Joerg Jaspert <jo...@debian.org> writes: > One more thing (I dont think its mentioned already) I got pointed at: > http://www.daemonology.net/papers/bsdcan06.pdf > Page 9 says: > · Bug discovered in qmail: If you can send a >2GB message to qmailsmtpd, > you can execute arbitrary code via an integer overflow. > Response from DJB: "Nobody gives gigabytes of memory to each > qmailsmtpd process". > When DJB wrote qmail (1995), this was probably correct.
I've always been annoyed by this very common summary of this problem (not your fault -- I know you're just quoting). It omits the key point that DJB was making in defense of qmail. If you install qmail following its installation instructions, qmailsmtpd does indeed not get gigabytes of memory *because the installation imposes a resource limit on the memory it can consume*. So indeed, qmail installed as documented is not vulnerable to this problem regardless of the size of physical memory on the system. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
