On Sun, 2008-05-18 at 12:45 +0200, Matthias Andree wrote:
> On Sun, 18 May 2008, Timo Sirainen wrote:
>
> > passdb vpopmail { #args = }
> >
> > vpopmail would be one possibility, I have some doubts about its security.
>
> Can you detail the spots you deem could take some more observation or investigation?

I haven't looked at its code for several years now, but when I was implementing support for it the code didn't look all that secure. For example I had to add a workaround to Dovecot to make it work at all, because parse_email() didn't correctly NUL-terminate the output string:

	/* vpop_user must be zero-filled or parse_email() leaves an
	   extra character after the user name. we'll fill vpop_domain
	   as well just to be sure... */
	memset(vpop_user, '\0', VPOPMAIL_LIMIT);
	memset(vpop_domain, '\0', VPOPMAIL_LIMIT);
	if (parse_email(request->user, vpop_user, vpop_domain,
			VPOPMAIL_LIMIT-1) < 0) {

Also a quick look at its sources again shows that it uses strncpy() and strncat() wrong pretty much everywhere. Especially the strncat() calls are no better at protecting against buffer overflows than strcat().. But I don't know if any of these are actually exploitable. Probably not.
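
The two pitfalls named in the message above, as an added example that is not part of the original mail and is not vpopmail or Dovecot code: strncpy() leaving a field unterminated, and strncat() given the total buffer size as its bound. LIMIT, the function names and the sample strings are constructed for the illustration.

```c
#include <string.h>

#define LIMIT 8	/* constructed field size for the demo, not vpopmail's */

/* strncpy() writes no NUL when strlen(src) >= n. Returns 1 if the field
   is terminated afterwards. zero_fill selects the defensive pattern:
   pre-zeroed buffer plus a bound of size-1. */
int strncpy_terminated(const char *src, int zero_fill)
{
	char dst[LIMIT];

	memset(dst, zero_fill ? '\0' : 'X', sizeof(dst)); /* 'X' = stale data */
	strncpy(dst, src, zero_fill ? sizeof(dst) - 1 : sizeof(dst));
	return memchr(dst, '\0', sizeof(dst)) != NULL;
}

/* The common misuse strncat(dst, src, sizeof(dst)): n limits the bytes
   taken from src, not the size of dst. The field is the first LIMIT bytes
   of a larger array, so the overrun is measured without undefined
   behaviour. prefix must be shorter than LIMIT and the inputs must not
   contain 'X'. Returns the number of bytes written past the field. */
size_t strncat_overrun(const char *prefix, const char *src)
{
	char backing[4 * LIMIT];
	size_t i, over = 0;

	memset(backing, 'X', sizeof(backing));
	strcpy(backing, prefix);
	strncat(backing, src, LIMIT);	/* wrong bound: total field size */
	for (i = LIMIT; i < sizeof(backing); i++)
		if (backing[i] != 'X')
			over = i + 1 - LIMIT;
	return over;
}

/* Bounded append: the limit is the space left after the current contents
   and the terminator. Returns 0, or -1 (dst unchanged) if src won't fit. */
int append_bounded(char *dst, size_t size, const char *src)
{
	const char *end = memchr(dst, '\0', size);
	size_t used;

	if (end == NULL)
		return -1;	/* dst itself is not terminated */
	used = (size_t)(end - dst);
	if (strlen(src) > size - used - 1)
		return -1;
	memcpy(dst + used, src, strlen(src) + 1);
	return 0;
}
```

With the constructed inputs "user@" and "example.org", the misused strncat() writes 6 bytes past the 8-byte field, while append_bounded() refuses the append and leaves the field intact.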