Bug 91726 - mail-mta/qmail Multiple remote integer overflows
Summary: mail-mta/qmail Multiple remote integer overflows
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.guninski.com/where_do_you_...
Whiteboard: C1? jaervosz
Reported: 2005-05-06 12:28 UTC by Robert Paskowitz (RETIRED)
Modified: 2005-05-12 09:45 UTC (History)
Description Robert Paskowitz (RETIRED) gentoo-dev 2005-05-06 12:28:32 UTC
Only affects 64 bit platforms with a load of memory.

Affects 1.0.2 and 1.0.3. 

No fixes yet.

http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
http://securityfocus.com/bid/13528
http://securityfocus.com/bid/13535
http://securityfocus.com/bid/13536
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-06 14:42:09 UTC
net-mail please advise.
Comment 2 Tuan Van (RETIRED) gentoo-dev 2005-05-06 14:47:42 UTC
mail-mta/qmail belongs to qmail-bugs herd.
Comment 3 SpanKY gentoo-dev 2005-05-06 14:53:58 UTC
the first one for sure has come up before and it's retarded ... see Bug 38304
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-06 15:03:47 UTC
Well the Athlon64 8400+ bit was also making me a bit suspicious to start out with.
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-06 15:06:18 UTC
They're starting to discuss it on the qmail mailing list. I'll watch what's going on.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-11 07:27:17 UTC
Michael, any news on this one?
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-05-11 11:03:57 UTC
The discussion on it is here:
http://www.gossamer-threads.com/lists/qmail/users/124346

In short, you can DOS a machine with this (and trigger the OOM killer), but ONLY if it has more than 4gb of RAM, and you are running qmail with ulimits above 4gb. Our shipped defaults are 64mb for qmail-smtpd, and 8mb for everything else. Nobody should be running with limits over 512mb even.

You'd need a much beefier machine to do the attack in the first place.

I'm going to close it as WONTFIX, as it seems the only fix would be to totally re-write qmail, and we are not vulnerable because of our ulimits.
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-12 09:45:41 UTC
We just have to pay attention to the fact that it seems that ulimits don't work on Mac OS X. If qmail is ever going to (~)ppc-macos, they'll have to work on that.
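The mitigation in comment 7 only holds while the running process really has a memory limit below 4gb, so it is worth checking per process rather than trusting the shipped defaults. The following is an added example, not part of the bug thread or of Gentoo's or qmail's code: it rates a process from the text of its Linux `/proc/<pid>/limits` file using the thresholds named in comment 7. Assumptions: the `Max address space` soft limit is treated as the binding cap, the sample text is constructed, and the function names are hypothetical.

```python
import re

MIB = 1024 ** 2
EXPOSED_ABOVE = 4096 * MIB    # comment 7: only reachable with limits above 4gb
RECOMMENDED_MAX = 512 * MIB   # comment 7: nobody should run with more than 512mb
ROW = "Max address space"     # assumption: this row is the cap that matters

# Constructed sample in the Linux /proc/<pid>/limits layout (not from a real host).
# 67108864 bytes is the 64mb qmail-smtpd default mentioned in comment 7.
SAMPLE_CAPPED = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max data size             67108864             67108864             bytes
Max stack size            8388608              unlimited            bytes
Max address space         67108864             67108864             bytes
"""
SAMPLE_UNCAPPED = SAMPLE_CAPPED.replace("67108864", "unlimited")


def address_space_cap(limits_text):
    """Return the soft address-space limit in bytes, or inf if unlimited/missing."""
    for line in limits_text.splitlines():
        # Columns are separated by runs of spaces; row names contain single spaces.
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) >= 3 and cols[0] == ROW:
            return float("inf") if cols[1] == "unlimited" else int(cols[1])
    return float("inf")  # no row found: assume nothing is enforced


def classify(limits_text):
    """'exposed' above 4gb or unlimited, 'high' above 512mb, otherwise 'ok'."""
    cap = address_space_cap(limits_text)
    if cap > EXPOSED_ABOVE:
        return "exposed"
    if cap > RECOMMENDED_MAX:
        return "high"
    return "ok"


if __name__ == "__main__":
    # On a live host the text would come from open(f"/proc/{pid}/limits").read()
    for name, text in (("capped", SAMPLE_CAPPED), ("uncapped", SAMPLE_UNCAPPED)):
        print(name, classify(text))
```

On a platform where limits are not enforced, as comment 8 reports for Mac OS X, a configured value says nothing about exposure, and there is no `/proc/<pid>/limits` to read.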