Note: This is an archival copy of Security Sun Alert 200720 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000570.1.
Article ID : 1000570.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2004-05-31
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Buffer Overflow in sendmail(1M) Ruleset Parsing May Result in Unauthorized Privileges


Release Phase

Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id

Date of Resolved Release


There is a potential buffer overflow in sendmail(1M) involving the parsing of rulesets which affects sendmail(1M) versions earlier than 8.12.10. This could result in a local or remote unprivileged user gaining unauthorized root privileges.

Note: This issue does not affect the default configuration of sendmail(1M).

This issue is referenced in CERT Vulnerability Note VU#108964 which can be seen at and CAN-2003-0681 at

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 7 without patch 107684-11
  • Solaris 8 without patch 110615-11
  • Solaris 9 without sendmail(1M) upgrade 8.12.10 (as delivered in patch 113575-05)

x86 Platform

  • Solaris 7 without patch 107685-11
  • Solaris 8 without patch 110616-11
  • Solaris 9 without sendmail(1M) upgrade 8.12.10 (as delivered in patch 114137-04)

Note: Only systems using the following non-standard rulesets are at risk: recipient (2), final (4), or mailer-specific envelope recipients rulesets.

To determine which version of sendmail(1M) is running on a system, run the following command:

    $ /usr/bin/mconnect
    connecting to host localhost (, port 25
    connection open
    220 ESMTP Sendmail 8.9.3+Sun/8.9.3; Tue, 6 Apr 2004 14:46:17 +0100 (BST)
    214-This is Sendmail version 8.9.3+Sun
    214-    HELO    EHLO    MAIL    RCPT    DATA
    214-    RSET    NOOP    QUIT    HELP    VRFY
    214-    EXPN    VERB    ETRN    DSN
    214-For more info use "HELP <topic>".
    214-To report bugs in the implementation contact Sun Microsystems
    214-Technical Support.
    214-For local information send email to Postmaster at your site.
    214 End of HELP info
    221 closing connection

To determine whether a system is configured with the vulnerable rulesets, view the "/etc/mail/" file and the "*.mc" configuration files. The latter are normally located in "/usr/lib/mail/cf/" on Solaris, but this may vary depending on how sendmail(1M) has been set up on a system.

The following indicates that sendmail(1M) has been configured with these rulesets:

  • Either the "*.mc" file contains:


  • "/etc/mail/" contains a line beginning:
    Srecipient=2 (version 8.10 or later) or S2 (version 8.9 and earlier)
  • "/etc/mail/" or the "*.mc" file contains:
    $>2 or $>recipient
  • "/etc/mail/" or the "*.mc" file contains:
    $>4 or $>final
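
The checks listed above can be scripted. The following is an added example, not part of the original Sun Alert: the function name `scan_rulesets` is hypothetical, the sample files are constructed, and the configuration file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the advisory): flag the ruleset indicators listed
# under "Contributing Factors" in sendmail configuration files.

# scan_rulesets FILE...   (hypothetical helper name)
# Prints "file:line: indicator: text" for each hit.
# Returns 0 if at least one indicator was found, 1 if none.
scan_rulesets() {
    awk '
        function report(what) {
            printf "%s:%d: %s: %s\n", FILENAME, FNR, what, $0
            hits++
        }
        # Skip commented-out lines: "dnl" in *.mc files, "#" in the cf file.
        /^dnl[ \t]/ || /^dnl$/ || /^#/ { next }
        # Ruleset definition: Srecipient=2 (8.10 or later) or S2 (8.9 and earlier).
        /^Srecipient=2/ || /^S2$/ || /^S2[^0-9]/ { report("recipient ruleset defined") }
        # Ruleset calls; the digit guard keeps $>20, $>40 etc. from matching.
        /\$>recipient/ || /\$>2$/ || /\$>2[^0-9]/ { report("calls recipient (2)") }
        /\$>final/ || /\$>4$/ || /\$>4[^0-9]/     { report("calls final (4)") }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$@"
}

# Constructed sample input, not taken from a real system.
sample_dir=$(mktemp -d)
cat > "$sample_dir/risky.mc" <<'EOF'
dnl R$*  $: $>4 $1
Srecipient=2
R$*<@$+>  $: $>final $1
EOF
cat > "$sample_dir/clean.mc" <<'EOF'
dnl Srecipient=2
R$*  $: $>20 $1
EOF

scan_rulesets "$sample_dir/risky.mc" || echo "risky.mc: no indicators found"
scan_rulesets "$sample_dir/clean.mc" || echo "clean.mc: no indicators found"
```

Pass the cf file and each "*.mc" file in use as arguments; a non-zero exit status means none of the listed indicators were found in uncommented lines.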


There are no reliable symptoms that would indicate the described issue has been exploited.


If the system has been configured as detailed in "Contributing Factors", the affected lines in the "*.mc" configuration file may be modified. Comment out the affected lines in this file by inserting "dnl" at the beginning of the affected line. For example:

    dnl <rest of line goes here>

Then generate the new "" file from this revised "*.mc" file and copy this to "/etc/mail/". Please refer to "/usr/lib/mail/README" for additional information on how to use the "*.mc" files.

Once the files have been modified, restart sendmail(1M) with the following commands:

    # /etc/init.d/sendmail stop
    # /etc/init.d/sendmail start

For more detailed information please see the sendmail(1M) man pages or


This issue is addressed in the following releases:

SPARC Platform

  • Solaris 7 with patch 107684-11 or later
  • Solaris 8 with patch 110615-11 or later
  • Solaris 9 with sendmail(1M) upgrade 8.12.10 (as delivered in patch 113575-05 or later)

x86 Platform

  • Solaris 7 with patch 107685-11 or later
  • Solaris 8 with patch 110616-11 or later
  • Solaris 9 with sendmail(1M) upgrade 8.12.10 (as delivered in patch 114137-04 or later)

Modification History


