On Wed, Mar 27, 2002 at 05:55:42AM -0800, Jeff Gray wrote:
> Any word from Qualcomm or others about a patch for this bug?
> 
> I would prefer to use an 'official patch' but prefer not to leave this
> hole open if no patch is forthcoming.

  I'm going to go out on a limb here and say what I believe the problem
factors to be in this situation and why it hasn't happened yet; I do
believe it would have been reasonable to have an "official patch" to
Qpopper out by this point, though there are reasons it hasn't happened. 
(Bear in mind that I have no relationship with Qualcomm whatsoever and
I'm not a spokesperson for any of the developers.)

  1) Qpopper seems to be transitioning from a company-supported to a
community-supported piece of software.  However, the website is still
run by Randy Gellens of Qualcomm, he is still the authority on the
software and what goes in, and everyone in the community (certainly
including myself) would rather defer to him for what kind of patch
should be official.

  2) As I understand it, Randy Gellens was travelling at an IETF meeting
at the time of this bug announcement and had limited access to try to
reproduce and analyse the bug.  To complicate matters further, at least
one of the other volunteer developers was travelling too.

  3) In addition I believe Randy was given incomplete or misleading
information about the nature of the bug, due to the vagueness of the
original disclosure.

  4) The routine where the exploitable vulnerability occurred seems
kind of a mess.  I'm pretty sure after looking at it that there is more
than one bug in it.  (Indeed, Randy might have been looking at a
different bug than I was trying to fix with my patch.) I think Randy
and other developers are reluctant to issue an "official" patch that
may close one vulnerability and leave another, or even create
another.  The SecurityFocus guys seem to have the same concern. 
However, it's a tricky routine to rewrite from scratch without the risk
of introducing all-new bugs.

  5) Even though I had a patch that seems to fix it, I haven't wanted
to push that on the whole world for the same reasons as everyone else
in (4) - I'm not sure it correctly fixes everything.  It probably
doesn't, in fact.

  6) I've had some kind of messed up SSH tunnel configuration problem. 
Every couple days I work on it again and pull my hair some more. This
has kept me from submitting my patch through the normal channels it
should go through, which other Qpopper developers could reasonably
expect me to submit it for evaluation.

  Add all this up, plus some inertia because everyone has "day jobs"
and I think the continuing absence of an official patch is adequately
explained.

  Having said all that, I do honestly think you're better off applying
the little patch I wrote rather than doing nothing.  This *is* known to
close at least one of the vulnerabilities seen by at least one exploit
script, on at least some sites which were vulnerable in 4.0.3.  It also
fixes another (non-exploitable?) bug where the daemon hangs around too
long in the case of a client disconnecting prematurely.

  When there's an "official patch", then by all means you should
uninstall this and install the official Qualcomm one.

  -- Clifton

-- 
    Clifton Royston  --  LavaNet Systems Architect --  [EMAIL PROTECTED]
"What do we need to make our world come alive?  
   What does it take to make us sing?
 While we're waiting for the next one to arrive..." - Sisters of Mercy


