Bugtraq mailing list archives

Re: EMERGENCY: new remote root exploit in UW imapd


From: adam () HOMEPORT ORG (Adam Shostack)
Date: Thu, 23 Jul 1998 12:29:13 -0400


        In conjunction with a client who performed regular code
reviews, we attempted to look at the qmail source.  (.89 or .91 or
so).  After I wrote up architectural and data flow documentation and
diagrams, we found that we spent most of our time trying to follow
some cleverly convoluted C.

        We were rarely sure when the code segments we were looking at
were considered security critical.  We were often unsure what the code
we were looking at did, or was intended to do.  Thus, instead of
finding security bugs, we found an understanding of the code, which,
unfortunately, is not releasable.

        Reviewing code for security is hard.  Someone else pointed out
that innd's controller had a problem, and it was designed to be small
and easy to review.  The firewall-toolkit had a bug in its encryption
code under the comment 'Am too tired to think of a better way' that
went unfound for four years.

        I use qmail, but look forward to alternatives with commented
code being available.  I'll be a lot more comfortable when I don't
have to reverse engineer the spec, review the spec, and then ensure
the code matches.

Adam


Kragen wrote:
| On Wed, 22 Jul 1998, IBS / Andre Oppermann wrote:
| > Kragen wrote:
| > > qmail uses no standard C library functions, other than syscalls, if I
| > > remember correctly.
| >
| > That is true, but he hasn't documented it very well, in fact you have
| > to look through and follow the function to see what it really does.
|
| The first version of qmail I looked at had no documentation for the
| stralloc stuff, so I wrote some
| (<URL:http://www.pobox.com/~kragen/stralloc.html>) and published it.
| More recent versions appear to have a man page for the stralloc
| functions, obsoleting my web page.
|
| Kragen
|


--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
