 83f671b260408a795a2efc3343012f82 300032 mail extra sendmail-cf_8.14.4-1_all.deb
 7a12d34c9ab61bf90cf767323e3d476b 982296 mail extra sendmail-bin_8.14.4-1_amd64.deb
 19795ca980591df412bef501d753718e 248928 mail extra rmail_8.14.4-1_amd64.deb
 f7c52f39046ad023240cdc5556df65eb 217100 mail extra sensible-mda_8.14.4-1_amd64.deb
 6b9c5eb34f38a1c2c9a27d29d7ec2ec1 240034 libs extra libmilter1.0.1_8.14.4-1_amd64.deb
 84d5940660fb2b92579cae9e3ce04057 256832 libs extra libmilter1.0.1-dbg_8.14.4-1_amd64.deb
 5e66b7bd084f1f962864bd99642c722a 332064 libdevel extra libmilter-dev_8.14.4-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAky6ATMACgkQAVQn46S0dnbT5wCcCdxtFPW7x/4xG1UQlVJXsS++
Gb4Anjdmtd9pByLwF4iisillWq+cmQ2O
=z8gV
-----END PGP SIGNATURE-----





Changed Bug submitter to 'Harald Jenny <harald@a-little-linux-box.at>' from 'Javier Kohan <jktmp01@gmail.com>' Request was from Harald Jenny <harald@a-little-linux-box.at> to control@bugs.debian.org. (Wed, 24 Nov 2010 21:57:08 GMT) Full text and rfc822 format available.

Bug No longer marked as fixed in versions sendmail/8.14.4-1 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 Nov 2010 21:57:09 GMT) Full text and rfc822 format available.

Severity set to 'grave' from 'important' Request was from Harald Jenny <harald@a-little-linux-box.at> to control@bugs.debian.org. (Wed, 24 Nov 2010 21:57:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#527862; Package libmilter1.0.1. (Sat, 11 Dec 2010 12:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Don Armstrong <don@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Sat, 11 Dec 2010 12:15:03 GMT) Full text and rfc822 format available.

Message #113 received at 527862@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@debian.org>
To: Harald Jenny <harald@a-little-linux-box.at>
Cc: 527862@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: RC bug #527862: libmilter1.0.1: segfault in libmilter - using milter-greylist and mimedefang - both dies
Date: Sat, 11 Dec 2010 04:10:42 -0800
fixed 527862 8.14.4-1
severity 527862 important
close 527862
thanks

On Sat, 11 Dec 2010, Harald Jenny wrote:
> first my apologies for this mass mailing but as the problem described in the
> subject affects a dozen programs (at least according to their Depends field)
> I thought it would be beneficial to allow everybody to participate in this
> "conversation". The issue at hand is that a bug in the current version of
> libmilter which is available in Debian Squeeze (8.14.3-9.4) leads to segfaults
> of the affected programs when hit by milter requests. Affected packages are:

You've reopened the bug, which is an indication that the underlying
problem wasn't fixed at all. However, the patch has been applied, and
the issue fixed in unstable, and only an unblock or a t-p-u upload is
required to fix the issue. I have rectified this for you. You may want
to read up on BTS versioning if this is unfamiliar to you.

Secondly, this issue is not grave, as it doesn't make the package in
question useless or mostly so, nor does it expose user accounts. I
have returned its severity to important; the release team and/or Richard
can of course make the issue RC.

Furthermore, it's not necessary to e-mail anyone else but the package
maintainer, the bug, and possibly debian-release if the package
maintainer doesn't respond.


Don Armstrong

-- 
Our days are precious, but we gladly see them going
If in their place we find a thing more precious growing
A rare, exotic plant, our gardener's heart delighting
A child whom we are teaching, a booklet we are writing
 -- Frederick Rükert _Wisdom of the Brahmans_ 
 [Hermann Hesse _Glass Bead Game_]

http://www.donarmstrong.com              http://rzlab.ucr.edu
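The back-and-forth above hinges on version arithmetic: the bug is present in 8.14.3-5, 8.14.3-9.2 and the squeeze 8.14.3-9.4, and fixed in 8.14.4-1, so "is my host affected?" is the question "does the installed version sort below 8.14.4-1 under Debian version ordering?". That ordering is neither string nor float comparison (8.14.3-9.4 sorts above 8.14.3-5+lenny1 and above 8.14.3-10 would not, and a "~" suffix sorts before everything, even the empty string). The block below is an added example, not part of this bug log or of the sendmail package: a Python port of the comparison dpkg implements, applied to constructed `dpkg -l` lines modelled on the ones quoted in the thread. The package-to-fixed-version table and the sample output are assumptions for illustration; on a real Debian host the authoritative check is `dpkg --compare-versions "$installed" lt 8.14.4-1`.

```python
"""Decide whether installed Debian packages predate a fixed version.

Added example for bug #527862; not code from the Debian BTS or from sendmail.
compare_versions() follows the dpkg algorithm (epoch, then upstream, then
revision, with '~' sorting before anything and digit runs compared numerically).
"""

# Constructed sample of `dpkg -l` output, modelled on the lines quoted in the
# thread (the version numbers are the ones discussed there).
SAMPLE_DPKG_L = """\
ii  libmilter1.0.1                    8.14.3-9.2
ii  sendmail-bin                      8.14.3-5+lenny1
ii  sendmail-cf                       8.14.3-5+lenny1
ii  libmilter-dev                     8.14.4-1
"""

# Assumed mapping "binary package -> first fixed version" (from the close
# message above; which binaries one cares about is the reader's choice).
FIXED_IN = {
    "libmilter1.0.1": "8.14.4-1",
    "libmilter-dev": "8.14.4-1",
    "sendmail-bin": "8.14.4-1",
    "sendmail-cf": "8.14.4-1",
}


def _order(c: str) -> int:
    """Sort weight of one character, as dpkg's order(): end-of-string and
    digits are 0, letters sort by code point, '~' sorts before everything,
    any other character sorts after all letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings; <0, 0 or >0."""
    i = j = 0

    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until one side hits a digit
        # (or both sides are exhausted).
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, then the
        # first differing digit decides.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 sorts before, equal to or after v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for c in (_verrevcmp(u1, u2), _verrevcmp(r1, r2)):
        if c:
            return -1 if c < 0 else 1
    return 0


def affected_packages(dpkg_l_output: str, fixed_in: dict) -> list:
    """Parse `dpkg -l` lines and flag installed packages below their fix.

    Returns (package, installed_version, is_affected) for each installed
    package named in fixed_in, in input order.
    """
    result = []
    for line in dpkg_l_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("ii", "hi"):
            continue  # header lines, not-installed states, etc.
        name = parts[1].split(":", 1)[0]  # drop a multiarch ':amd64' suffix
        version = parts[2]
        if name in fixed_in:
            result.append((name, version, compare_versions(version, fixed_in[name]) < 0))
    return result


if __name__ == "__main__":
    for name, version, affected in affected_packages(SAMPLE_DPKG_L, FIXED_IN):
        print(f"{name:<20} {version:<18} {'AFFECTED' if affected else 'ok'}")
```

The digit-run rule is what makes 8.14.3-9.2 sort below 8.14.3-10 and 8.14.3-9.4 above 8.14.3-5+lenny1; the "~" rule is what keeps a hypothetical 8.14.4~rc1-1 below 8.14.4-1, so a pre-release of the fixed upstream would still be reported as affected. Beyond the versions on this page, the function handles epochs, which a packaged downgrade or a third-party repository can introduce.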




Bug Marked as fixed in versions sendmail/8.14.4-1. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sat, 11 Dec 2010 12:15:07 GMT) Full text and rfc822 format available.

Severity set to 'important' from 'grave' Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sat, 11 Dec 2010 12:15:07 GMT) Full text and rfc822 format available.

Bug closed, send any further explanations to Harald Jenny <harald@a-little-linux-box.at> Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sat, 11 Dec 2010 12:15:08 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 09:29:58 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:21:12 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.