> Date: Sat, 16 Mar 2002 09:05:55 -1000
> From: Clifton Royston <[EMAIL PROTECTED]>
>
> On Sat, Mar 16, 2002 at 08:30:50AM -0500, Alan Brown wrote:
> > I haven't seen this reported here
>
> I've corresponded briefly with the author and tried to reproduce it.
>
> I can't see the problem as described on any of my BSD/OS systems, e.g.
> when pasting a string of 2560 'a's at the initial prompt ('user'
> command input state.) qpopper reports a -ERR error message and, yes,
> fails to exit promptly as it should, but unlike the problem description
> it takes 0.0% CPU and terminates normally when the socket connection is
> broken by disconnecting.
>
> I think it must be an OS-dependent problem, though there clearly is a
> bug there in its not cutting off the client promptly after the error.
Dustin said that he had only tested on RedHat 7.2 ...
> -- Clifton
>
> > ---------- Forwarded message ----------
> > Date: 15 Mar 2002 01:51:10 -0000
> > From: Dustin Childers <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Bug in QPopper (All Versions?)
> >
> >
> > Description:
> > When sending a string that has 2048+ characters in it, the
> > in.qpopper or popper process will begin to use massive
> > amounts of CPU and will not stop until it is manually killed.
> >
> > Versions Affected:
> > I tested this on 4.0.1 and 4.0.3.
> > 4.0.2 is probably vulnerable also.
> > Older versions may also be vulnerable. I haven't tested those.
> >
> > This works locally and remotely.
> >
> > Patch Information:
> > I attempted to patch this but I was not successful. I found
> > that the most reasonable place for this would be the msg_buf
> > in popper/main.c or msg_buf in password/poppassd.c.
> >
> > Dustin E. Childers
> > Security Administrator
> > http://www.digitux.net/
>
> --
> Clifton Royston -- LavaNet Systems Architect -- [EMAIL PROTECTED]
> WWJD? "JWRTFM!" - Scott Dorsey (kludge) "JWG" - Eddie Aikau
---------------------------------------------------------------------
Gregory Hicks | Principal Systems Engineer
Cadence Design Systems | Direct: 408.576.3609
555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3479
San Jose, CA 95134 | Internet: [EMAIL PROTECTED]
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
"The trouble with doing anything right the first time is that nobody
appreciates how difficult it was."
When a team of dedicated individuals makes a commitment to act as
one... the sky's the limit.