WingNews logo WingNews
top | item 37229459

(no title)

hdmoore | 2 years ago

Erm, qmail had lots of bugs[1], when compiled for 64-bit processors (lots of integer overflows), but djb pushed back and said 64-bit wasn't supported. If anything, qmail is known as the most annoying MTA to package, since no modifications to the source are permitted, and the application has to be built using a massive patch tree instead. The quirky management daemons required to run qmail were also obnoxious and at odds with everything else on the system.

Salient quote below:

>In May 2005, Georgi Guninski published "64 bit qmail fun", three vulnerabilities in qmail (CVE-2005-1513, CVE-2005-1514, CVE-2005-1515):

[snip]

>Surprisingly, we re-discovered these vulnerabilities during a recent qmail audit; they have never been fixed because, as stated by qmail's author Daniel J. Bernstein (in https://cr.yp.to/qmail/guarantee.html):

>>"This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail's assumption that allocated array lengths fit comfortably into 32 bits."

1. https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-...

edit: added quote from referenced url

discuss

order

tokamak-teapot|2 years ago

I used to install qmail fairly often on different Unix-like systems. I remember the installation instructions clearly setting out the limits that should be set on its processes, and I remember following them.

It sounds like the Debian packager didn’t follow the instructions. That doesn’t seem like the fault of the software.

rodgerd|2 years ago

> Erm, qmail had lots of bugs[1], when compiled for 64-bit processors (lots of integer overflows), but djb pushed back and said 64-bit wasn't supported.

qmail is a great demonstration that if you declare enough things out of scope, you can claim that the software is secure.

jiggawatts|2 years ago

Reminds me of the era when dual-core processors started becoming generally available. Suddenly the bugs in multi-threaded software were much more apparent.

Vendors replied to complaints with: “We don’t support those processors”.

No buddy, you don’t support stable software. It’s buggy even on a single core, it’s just less obvious.

stefan_|2 years ago

It's a very interesting phenomenon. There are lots of claims along the lines of "a single CPU is so fast it will exercise all kinds of multi-threading patterns very quickly" but in my experience it indeed takes multiple processors to reliably show up various races and faulty implicit orderings.

jeffbee|2 years ago

> quirky management daemons

setproctitle is enough logging for a mailer, said nobody ever.