Quoting Joey Hess <[EMAIL PROTECTED]>:

> Package: qmail-src
> Severity: important
> Tags: security
>
> Apparently qmail has some security bugs on 64 bit systems with large
> amounts (> 4 gb) of memory:
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1515
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1514
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1513
I looked into this a bit more, and there is no real security concern here. It is possible to get qmail to crash from resource exhaustion, but you can do that to just about anything. The "exploit" can only manage to -*potentially*- overwrite a single byte. The chances of using this for arbitrary code execution do not exist.

There is some heated discussion going on in the qmail lists (read as flamewars) regarding this issue. Apparently, the person who reported this likes to pop up every now and then screaming "the sky is falling" with some kind of arbitrary "security advisory" that usually ends up being nothing. He's attacked qmail in a similar fashion before, discovering that on a 64-bit system you can cause qmail-smtpd to segfault by sending a 2GB header.

The whole problem revolves around the idea that on some platforms, an integer is 32-bit, while a memory pointer can be 64-bit. QMail was coded such that integers and pointers are interchangeable, thus leading to the potential benign crashes. In the qmail list, the general consensus seems to be that using ulimits prevents the crash from happening in the first place.

Luckily for me, I am using ulimits in the init.d script for starting qmail. From the init.d script:

--snip--
# prevent denial-of-service attacks, with ulimit
ulimit -v 16384
--snip--

This limits the amount of memory that qmail-smtpd and tcpserver can use to 16MB. This should be enough to stop any DoS attacks, or potential exploit attempts.

I've gone a step further, and included the ISO C patch as well, to add another layer of protection. The only effects from the patch should be to mitigate any exploit not prevented by the ulimits (which can be removed by the sysadmin). The patch is included in -38 which will be uploaded today.

Thanks again for the heads up.

Cheers!
Jon
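As an added illustration (not qmail's code and not part of this thread) of the int/pointer size mismatch Jon describes, the following C narrows a 64-bit byte count to 32 bits beside a size_t-based check with an explicit cap; the cap mirrors the 16384 KiB ulimit from the init.d snippet, and a 64-bit host is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Defective pattern: a byte count that lives in a 64-bit size_t is
 * stored in a 32-bit field. Only the low 32 bits survive, so a count
 * of 4 GiB + 1 comes back as 1. */
uint32_t narrowed_len(size_t total)
{
    return (uint32_t)total;
}

/* Returns 1 if narrowing would change the value, i.e. the count does
 * not fit in 32 bits, 0 otherwise. */
int narrowing_loses_bits(size_t total)
{
    return (size_t)narrowed_len(total) != total;
}

/* Hardened pattern: keep the count in size_t, check the addition for
 * wrap-around, and refuse anything above a hard cap before allocating.
 * Returns 1 and stores the new length in *out on success, 0 otherwise. */
int checked_grow(size_t cur, size_t add, size_t cap, size_t *out)
{
    if (add > SIZE_MAX - cur)   /* cur + add would wrap around */
        return 0;
    if (cur + add > cap)        /* explicit resource limit, like ulimit -v */
        return 0;
    *out = cur + add;
    return 1;
}

int main(void)
{
    /* Assumes 64-bit size_t: 4 GiB + 1 bytes, more than fits in 32 bits */
    size_t big = ((size_t)1 << 32) + 1;
    size_t cap = (size_t)16384 * 1024;  /* 16384 KiB, as in the init.d ulimit */
    size_t out;

    printf("narrowed length: %u (loses bits: %d)\n",
           narrowed_len(big), narrowing_loses_bits(big));
    printf("checked_grow accepts 4 GiB + 1 under a 16 MiB cap: %d\n",
           checked_grow(0, big, cap, &out));
    return 0;
}
```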