procmail (in)security
Todd Underwood
todd-bogofilter at osogrande.com
Fri Mar 7 19:29:00 CET 2003
herman, all,
On Fri, 7 Mar 2003, Herman Oosthuysen wrote:
> Hmm, procmail has been around for a very long time. I don't think there
> is much reason to worry about it. Speaking of the last 3 years, it has
> never crashed or lost my mail.
from cve.mitre.org:
CVE-1999-0439 Buffer overflow in procmail before version 3.12 allows
remote or local attackers to execute commands via expansions in the
procmailrc configuration file.
CVE-1999-0475 A race condition in how procmail handles .procmailrc files
allows a local user to read arbitrary files available to the user who is
running procmail.
CVE-2001-0905 Race condition in signal handling of procmail 3.20 and
earlier, when running setuid, allows local users to cause a denial of
service or gain root privileges by sending a signal while a signal
handling routine is already running.
at least CVE-2001-0905 is a serious security problem and it's within the
last three years.
look, different people have different security thresholds. some people
are ok with "mostly good enough most of the time". that's procmail. some
people (and i'm one of them) like the fact that a mail server we installed
in 1998 has run uninterrupted since then with no code base changes and no
security holes. it gives us time to post to mailing lists like this.
basically, if you think running sendmail and bind makes sense, you should
have no problems with procmail. if that's not good enough for you, chances
are that procmail isn't either.
to each her own.
t.
--
todd underwood, sr. vp & cto
oso grande technologies, inc.
todd at osogrande.com
"The people never give up their liberties but under some delusion."
--Edmund Burke, Speech at County Meeting of Bucks, 1784.
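As an added example (not part of the original mail or of procmail itself), the following POSIX shell functions turn the three CVE entries quoted above into a local check a defender can run: one maps a procmail version string onto the version ranges the entries state, and the other reports whether a given binary is installed setuid, since CVE-2001-0905 is stated to apply only when procmail runs setuid. CVE-1999-0475 gives no version range in the quoted text, so it is deliberately not version-checked. The `procmail -v` output format and the `/usr/bin/procmail` path in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail: flag a procmail version against
# the version ranges quoted from cve.mitre.org, and test for a setuid install.

# procmail_cves VERSION
#   Prints the space-separated CVE ids whose quoted version range covers
#   VERSION (e.g. "3.15"); prints an empty line if none of them apply.
procmail_cves() {
    ver="$1"
    major="${ver%%.*}"          # text before the first dot
    rest="${ver#*.}"            # text after the first dot
    minor="${rest%%.*}"         # drop any third component (3.22.1 -> 22)
    found=""

    # CVE-1999-0439: buffer overflow in procmail before version 3.12
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 12 ]; }; then
        found="CVE-1999-0439"
    fi
    # CVE-2001-0905: signal-handling race in 3.20 and earlier, when setuid
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -le 20 ]; }; then
        found="${found:+$found }CVE-2001-0905"
    fi
    printf '%s\n' "$found"
}

# procmail_setuid PATH
#   Returns 0 if PATH carries the setuid bit, 1 otherwise. A procmail that is
#   not setuid does not expose the root-escalation path of CVE-2001-0905.
procmail_setuid() {
    [ -u "$1" ]
}

# Usage on a live system (output format and path are assumptions):
#   ver=$(procmail -v 2>&1 | awk 'NR==1 {print $2}')   # e.g. "v3.22" -> 3.22
#   procmail_cves "${ver#v}"
#   procmail_setuid /usr/bin/procmail && echo "procmail is installed setuid"
```

The version check only knows the two ranges the quoted entries spell out; a version newer than 3.20 that prints nothing here is not thereby free of later issues, it is simply outside what this mail lists.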