Bugtraq mailing list archives
Re: EMERGENCY: new remote root exploit in UW imapd
From: adam () HOMEPORT ORG (Adam Shostack)
Date: Thu, 23 Jul 1998 12:29:13 -0400
In conjunction with a client who performed regular code reviews, we attempted to look at the qmail source. (.89 or .91 or so). After I wrote up architectural and data flow documentation and diagrams, we found that we spent most of our time trying to follow some cleverly convoluted C. We were rarely sure when the code segments we were looking at were considered security critical. We were often unsure what the code we were looking at did, or was intended to do. Thus, instead of finding security bugs, we found an understanding of the code, which, unfortunately, is not releasable.

Reviewing code for security is hard. Someone else pointed out that innd's controller had a problem, and it was designed to be small and easy to review. The firewall-toolkit had a bug in its encryption code under the comment 'Am too tired to think of a better way' that went unfound for four years.

I use qmail, but look forward to alternatives with commented code being available. I'll be a lot more comfortable when I don't have to reverse engineer the spec, review the spec, and then ensure the code matches.

Adam

Kragen wrote:
| On Wed, 22 Jul 1998, IBS / Andre Oppermann wrote:
| > Kragen wrote:
| > > qmail uses no standard C library functions, other than syscalls, if I
| > > remember correctly.
| >
| > That is true, but he hasn't documented it very well, in fact you have
| > to look through and follow the function to see what it really does.
|
| The first version of qmail I looked at had no documentation for the
| stralloc stuff, so I wrote some
| (<URL:http://www.pobox.com/~kragen/stralloc.html>) and published it.
| More recent versions appear to have a man page for the stralloc
| functions, obsoleting my web page.
|
| Kragen
|

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume