lists.openwall.net
Open Source and information security mailing list archives
 
Message-ID: <89fd8b1e05020818165388ce6e@mail.google.com>
Date: Tue, 8 Feb 2005 18:16:18 -0800
From: Heather Adkins <hadkins@...gle.com>
To: bugtraq@...urityfocus.com
Subject: Re: GMail / Google Groups ESMTP software b0f


> There is a very strong indication for this being a buffer overflow in a
> non-forking daemon, rather than a preemptive IDS strike. The threshold for
> the number of characters prompting an overflow; the delayed effect of an
> overflow; the fact it is affected only by the last EHLO; and the global
> unavailability of the service - all are a clear indication of a classic
> b0f related crash.

The actual nature of this flaw was a bug that resulted in memory
exhaustion.  What you uncovered was a DoS that didn't actually affect
the security of the system, only the availability.  We'd like to
stress that this didn't affect our users as the resulting behavior
merely delays email.  Since we fixed the bug quickly, this didn't
happen.

> I notified Google today. It is my understanding that they do not routinely
> communicate with researchers or the community on security problems in
> their code, so I am not coordinating a response in any way. The problem
> may or may not be fixed by now.

We do read external communications sent to us and are greatly
appreciative of any and all reports we receive.  As for communicating
with others I would hope that recent press articles would alleviate
the misconception that we do not work with others.  We even post to
our company blog (http://www.google.com/googleblog/) about various
incidents as necessary.  So I am sadly disappointed that you were
under the impression we wouldn't take action on your report.

Just so that everyone knows, we have an official external email address 
for reports of this kind: security@...gle.com

> PS. If that trivial flaw is representative of the quality of server-side
> code beyond some of Google services, I would worry - but take this opinion
> with a grain of salt.

Gmail is a Beta product and we are still working out the kinks!

-Heather


-- 
Heather Adkins <hadkins@...gle.com>
Google Security Team

