On Wed, Mar 27, 2002 at 05:55:42AM -0800, Jeff Gray wrote:
> Any word from Qualcomm or others about a patch for this bug?
>
> I would prefer to use an 'official patch' but prefer not to leave this
> hole open if no patch is forthcoming.

I'm going to go out on a limb here and say what I believe the problem factors to be in this situation and why it hasn't happened yet; I do believe it would have been reasonable to have an "official patch" to Qpopper out by this point, though there are reasons it hasn't happened. (Bear in mind that I have no relationship with Qualcomm whatsoever and I'm not a spokesperson for any of the developers.)

1) Qpopper seems to be transitioning from a company-supported to a community-supported piece of software. However, the website is still run by Randy Gellens of Qualcomm, he is still the authority on the software and what goes in, and everyone in the community (certainly including myself) would rather defer to him for what kind of patch should be official.

2) As I understand it, Randy Gellens was travelling at an IETF meeting at the time of this bug announcement and had limited access to try to reproduce and analyse the bug. To complicate matters further, at least one of the other volunteer developers was travelling too.

3) In addition I believe Randy was given incomplete or misleading information about the nature of the bug, due to the vagueness of the original disclosure.

4) The routine where the exploitable vulnerability occurred seems kind of a mess. I'm pretty sure after looking at it that there is more than one bug in it. (Indeed, Randy might have been looking at a different bug than I was trying to fix with my patch.) I think Randy and other developers are reluctant to issue an "official" patch that may close one vulnerability and leaves another, or even creates another. The SecurityFocus guys seem to have the same concern. However, it's a tricky routine to rewrite from scratch without the risk of introducing all-new bugs.

5) Even though I had a patch that seems to fix it, I haven't wanted to push that on the whole world for the same reasons as everyone else in (4) - I'm not sure it correctly fixes everything. It probably doesn't, in fact.

6) I've had some kind of messed up SSH tunnel configuration problem. Every couple days I work on it again and pull my hair some more. This has kept me from submitting my patch through the normal channels it should go through, which other Qpopper developers could reasonably expect me to submit it for evaluation.

Add all this up, plus some inertia because everyone has "day jobs" and I think the continuing absence of an official patch is adequately explained.

Having said all that, I do honestly think you're better off applying the little patch I wrote rather than doing nothing. This *is* known to close at least one of the vulnerabilities seen by at least one exploit script, on at least some sites which were vulnerable in 4.0.3. It also fixes another (non-exploitable?) bug where the daemon hangs around too long in the case of a client disconnecting prematurely. When there's an "official patch", then by all means you should uninstall this and install the official Qualcomm one.

  -- Clifton

--
Clifton Royston -- LavaNet Systems Architect -- [EMAIL PROTECTED]
"What do we need to make our world come alive?
 What does it take to make us sing?
 While we're waiting for the next one to arrive..." - Sisters of Mercy