procmail (in)security

Todd Underwood todd-bogofilter at osogrande.com
Mon Mar 10 04:00:14 CET 2003


folx,  

i promise this will be brief and i'll stop after this...

On Mon, 10 Mar 2003, Matthias Andree wrote:

> Todd, what is the problem with Dan's adding a line "you must use
> softlimit or similar tools to enforce memory limits"?

there's no problem.  it doesn't make it a security bug not to mention it, 
either. 

> > this one is actually an interesting condition.  race with super 
> > high-volume mail delivery and super high-volume mail checking (it requires 
> > a PID recycle or two), but it is theoretically possible.
> 
> At higher rate with operating systems that randomize PIDs from a narrow
> PID space, say OpenBSD.

yes.

> Yay, that infamous defamation file. The flaw has been fixed 1998-12-24,
> the design was fixed one day later -- Dan's rant is outdated since then,
> and when asked why he doesn't fix the document for fairness and mention
> the bug is fixed, he says that's because Venema hasn't
> apologized. Calumny/Defamation and Coercion/"Blackmail".

we can debate the history of this kind of thing ad nauseam and we will 
probably disagree (having both "lived through it" so we already have 
well-formed perspectives), but here's an important point:

venema has had serious *design* bugs in his software.  bernstein has not.  
both have had situations of sub-optimal functioning under particular 
operating systems or particular circumstances.  both have had sub-optimal 
documentation.  based on the history, i trust qmail significantly more.  
you can refer to me as an "old DJB disciple" if you want (somehow i think 
that you think that this is derogatory; hmmmm), but that is my 
perspective.


> > in any case, all of this is still off-topic. (i thought procmail security 
> > was on-topic since people were talking about how they use it and i was 
> > asking about how to get around needing it, but which MTA is better is 
> > definitely straying, don't you think?).
> 
> It's no more off-topic than MDA issues are. The old DJB disciple game
> (Charles Cazabon has mastered this): call others trolls when you're
> running out of arguments.

i disagree.  i think it's off-topic for the bogofilter list.  i'll stop 
talking about it now (although i'm happy to continue a private discussion 
with you, matthias).

> If you want to discuss my document, please reply in private mail.

t.

-- 

todd underwood, sr. vp & cto
oso grande technologies, inc.
todd at osogrande.com

"The people never give up their liberties but under some delusion."
    --Edmund Burke, Speech at County Meeting of Bucks, 1784.
