| Summary: | mail-mta/qmail Multiple remote integer overfowsl | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Paskowitz (RETIRED) <r2d2> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | normal | CC: | osx, qmail-bugs+disabled |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html | ||
| Whiteboard: | C1? jaervosz | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Robert Paskowitz (RETIRED)
2005-05-06 12:28:32 UTC
net-mail please advise. mail-mta/qmail belongs to qmail-bugs herd. the first one for sure has come up before and it's retarded ... see Bug 38304 Well the Athlon64 8400+ bit was also making me a bit suspicious to start out with. They're starting to discuss it on the qmail mailing list. I'll watch what's going on. Micheal any news on this one? The discussion on it is here: http://www.gossamer-threads.com/lists/qmail/users/124346 In short, you can DOS a machine with this (and trigger the OOM killer), but ONLY if it has more than 4gb of RAM, and you are running qmail with ulimits above 4gb. Our shipped defaults are 64mb for qmail-smtpd, and 8mb for everything else. Nobody should be running with limits over 512mb even. You'd need a much beefier machine to do the attack in the first place. I'm going to close it as WONTFIX, as it seems the only fix would be to totally re-write qmail, and we are not vulnerable because of our ulimits. We just have to pay attention to the fact that it seems that ulimits don't work on Mac OS X. If qmail is ever going to (~)ppc-macos, they'll have to work on that. |
