On 2022-03-03 09:15:51, Stephen R. van den Berg wrote:
> On Wed, Mar 2, 2022 at 3:30 PM Antoine Beaupré <[email protected]> wrote:
>
>> Do you plan to pass a significant security audit over the procmail code
>> base and fuzz the binary?
>
> A binary fuzz is being planned, but if anyone has a ready setup which I can
> run, it would be much appreciated.
>
> A security audit I did, two years ago. I plan to do one again after the
> fuzz results.
> The critical paths are those until it drops setuid/setgid root status,
> which is reasonably contained.
Thanks, that seems like a good idea. Let us know how the fuzzing turns
out.
[...]
>> With my security researcher hat on, I am confident there are still
>> significant security issues in procmail, even with the fixes committed
>> to the git repository you have pointed out.
>>
>
> Well, from a purely statistical standpoint considering old software in
> general that hasn't been used since, I'd have to agree with you.
> Then again, with the same statistical view specific to procmail and friends
> (which undoubtedly have seen a declining use over the years, then again, it
> has been installed on more systems, so that might have slowed the decline),
> I see the following (from a security standpoint) over a period of 16 years:
[...]
One problem with those statistics is that they ignore the fact that
procmail has been basically declared unmaintained for most of that
time. There is the distinct possibility that there hasn't been much
attention to this program from the security community because it was
thought that no one was still using it, because it was
unmaintained.
Turns out at least one of those affirmations was incorrect, and I guess
we'll see what the next ten years will bring.
[...]
>> So while it's interesting that you are making procmail active again,
>> maybe we could be careful about including it in the next Debian release?
>> Let's see if it can be brought back to shape and deal with the modern
>> threats email servers are currently faced with.
>>
>
> The way procmail was designed from a security/threat standpoint is not
> different from the threats that modern email servers face now. If we
> still fail any fuzz tests, I'd agree with you, but if fuzz tests prove it
> to be robust, I'd say that given the other arguments, it can be declared
> safe and compliant.
I agree with that.
--
He who knows how to enjoy the little he has is always rich enough.
- Démocrite
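The thread identifies the code path up to the point where procmail drops its setuid/setgid root status as the critical one for review. As an added illustration of what an auditor checks on such a path (this is not procmail's code and is not taken from the thread; the uid/gid parameters and function names are assumptions), the following C routine drops privileges permanently, in the correct order, checks every return value, and then verifies the result instead of trusting it. Clearing supplementary groups with setgroups() is left out so the example also runs unprivileged; a real daemon would do that before setgid().

```c
/* Added example: a permanent privilege drop of the kind audited in a
 * setuid/setgid mail delivery agent. Not procmail's code; uid/gid
 * parameters and function names are assumptions for illustration. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the given uid/gid. Returns 0 on success, -1 otherwise.
 * Order matters: the group id must be changed while still privileged,
 * because once setuid() has moved us to an unprivileged user, setgid()
 * to a different group would fail. setuid() (not seteuid()) is used so that
 * the saved set-user-id is changed too and root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%lu): %s\n", (unsigned long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%lu): %s\n", (unsigned long)uid, strerror(errno));
        return -1;
    }
    /* Verify rather than trust: real and effective ids must now all match. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return -1;
    }
    return 0;
}

/* After a correct drop by a formerly-root process, regaining root must fail.
 * Returns 1 if root cannot be regained, 0 if seteuid(0) succeeded (which
 * means the drop was temporary, e.g. only seteuid() was used). A process
 * that was never root also gets 1, since seteuid(0) fails for it as well. */
int privilege_drop_is_irreversible(void)
{
    if (seteuid(0) == 0) {
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Dropping to our own ids is a no-op that still exercises the checks. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0)
        return 1;
    printf("running as uid=%lu gid=%lu, root regainable=%s\n",
           (unsigned long)uid, (unsigned long)gid,
           privilege_drop_is_irreversible() ? "no" : "yes");
    return 0;
}
```

The two properties an audit of this path wants to see are exactly the ones the code checks explicitly: the calls are made in an order that cannot leave a half-dropped state, and the final ids are read back and compared, so a silently failed drop (the classic cause of a setuid binary continuing as root) is detected before any untrusted input is processed.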