Bug#510415: tech-ctte: Qmail inclusion (or not) in Debian

To: 510415@bugs.debian.org
Subject: Bug#510415: tech-ctte: Qmail inclusion (or not) in Debian
From: Russ Allbery <rra@debian.org>
Date: Sun, 11 Jan 2009 15:39:01 -0800
Message-id: <[🔎] 87tz851kh6.fsf@windlord.stanford.edu>
Mail-followup-to: debian-ctte@lists.debian.org
Reply-to: Russ Allbery <rra@debian.org>, 510415@bugs.debian.org
In-reply-to: <[🔎] 87wsd11m54.fsf@vorlon.ganneff.de> (Joerg Jaspert's message of "Mon\, 12 Jan 2009 00\:03\:03 +0100")
References: <[🔎] 87y6xvx9db.fsf@vorlon.ganneff.de> <[🔎] 20090109235223.GD23677@dario.dodds.net> <[🔎] 873afqkt09.fsf@inara.kivimaa.fi> <[🔎] 874p05o53n.fsf@mid.deneb.enyo.de> <[🔎] 87wsd11m54.fsf@vorlon.ganneff.de>

Joerg Jaspert <joerg@debian.org> writes:

> One more thing (I dont think its mentioned already) I got pointed at:
> http://www.daemonology.net/papers/bsdcan06.pdf
> Page 9 says:
> · Bug discovered in qmail: If you can send a >2GB message to qmailsmtpd,
>   you can execute arbitrary code via an integer overflow.
>     Response from DJB: "Nobody gives gigabytes of memory to each
>      qmailsmtpd process".
>     When DJB wrote qmail (1995), this was probably correct.

I've always been annoyed by this very common summary of this problem (not
your fault -- I know you're just quoting).  It omits the key point that
DJB was making in defense of qmail.  If you install qmail following its
installation instructions, qmailsmtpd does indeed not get gigabytes of
memory *because the installation imposes a resource limit on the memory it
can consume*.  So indeed, qmail installed as documented is not vulnerable
to this problem regardless of the size of physical memory on the system.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Bug#510415: tech-ctte: Qmail inclusion (or not) in Debian
  - From: Joerg Jaspert <joerg@debian.org>
- Bug#510415: tech-ctte: Qmail inclusion (or not) in Debian
  - From: Steve Langasek <vorlon@debian.org>
- Bug#510415: tech-ctte: Qmail inclusion (or not) in Debian
  - From: Kalle Kivimaa <killer@debian.org>
- Re: Bug#510415: tech-ctte: Qmail inclusion (or not) in Debian
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: Bug#510415: tech-ctte: Qmail inclusion (or not) in Debian
  - From: Joerg Jaspert <joerg@debian.org>

Prev by Date: Re: Bug#510415: tech-ctte: Qmail inclusion (or not) in Debian
Next by Date: Re: Confirmation vote for Russ Allbery
Previous by thread: Re: Bug#510415: tech-ctte: Qmail inclusion (or not) in Debian
Next by thread: Re: Technical committee workflow
Index(es):
- Date
- Thread