--On Friday, December 06, 2002 1:27 AM +0100 Simon Josefsson <[EMAIL PROTECTED]> wrote:

> Any comment on why it took over a month to react to this reported
> vulnerability?
Hi Simon,

You'll note that it has taken me almost a month to respond to your message. This is mostly because I get very distracted very easily.

When the initial bug report came in, it was evaluated as fairly low vulnerability (all it contained was the fact that you could overwrite a malloc'd buffer), since the only obvious overflows would cause the entire process to crash. Sadly, I didn't think of process reuse---nor did I fully understand the GNU malloc implementation that makes this an exploitable overflow on certain architectures.

Timo wrote back approximately 2 weeks later that he could demonstrate an exploit on Debian Linux. We had a new version about a week later after a small amount of back and forth with Timo about what a good solution might be.

> A comment explaining why it took so long and what happened in the
> meantime would be useful in extrapolating how future vulnerabilities
> will be handled.  If this has already been discussed somewhere, I am
> sorry for duplicating the discussion and would appreciate a pointer.
I suspect that future exploits will be handled similarly. We have to make an initial guess on how important any information sent to cyrus-bugs is, since there's no one here who is solely devoted to Cyrus maintenance. I guess our (mostly my) initial triaging was off on this.

Note that the Sieve vulnerabilities were reported significantly later and were therefore fixed with, what I'd call, all due speed.

I hope this helps.

Larry
