:: Re: [DNG] mailing list software
Author: Rick Moen
Date:  
To: dng
Subject: Re: [DNG] mailing list software
I wrote:

> Upon examination, it turns out that the known flaws in Procmail lack any
> credible exploitation scenario. The matter was covered on LWN.net a few
> years ago, and I'm pretty sure nothing has changed substantively.
>
> (I've gone through this discussion several times since then on mailing
> lists, and can dredge up details from those if necessary.)


One was a year ago on this mailing list:


Quoting Adam Borowski (kilobyte@???):

> Note: there indeed was one security vulnerability, but it was
> discovered in
> 2014, while all the "it's dead" brouhaha happened years before.


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618

It's a heap-based buffer overflow in /usr/bin/formail (specifically in
formisc.c). The threat model is a bit far-fetched, IMO. (Normally,
LDA handling only rarely involves formail, which is a filter for munging
messages.)

Distros immediately patched it. AFAIK, basically instead of a
single upstream, there is timely maintenance by various distributions.
Which makes the 'Oh noes! procmail isn't safe!' noises a bit
exaggerated.

https://serverfault.com/questions/876336/is-it-safe-to-use-procmail-in-2017



And then again in July 2018:

Quoting KatolaZ (katolaz@???):

> Again, links before opinions:
>
> https://sourceforge.net/p/net-tools/code/ci/master/tree/
>
> net-tools might be obsolete for many functions, but it's still
> developed, and is surely not "unmaintained" since 17 years ago.


Argue with Jon Corbet, then:
https://lwn.net/Articles/710533/

That was last year. I don't believe there's been a substantial
turnaround despite some checkins. (If I'm mistaken, I'll find out when
I hear people whose judgment I trust say 'A miracle happened and
net-tools has been fully made reasonable to rely on, again.')

> Let's make another example. procmail


Sure, let's discuss procmail. Unlike net-tools, it's a very modestly
scoped codebase and not central to system security. Since being
orphaned, it's accumulated only two unfixed bugs with alleged security
implications that informed observers consider seriously far-fetched, not
to mention actually being bugs in an Email Sanitizer project and Horde,
not procmail itself. So, many including me consider it 'completed' more
than it is 'orphaned', and continue to happily use it rather than
aspiring replacements such as Maildrop, sieve, and sortmail.

Jon Corbet was on the glass-half-empty side of the discussion when he
covered procmail's status, but be sure to read the comment thread.
https://lwn.net/Articles/416901/

> Is anybody here ready to claim that procmail is useless and we should
> replace it just because its development ended 17 years ago, producing
> a damn virtually perfect piece of software, that does *one* thing and
> does it *well*, has been included in all the Linux and *BSD
> distributions in the last 25 years, and did not require any
> maintenance at all for 17 long years? o_O


Certainly not me. But that didn't stop you from pretending as if I'd
advanced that argument. Which was a waste of time on your part, but I
hope you enjoyed the typing practice.