On Sun, Mar 17, 2002 at 09:18:40PM +0100, Michael Zimmermann wrote:
> As it's now already on the air, you all may want to have a look at
> Dustin Childers' info about the bug (including a patch)
>
> http://www.digitux.net/security/advisories.html?id=34&display=info
>
> My advice is to update NOW. The error gives an all too easy DOS.
>
> Ahem, and of course SuSE is also vulnerable, if qpopper is used.
> I reproduced the error on a SuSE 7.3 with qpopper 4.0.3.
> Don't know about the older versions, but as I see it, the error is a classical
> program-bug and therefore independent of the OS used (but perhaps
> very old qpopper versions may not be affected - check your source).

While there is definitely a bug, and an embarrassing one at that, I
believe the DOS effect is OS-dependent, and have commented on this to
the initial reporter, Dustin Childers. I'd be tempted to think the bug
is dependent on the Linux kernel, except that he lists it as
reproducible in Solaris 7 and FreeBSD 4.4. Apparently however he's not
listing systems where it can not be reproduced?

I have been unable to reproduce the problem on BSD/OS 4.0.1 or 4.1,
the systems where I'm already running qpopper - yes, there's an error,
and the process fails to time out and forcibly close the connection, but
it is taking 0.0% CPU and goes away immediately when the socket to the
client goes away. There's no visible impact on system performance.

It sounds like some of the qpopper developers are still trying to
reproduce the DOS effect on other operating systems.

  -- Clifton

--
Clifton Royston -- LavaNet Systems Architect -- [EMAIL PROTECTED]
WWJD? "JWRTFM!" - Scott Dorsey (kludge) "JWG" - Eddie Aikau
