nanog mailing list archives
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Thu, 23 Mar 2006 21:08:54 -0500
On Thu, 23 Mar 2006 03:41:52 -0600 (CST), Gadi Evron <ge () linuxbox org> wrote:
> It took Sendmail a month to fix this. A month. A month! With such Vendor Responsibility, perhaps it is indeed a Good Thing to go Full Disclosure. It seems like history is repeating itself and Full Disclosure is once again not only a choice, but necessary to make vendors become responsible.
Given the scope of the changes you describe -- you wrote "Sendmail.com's patch is so big they may as well have re-released the whole program." -- I can't get upset at taking a month to fix it. You're dealing with asynchronous events, which are really hard to start with. I suspect that they spent some time deciding how to fix it -- you don't appear thrilled with their choice, but I don't know what other options they considered -- and then actually tested the new code. Given how many of our security problems are due to buggy and inadequately-tested code, I suspect that taking a month was actually being quite responsible.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb