Date: Thu, 21 May 2020 12:56:23 +0300 From: Georgi Guninski <gguninski@...il.com> To: oss-security@...ts.openwall.com Subject: Short notes on qmail security guarantee From my blog: https://j.ludost.net/blog/archives/2020/05/21/short_notes_on_qmail_security_guarantee/index.html Short notes on qmail security guarantee Disclaimer: written in hurry, could be wrong. djb offers monetary bounty for verifiable qmail exploit, called "qmail security guarantee" . He hasn't awarded the bounty yet, despite several vulnerabilities found by us in 2005  and in 2020  Qualys discovered that at least one of the vulnerabilities works in default qmail install. Both of these vulnerabilities require more that 4GB memory. djb's main argument is that nobody gives a lot of memory to qmail-smtpd (and as djb might missed to all other qmail- components). We believe that the claim of memory limit is wrong for the following reasons: 1. qmail's install documentation doesn't mention memory limits 2. Qualys claims that their exploit works on the default install of all packages they have seen (and all package maintainers have missed memory limits). 3. djb shouldn't assume that 4-8GB will be enough for the normal functioning of qmail. In theory libc might require more RAM in the future. Currently mobile phones have 32+GB RAM and there is clear trend in grow of RAM. 4. By common sense, distributing software with known vulnerabilities is bad practice. 5. AFAIK djb teaches students about coding and security and he better lead by example of good coding.  https://cr.yp.to/qmail/guarantee.html  http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html  https://www.openwall.com/lists/oss-security/2020/05/19/8
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.