Re: EMERGENCY: new remote root exploit in UW imapd
Beware of the Dijkstra phenomenon.

The phenomenon is that immodular code seems more ``productive'' than heavily modularized code. You can read or write many more lines per hour of malloc(), strcpy(), free() than of unfamiliar high-level routines.

Of course, the modular code ends up being _much_ smaller. It also lets you independently check the correctness of each module; this scales to arbitrarily large systems if the modules remain small.

Adam Shostack writes:
> we attempted to look at the qmail source. (.89 or .91 or so).

Things have changed since then. For example, I documented most of the Sub-Standard C Library(tm) in 1997.

> We were rarely sure when the code segments we were looking at
> were considered security critical.

Anything touching the user's mail is security-critical---maybe not from root's point of view, but certainly from the user's point of view.

---Dan
Binary qmail distributions are allowed! http://pobox.com/~djb/qmail/dist.html