Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGUWgD8s3DtM6sG9Pj478H06G_evwPsF49pK5Cig0VUHY_mrQg@mail.gmail.com>
Date: Thu, 21 May 2020 12:56:23 +0300
From: Georgi Guninski <gguninski@...il.com>
To: oss-security@...ts.openwall.com
Subject: Short notes on qmail security guarantee

 From my blog:
https://j.ludost.net/blog/archives/2020/05/21/short_notes_on_qmail_security_guarantee/index.html

Short notes on qmail security guarantee

Disclaimer: written in hurry, could be wrong.

djb offers monetary bounty for verifiable qmail exploit,
called "qmail security guarantee" [1].

He hasn't awarded the bounty yet, despite several
vulnerabilities found by us in 2005 [2] and in 2020 [3]
Qualys discovered that at least one of the vulnerabilities
works in default qmail install.

Both of these vulnerabilities require more that 4GB memory.

djb's main argument is that nobody gives a lot of memory
to qmail-smtpd (and as djb might missed to all other
qmail- components).

We believe that the claim of memory limit is wrong for
the following reasons:

1. qmail's install documentation doesn't mention memory limits
2. Qualys claims that their exploit works on the default
install of all packages they have seen (and all package maintainers
have missed memory limits).
3. djb shouldn't assume that 4-8GB will be enough for the
normal functioning of qmail. In theory libc might require
more RAM in the future. Currently mobile phones have
32+GB RAM and there is clear trend in grow of RAM.
4. By common sense, distributing software with known vulnerabilities
is bad practice.
5. AFAIK djb teaches students about coding and security and he
better lead by example of good coding.

[1] https://cr.yp.to/qmail/guarantee.html
[2] http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
[3] https://www.openwall.com/lists/oss-security/2020/05/19/8

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.