"Of course, ``security hole in qmail'' does not include problems outside of qmail: for example, NFS security problems, TCP/IP security problems, DNS security problems, bugs in scripts run from .forward files, and operating system bugs generally. It's silly to blame a problem on qmail if the system was already vulnerable before qmail was installed!"
But, I think he can take great satisfaction in thinking of a potential hole that even djb didn't consider. That's pretty impressive (though less impressive since everybody was sitting around trying to think of places where a shell might be invoked in non-obvious ways... I spent half an hour talking to my co-founder and employee during our regular meeting trying to think of ways our users could be affected outside of the already discussed ways, and we spent quite a bit of time testing various theories; one of the vectors we discussed was procmail being called by Postfix).
Edit: And, just in case anyone was wondering, Wietse seems to have considered the environment variable problem, and took measures to prevent exploits in Postfix, so it does not seem to be exploitable by Shellshock, even when calling out to procmail.
In fact, it's explicitly listed in the man page for qmail-command:
    ENVIRONMENT VARIABLES
         qmail-local supplies several useful environment variables to
         command. WARNING: These environment variables are not
         quoted. They may contain special characters. They are
         under the control of a possibly malicious remote user.
edit: which is to say, yes, djb thought of it a long time ago.
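Added example, not part of the thread and not code from qmail: a sketch of how a script run from a .qmail file can act on the man page warning quoted above by treating SENDER and EXT strictly as data. The function names, the allowlist and the spool layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from qmail): functions for a script
# run by qmail-local, which has set SENDER and EXT from remote-supplied data.

# is_safe_token VALUE: accept only a conservative allowlist of characters.
# Rejects the empty string, a leading '-' (would parse as an option) and a
# leading '.' (hidden files, ".."). '/' and whitespace are not in the list.
is_safe_token() {
    case $1 in
        '' | -* | .*) return 1 ;;
        *[!A-Za-z0-9@._+=-]*) return 1 ;;
    esac
    return 0
}

# spool_path BASE: print the file a message should be appended to, derived
# from $EXT. A rejected value falls back to "default" instead of being used.
spool_path() {
    base=$1
    if is_safe_token "${EXT-}"; then
        printf '%s/%s\n' "$base" "$EXT"
    else
        printf '%s/default\n' "$base"
    fi
}

# log_record: one log line. A rejected sender is replaced by a marker and
# never written raw, so embedded newlines cannot forge extra log entries.
log_record() {
    if is_safe_token "${SENDER-}"; then
        printf 'sender=%s\n' "$SENDER"
    else
        printf 'sender=<rejected>\n'
    fi
}

# deliver BASE: append the message on stdin to the chosen spool file.
# Every expansion is double-quoted; nothing goes through eval or sh -c.
deliver() {
    target=$(spool_path "$1") || return 1
    log_record >>"$1/delivery.log"
    cat >>"$target"
}
```

This covers what the script does with the values. It does not change how the shell itself parses its environment at startup, which is the part Shellshock concerned.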