lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 21 May 2020 17:23:27 +0300
From: Georgi Guninski <gguninski@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Short notes on qmail security guarantee

 From my blog:
https://j.ludost.net/blog/archives/2020/05/21/short_notes_on_qmail_security_guarantee/index.html

Short notes on qmail security guarantee

Disclaimer: written in hurry, could be wrong.

djb offers monetary bounty for verifiable qmail exploit,
called "qmail security guarantee" [1].

He hasn't awarded the bounty yet, despite several
vulnerabilities found by us in 2005 [2] and in 2020 [3]
Qualys discovered that at least one of the vulnerabilities
works in default qmail install.

Both of these vulnerabilities require more that 4GB memory.

djb's main argument is that nobody gives a lot of memory
to qmail-smtpd (and as djb might missed to all other
qmail- components).

We believe that the claim of memory limit is wrong for
the following reasons:

1. qmail's install documentation doesn't mention memory limits
2. Qualys claims that their exploit works on the default
install of all packages they have seen (and all package maintainers
have missed memory limits).
3. djb shouldn't assume that 4-8GB will be enough for the
normal functioning of qmail. In theory libc might require
more RAM in the future. Currently mobile phones have
32+GB RAM and there is clear trend in grow of RAM.
4. By common sense, distributing software with known vulnerabilities
is bad practice.
5. AFAIK djb teaches students about coding and security and he
better lead by example of good coding.

[1] https://cr.yp.to/qmail/guarantee.html
[2] http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
[3] https://www.openwall.com/lists/oss-security/2020/05/19/8

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists