Message-ID: <3DEFEBE9.4030203@obluda.cz>
Date: Fri, 06 Dec 2002 01:14:33 +0100
From: Dan Lukes
To: freebsd-isp@freebsd.org
Subject: Re: Sendmail + Milter + Amavis-Milter

hnunez@vianetworks.com.ar wrote, On 12/04/02 18:16:

> Hi,
>
> I would like to setup Sendmail + Milter-ng + Amavis with milter
> interface.
...
> cc -DAMAVISD_SOCKET=\"/var/run/amavis/milter.amavis\"
> -DRUNTIME_DIR=\"/var
> /spool/amavis\" -DPID_FILE=\"/var/run/amavis/amavis-milter.pid\" -o
> amavis-milter amavis-milter.c -L/usr/lib/libmilter/ -lmilter -lpthread

Please note, the amavis-milter.c is poor quality code with several potential bugs and race conditions including but not limited to two buffer overflows (the remote exploitability is unknown) and unchecked string allocations (strdup) with potential NULL dereferencing.
I sent the list of those bugs with a suggested patch to the author of the code, but got no response. Maybe I do not know the correct place to send the PR to ...

I'm not sure if use of amavis-milter.c is a real security risk (in doubt we should answer "yes", of course), but I'm pretty sure it is untrustable quick-hack-only quality code ...

Dan

--
Dan Lukes tel: +420 2 21914205, fax: +420 2 21914206
root of FIONet, KolejNET, webmaster of www.freebsd.cz
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz