Description: When sending a string that has 2048+ characters in it, the in.qpopper or popper process will begin to use massive amounts of CPU and will not stop until it is manually killed. Versions Affected: I tested this on 4.0.1 and 4.0.3. 4.0.2 is probably vulnerable also. Older versions may also be vulnerable. I haven't tested those. This works locally and remotely. Patch Information: I attempted to patch this but I was not successful. I found that the most reasonable place for this would be the msg_buf in popper/main.c or msg_buf in password/poppassd.c. Dustin E. Childers Security Administrator http://www.digitux.net/
