Fluid Attacks Database

Description

The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special "NOCHAR" control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CVE-2002-1337.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	sendmail	>=0 <8.12.9-1	8.12.9-1
debian 13	sendmail	>=0 <8.12.9-1	8.12.9-1
debian 14	sendmail	>=0 <8.12.9-1	8.12.9-1
debian 12	sendmail	>=0 <8.12.9-1	8.12.9-1

Aliases

1. CVE-2003-01612. NVD-2003-01613. OSV-DEBIAN-2003-01614. OSV-2003-01615. SECURITY-TRACKER-CVE-2003-0161

References

1. https://www.exploit-db.com/exploits/242. https://www.exploit-db.com/exploits/22442

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.