I built my QMT a couple of years ago on CentOS 7, and spot checking I see
that softlimits are already applied in the following supervise startup
scripts:

/var/qmail/supervise/smtp/run
/var/qmail/supervise/submission/run
/var/qmail/supervise/smtps/run

Additionally, I have a reasonable value in /var/qmail/control/databytes
(I'm 99% certain that QMT sets a value here by default.)

So, as far as I can tell, the RCE issues are already mitigated in
relatively recent QMT installs.

If I am reading the CVE correctly, all of the RCE vulnerabilities can be
mitigated by having a reasonable value in /var/qmail/control/databytes.

Have you checked your deployed systems?

I need to dig into how qmail-local is being called, so I can figure out
whether it has softlimits yet, but I need to get my kids to school.  :)

-Chris

On Tue, May 26, 2020 at 6:07 AM Quinn Comendant <qu...@strangecode.com>
wrote:

> Hello all,
>
> I just came across this security bulletin that affects qmail:
>
> https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
>
> “TLDR: In 2005, three vulnerabilities were discovered in qmail but were
> never fixed because they were believed to be unexploitable in a default
> installation. We recently re-discovered these vulnerabilities and were
> able to exploit one of them remotely in a default installation.”
>
> If I understand correctly, it can be mitigated by:
>
> - using softlimit to restrict process memory limit, even on qmail-local
> - configuring databytes to limit email message size.
>
> or by applying the patches included in the article linked above.
>
> Is this patch something that should be included in QMT?
>
> How to add soft limit to qmail-local?
>
> Quinn
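A script that checks the two mitigations discussed in this thread (softlimit with a memory flag in the supervise run scripts, and a non-zero value in control/databytes), added here as an example; it is not code from the thread or from QMT. It assumes the standard /var/qmail layout and daemontools' softlimit flags (-m, -d, -a), and accepts an alternate root directory so it can be tried on a constructed tree.

```shell
#!/bin/sh
# Audit helper (added example, not QMT's own code): report whether each
# supervise run script wraps its daemon in softlimit with a memory flag
# and whether control/databytes holds a non-zero message size limit.
# The root directory defaults to /var/qmail (an assumption about layout).

# Returns 0 if the run script at $1 invokes softlimit with -m, -d or -a.
run_has_memlimit() {
    [ -r "$1" ] || return 1
    grep -Eq '(^|[[:space:]/])softlimit[[:space:]].*-(m|d|a)[[:space:]]*[0-9]+' "$1"
}

# Returns 0 if $1/control/databytes holds a positive integer; qmail treats
# a missing file or 0 as "no limit", so both count as a finding.
databytes_ok() {
    f="$1/control/databytes"
    [ -r "$f" ] || return 1
    v=$(head -n 1 "$f" | tr -d '[:space:]')
    case "$v" in
        ''|*[!0-9]*|0) return 1 ;;
    esac
    return 0
}

# Walks the three SMTP-facing services; prints one line per check and
# returns the number of findings (0 means both mitigations are present).
audit_qmail() {
    home="${1:-/var/qmail}"
    bad=0
    for svc in smtp submission smtps; do
        if run_has_memlimit "$home/supervise/$svc/run"; then
            echo "ok:      supervise/$svc/run uses softlimit with a memory limit"
        else
            echo "WARNING: supervise/$svc/run lacks softlimit -m/-d/-a (or is missing)"
            bad=$((bad + 1))
        fi
    done
    if databytes_ok "$home"; then
        echo "ok:      control/databytes limits message size"
    else
        echo "WARNING: control/databytes is missing, non-numeric or 0 (no limit)"
        bad=$((bad + 1))
    fi
    return "$bad"
}
```

Run it as `audit_qmail` on a live box, or `audit_qmail /some/other/root` to point it at a copied tree; it does not cover qmail-local, which the thread notes still needs a separate look.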
