LinuxQuestions.org - Qmail vulnerability posted

This will probably be posted in the weekly security wrap any way, but since it's a very common MTA I thought I'd give a heads-up. The information comes from the SANS Institute.

Quote:

***********************************************************

(2) LOW: qmail Long SMTP Session Handling Vulnerability
Affected: qmail version 1.03 running on Linux

Description: qmail is the second most popular SMTP server (next to the
sendmail) used on the Internet. qmail reportedly contains a
vulnerability in its handling of long SMTP sessions. The flaw may be
exploited to overwrite qmail process memory with user-supplied data. By
manipulating the user-supplied data, it is possible to crash the active
SMTP session and it may be possible to execute arbitrary code.
Researchers investigating the problem currently believe the flaw is not
exploitable for code execution purposes however. A proof-of-concept
program that causes the memory overwrite has been publicly posted.

Status: Vendor has been notified. No updates are available.

Council Site Actions: The affected software is in use (on internal
networks) at only two of the reporting council sites. These sites plan
to deploy the patches once they are available. One site plans to do a
more extensive assessment of their qmail deployment if evidence surfaces
that indicates that the problem can be remotely exploited.

References:
Posting by Georgi Guninski (discovered the flaw)
http://archives.neohapsis.com/archiv...4-01/0452.html
http://www.guninski.com/qmailcrash.html
Posting by Gregory Steuck
http://archives.neohapsis.com/archiv...4-01/0730.html
Secunia Advisory
http://www.secunia.com/advisories/10649
qmail Homepage
http://www.qmail.org
SecurityFocus BID
http://www.securityfocus.com/bid/9432