Re: remote root qmail-pop with vpopmail advisory and exploit with patch (fwd)

[kbo () INTER7 COM (iv0)]

I recommend upgrading to the latest version of vpopmail which fixes
the exploit. Pick up the current stable version:

http://www.inter7.com/vpopmail/

vchkpw - which authenticates a user with information from qmail-pop
up was storing the information in a staticly defined buffer. There
was no buffer over run checking done. Current stable version now
checks for buffer overruns in several places. A security
audit of the code is being done. Which it sorely needs.

Ken Jones
http://www.inter7.com/

Adam McKenna wrote:
> In that case, what would you recommend?
>
> --Adam
>
> On Sun, Jan 23, 2000 at 10:53:31PM -0500, Russell Nelson wrote:
> >  > 5. Recommendation
> >  >
> >  > Impose the 40 character limitation specified by RFC1939 into qmail.
> >  > Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch
> >
> > I don't recommend applying that patch.  Every line of it is wrong.  It
> > makes qmail-popup less secure, by inserting a call to syslog(), which
> > is a security disaster. It also sucks in the string library, which
> > includes the well-known security hole sprintf().
> >
> > --
> > -russ nelson <sig () russnelson com>  http://russnelson.com
> > Crynwr sells support for free software  | PGPok | "Ask not what your country
> > 521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
> > Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.