Hi folks,

I think this topic is a bit off-list, but it is still worth reading the article published by SecurityFocus about an "academic vulnerability" in qmail. According to the author of the article, Dan Bernstein refused to pay the cash prize offered under the "qmail security guarantee", arguing that nobody would give gigabytes of memory to a single qmail-smtpd process and that therefore this could not be considered a vulnerability. Even so, in the opinion of many, the code written by Bernstein is still considered almost perfect.

I would never say that qmail is perfect, but I can guarantee that it is very efficient, and with a few small tweaks it becomes even more efficient.

From the article: A Role Model for Security. Almost.

Qmail isn't perfect

Georgi Guninski recently published a vulnerability in qmail (albeit not a practical one), which can be exploited on specific configurations of some 64-bit systems. That's right. Even qmail has bugs. This shouldn't be a surprise to anybody.


If you're familiar with qmail, you'll undoubtedly be aware of the qmail security guarantee, which offers a monetary reward to the first person to publish a "verifiable security hole in the latest version of qmail". Bernstein has publicly denied this reward to Guninski, with the statement that "Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail's assumption that allocated array lengths fit comfortably into 32 bits." This basically means that Bernstein doesn't consider this to be a security vulnerability.


Ultimately, when I look at the history of vulnerabilities in an application, issues like this one make me feel warm and fuzzy inside. When a talented vulnerability researcher such as Guninski publishes this issue, there's a good chance that he paid close attention to the rest of the code. If this is all that he was able to find, then let's patch it and take one more step towards perfection.

More at http://www.securityfocus.com/columnists/331
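The quoted dispute turns on the assumption that allocated array lengths fit in 32 bits. As an added illustration (not qmail's code and not from the column), the block below shows the arithmetic that makes such an assumption fragile on 64-bit systems, beside a constructed growable buffer that uses size_t lengths, checks the addition for overflow, and enforces an assumed per-buffer cap BUF_MAX so one client cannot grow a buffer without bound:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Returns 1 if appending n bytes to a buffer whose length is tracked in
 * a 32-bit unsigned field would make len + n wrap. A capacity check
 * written as (len + n <= allocated) then passes with a too-small
 * allocation, which is the failure class the column describes. Pure
 * arithmetic: nothing is allocated here. */
int len32_wraps(unsigned int len, unsigned int n) {
    return n > UINT_MAX - len;
}

/* Hardened growable buffer: size_t length fields, an explicit overflow
 * check before the addition, and a policy cap (assumed value). */
struct buf { char *s; size_t len; size_t a; };
#define BUF_MAX ((size_t)64 * 1024 * 1024)   /* assumed per-buffer cap */

/* Ensure room for n more bytes; returns 1 on success, 0 on refusal. */
int buf_readyplus(struct buf *b, size_t n) {
    if (n > SIZE_MAX - b->len) return 0;        /* len + n would overflow */
    size_t need = b->len + n;
    if (need > BUF_MAX) return 0;               /* exceeds policy cap */
    if (need <= b->a) return 1;                 /* already enough room */
    size_t a = need + (need >> 3) + 30;         /* geometric growth */
    if (a > BUF_MAX) a = BUF_MAX;
    char *p = realloc(b->s, a);
    if (!p) return 0;
    b->s = p;
    b->a = a;
    return 1;
}

/* Append n bytes from p; the buffer is left unchanged on refusal. */
int buf_append(struct buf *b, const char *p, size_t n) {
    if (!buf_readyplus(b, n)) return 0;
    memcpy(b->s + b->len, p, n);
    b->len += n;
    return 1;
}
```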


FreeBSD mailing list
