tBB wrote:
> Oh, then I'm sure you will find this an interesting reading too:
> http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=roaring+penguin+software+vulnerabil%2A&x=0&y=0

It is interesting. Two products and only 5 supposed vulnerabilities in 7 years. (Item 6 is an article I wrote.) Now let's look at the vulnerabilities in detail:

1. Roaring Penguin Software MIMEDefang Unspecified Remote Buffer Overflow Vulnerability (Vulnerabilities) Rank: 1000

   I (author of MIMEDefang) discovered that during a code audit. I fixed it and then notified CERT of the vulnerability. I do not believe the vulnerability could be exploited to run arbitrary code, but I decided to play it safe anyway.

2. Roaring Penguin Software MIMEDefang Multiple Unspecified Vulnerabilities (Vulnerabilities) Rank: 888

   That was something again that I discovered, fixed and then notified CERT about. It was a NULL pointer dereference possibility.

3. Roaring Penguin PPPoE Denial of Service Vulnerability (Vulnerabilities) Rank: 398

   That one I didn't discover. It was fixed within 5 minutes of being reported to me, and the worst that could happen was that a malicious adversary could cause your PPP connection to keep dropping.

4. Roaring Penguin PPPoE Arbitrary File Overwrite Vulnerability (Vulnerabilities) Rank: 369

   That one was bogus. See http://archive.cert.uni-stuttgart.de/bugtraq/2005/11/msg00195.html

   PPPoE was never designed to run SUID-root. Debian decided to run it SUID-root. STUPID! That's like saying "cat" is vulnerable if you install it SUID-root. Duh! In response, I made pppoe *refuse* to run SUID-root so idiotic misconfigurations wouldn't be blamed on me.

5. Multiple Vendor Email Message Fragmentation SMTP Filter Bypass Vulnerability (Vulnerabilities) Rank: 282

   That's endemic to the message/partial MIME type. So the MIMEDefang filter was tweaked to reject message/partial; problem solved.

So yes, three real vulnerabilities across two products in seven years, with only one of them possibly allowing remote execution of arbitrary code (and even that is very doubtful). I think it stacks up pretty well.

Regards,

David.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
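The message/partial bypass in item 5 and the fix of rejecting the type, as an added example in Python. This is not MIMEDefang's own filter code (MIMEDefang filters are Perl); the sample messages, the addresses in them and the DROP-THIS-ATTACHMENT marker are constructed for the demonstration and stand in for whatever content signature a real scanner looks for. The example shows both halves of the story: why a scanner that judges each SMTP message on its own cannot match the attachment, and the one check a filter needs.

```python
"""Why message/partial defeats a per-message filter, and the fix of rejecting it.

Added example, not MIMEDefang code.  RFC 2046 lets a sender split one
message across several SMTP messages of type message/partial; only the
recipient's mail client puts them back together.  A filter that judges each
SMTP message on its own therefore never sees the attachment whole.  The
messages and the MARKER pattern below are constructed for the demonstration.
"""
from email import message_from_bytes

MARKER = b"DROP-THIS-ATTACHMENT"  # stand-in for a real content signature

PLAIN = (
    b"From: alice@example.test\r\nTo: bob@example.test\r\n"
    b"Subject: lunch\r\nContent-Type: text/plain\r\n\r\nNoon?\r\n"
)

# Fragment 1 carries the inner message's headers plus the start of its body.
FRAGMENT_1 = (
    b"From: mallory@example.test\r\nTo: bob@example.test\r\n"
    b"Subject: report (1/2)\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: message/partial; id="abc@example.test"; number=1; total=2\r\n'
    b"\r\n"
    b"Subject: report\r\nMIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\n"
    b"Quarterly numbers attached. DROP-THIS-AT"
)

# Fragment 2 is the rest of the inner body, with no headers of its own.
FRAGMENT_2 = (
    b"From: mallory@example.test\r\nTo: bob@example.test\r\n"
    b"Subject: report (2/2)\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: message/partial; id="abc@example.test"; number=2; total=2\r\n'
    b"\r\n"
    b"TACHMENT see you Monday.\r\n"
)

# A fragment hidden inside an ordinary multipart/mixed wrapper.
NESTED = (
    b"From: mallory@example.test\r\nTo: bob@example.test\r\n"
    b"Subject: report\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="zz"\r\n\r\n'
    b"--zz\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--zz\r\n"
    b'Content-Type: message/partial; id="abc@example.test"; number=1; total=2\r\n'
    b"\r\n"
    b"Content-Type: text/plain\r\n\r\nQuarterly numbers attached. DROP-THIS-AT\r\n"
    b"--zz--\r\n"
)


def partial_fragments(raw):
    """One dict per message/partial part anywhere in the MIME tree.

    walk() visits the root and every nested part, so a fragment wrapped in
    multipart/mixed is caught as well as the top-level form RFC 2046 intends.
    """
    found = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_type() == "message/partial":
            found.append({
                "id": part.get_param("id"),
                "number": int(part.get_param("number")),
                "total": int(part.get_param("total", 0)),
            })
    return found


def verdict(raw):
    """The post's fix: refuse any message carrying message/partial."""
    return "reject" if partial_fragments(raw) else "accept"


def scanner_matches(raw):
    """What a per-message scanner sees: does MARKER occur in any decoded
    leaf body of this single SMTP message?"""
    leaves = (p for p in message_from_bytes(raw).walk() if not p.is_multipart())
    return any(MARKER in (p.get_payload(decode=True) or b"") for p in leaves)


def reassemble(fragments):
    """What the recipient's client does: join the fragment bodies in
    `number` order, which yields the inner message.  (RFC 2046 5.2.2.2 also
    merges a few outer headers into it; omitted here, since the scanner
    only needs the body.)"""
    ordered = sorted(fragments, key=lambda r: partial_fragments(r)[0]["number"])
    return b"".join(r.split(b"\r\n\r\n", 1)[1] for r in ordered)
```

Neither fragment on its own contains the marker, so scanner_matches() is false for each of them and only true for the reassembled message the client builds; that is the bypass. In a real filter only verdict() is deployed, and the point of walking every part rather than looking at the top-level Content-Type is that an attacker can wrap the fragment in multipart/mixed whatever the RFC intends.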