On Mon, Mar 18, 2002 at 12:20:00AM +0100, Michael Zimmermann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> At Sunday, 17 March 2002 23:20 Clifton Royston wrote:
> > While there is definitely a bug, and an embarrassing one at that, I
> > believe the DOS effect is OS-dependent, and have commented on this to
> > the initial reporter, Dustin Childers. I'd be tempted to think the bug
> > is dependent on the Linux kernel, except that he lists it as
> > reproducible in Solaris 7 and FreeBSD 4.4. Apparently however he's not
> > listing systems where it can not be reproduced?
>
> Hi Clifton,
>
> There is a difference between not being able to reproduce an error
> and claiming its non-existence.
>
> > I have been unable to reproduce the problem on BSD/OS 4.0.1 or 4.1, the
> > systems where I'm already running qpopper - [...]
>
> I'm sorry, I don't have access to a BSD system
> to verify or deny that conclusion of yours.
> But there's no harm in patching the error, hmmm?

Potentially there is a *very* substantial risk of harm in patching with untrusted code. I don't think this patch is malicious or harmful, and after looking at it, I don't *think* its error creates a further exploitable vulnerability, though I could be wrong. But I'm now fairly sure it's not correct, and I am sure one could write a very similar and plausible looking little patch of a few lines that would open up a full-scale buffer-overrun root exploit vulnerability.

> Patch is on http://www.digitux.net/qpopper.patch
>
> My POP server is secured regarding this error
> - - I can sleep.
>
> Good night

Pleasant dreams... ;-)

  -- Clifton

--
Clifton Royston -- LavaNet Systems Architect -- [EMAIL PROTECTED]
WWJD? "JWRTFM!" - Scott Dorsey (kludge) "JWG" - Eddie Aikau
