[Dovecot] 1.1r1: auth-worker(default): BUG: PASSV had missing parameters, sig11
Timo Sirainen
tss at iki.fi
Sun Mar 9 13:28:20 EET 2008
On Sun, 2008-03-09 at 03:50 -0400, Adam McDougall wrote:
> Mar 8 17:02:17 boomhauer dovecot: auth-worker(default): BUG: PASSV had
> missing parameters
Thanks, I kept trying to figure out what caused this and then started
wondering about password escaping and found the security hole. I still
hadn't figured out what caused this though, until I realized that
passwords can have linefeeds as well which can cause this.
> Mar 8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
This still shouldn't happen though. I didn't try to reproduce this yet.
It's anyway quite difficult to get core dumps out of login processes.
I'm not sure if FreeBSD lets you do that in some special way, but there
are at least two things in the way:
1. Kernel thinks it's a setuid program, and setuid programs don't core
dump.
2. It's chrooted to a non-writable directory.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20080309/c2e56385/attachment.bin
More information about the dovecot
mailing list