Russell Nelson wrote:
>
> Markus Wuebben writes:
> > Is this known?
> > A complete description of the problem can be found
> > at http://www.inter7.com/vpopmail/exploit.html
>
> Yes, it's known. The patch is still given using strlen(), though,
> which drags in the C library and makes qmail-pop3d gratuitously
> bigger.
The proposed patch was not used to fix the exploit. A regular
bounds-based read was used. However, good point about the strlen
usage in the package. All the str functions have been removed
from the 3.4.12 development version. I'm not sure how using
string functions in the authentication program would affect
the size of qmail-pop3d.
Ken Jones
www.inter7.com