Serafino Sorrenti <ml@ssorrenti.com> writes: > http://www.guninski.com/qmailcrash.html > > > Georgi Guninski security advisory #65, 2004 > > Lame crash in qmail-smtpd and memory overwrite according to gdb, yet > still qmail much better than windows > > Systems affected: > qmail 1.03 on linux, don't know about other OSes. > > > Risk: Unknown. maybe so, maybe no. > Date: 15 January 2004 We've had extensive discussion about this on the qmail list, and it seems quite likely that this is not an exploitable bug. The bug is a signed integer wrapping from positive to negative and being used as an array subscript. Immediately after it wraps, qmail-smtpd references a memory address which is way out-of-bounds and triggers SIGSEGV. There doesn't appear to be a way to cause a different subscript to be used which would allow any real memory locations to be overwritten. The apparent memory overwrite seems to be an artifact of a gdb bug, and not a memory overwrite at all. Only some people (not including me) have been able to reproduce it, and nobody's been able to make qmail actually execute anything fishy. It sounds quite similar to the gdb bug reported in Debian bug 154154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=154154 There are a number of very simple unofficial patches available. The fix is included with a few others in a patch by James Craig Burley, which I've personally tested. It's available at: http://www.jcb-sc.com/qmail/patches/qmail-isoc.patch More information and discussion are available in the recent qmail list archives: http://www.ornl.gov/lists/mailing-lists/qmail/2004/01/maillist.html ------ScottG.
