[personal profile] yesthattom
While I am a Postfix user, I still try to keep up to date with what’s happening with Sendmail. Sendmail release 8.13.7 fixes a security problem that can be triggered by, well, I’ll let you read the message:
It fixes a potential denial of service problem caused by excessive recursion which leads to stack exhaustion when attempting delivery of a malformed MIME message. Therefore, the function mime8to7() has been modified to limit the recursion level at (the compile time constant) MAXMIMENESTING.
I got all excited in a computer-security-geeky-kind-of-way when I read this. I thought, “cool! Are we now going to see a rash of new security holes as everyone checks their source code for recursive functions and figures out ways to trigger infinite recursion?”

Then I realized... hardly anyone uses recursion. There will be no rash. Dang. :)
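
An added illustration, not Sendmail's code and not part of the original post, of the kind of guard the release note describes: a recursive multipart walker that refuses to descend past a fixed nesting limit. The simplified parser, its line-array input, the helper names and the value 20 are assumptions made for this example; only the name MAXMIMENESTING comes from the note.

```c
#include <stdio.h>
#include <string.h>
#define MAXMIMENESTING 20  /* name from the release note; value assumed here */

/* Walk one entity at lines[*pos]; returns deepest nesting level, or -1 past the limit. */
static int walk_entity(const char **lines, int n, int *pos, const char *outer, int depth)
{
    char bnd[72] = "";                      /* own delimiter if this entity is multipart */
    int deepest = depth;
    if (depth > MAXMIMENESTING) return -1;  /* the guard: stop before going deeper */
    for (; *pos < n && lines[*pos][0] != '\0'; (*pos)++) {   /* headers */
        const char *b = strstr(lines[*pos], "boundary=");
        if (b && strncmp(lines[*pos], "Content-Type: multipart/", 24) == 0)
            snprintf(bnd, sizeof bnd, "--%s", b + 9);
    }
    if (*pos < n) (*pos)++;                 /* skip blank line after headers */
    while (*pos < n) {                      /* body */
        const char *l = lines[*pos];
        size_t bl = strlen(bnd);
        if (outer && strncmp(l, outer, strlen(outer)) == 0) return deepest;  /* parent's delimiter */
        (*pos)++;
        if (bl == 0 || strncmp(l, bnd, bl) != 0) continue;   /* ordinary body line */
        if (strcmp(l + bl, "--") == 0) { bnd[0] = '\0'; continue; }  /* closing delimiter */
        int d = walk_entity(lines, n, pos, bnd, depth + 1);  /* one sub-part */
        if (d < 0) return -1;
        if (d > deepest) deepest = d;
    }
    return deepest;
}

/* Constructed input: `levels` (<= 1000) nested multiparts around one text part. */
int nested_result(int levels)
{
    static char hdr[1000][64], del[1000][24];
    static const char *lines[3 * 1000 + 3];
    int n = 0, pos = 0;
    for (int i = 0; i < levels; i++) {
        snprintf(hdr[i], sizeof hdr[i], "Content-Type: multipart/mixed; boundary=b%04d", i);
        snprintf(del[i], sizeof del[i], "--b%04d", i);
        lines[n++] = hdr[i]; lines[n++] = ""; lines[n++] = del[i];
    }
    lines[n++] = "Content-Type: text/plain"; lines[n++] = ""; lines[n++] = "hello";
    return walk_entity(lines, n, &pos, NULL, 0);
}

int main(void)
{
    printf("%d %d %d\n", nested_result(3), nested_result(20), nested_result(1000));
    return 0;
}
```

With the guard in place the call stack never grows beyond MAXMIMENESTING + 1 frames, however deeply the input claims to nest.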

Date: 2006-06-15 03:41 pm (UTC)
From: [identity profile] stormsweeper.livejournal.com
I don't know about hardly anyone; it's pretty common in Java. Still, excessive recursion is usually a sign of someone trying to be too clever.

Date: 2006-06-15 03:45 pm (UTC)
From: [identity profile] docstrange.livejournal.com
Recursion DoS issues are loooong-standing in email - especially antivirus products that open up various archive files to see what's inside. Hilarity ensues. Most limit to some arbitrary level of recursion. Recursion has also been fun to try for packet filter evasion - IP-in-IP has been used to test firewalls. Imagine IP-in-IPX-in-IP-in-IPX-in-IP....

Date: 2006-06-15 06:17 pm (UTC)
From: [identity profile] misteropinion.livejournal.com
Recursion is the event-driven programming of the regular programmer---easier to get wrong than you think, thus it's either used by the clever-yet-uncaring-of-resources or the think-they're-too-clever-for-words. At least, IMO.

I love it because it's frugal of lines of code, at least usually.

Date: 2006-06-16 02:48 am (UTC)
From: [identity profile] lilbjorn.livejournal.com
There will be no rash. Dang.

No recurses! Foiled again.

Date: 2006-06-16 11:36 am (UTC)
From: [identity profile] cpj.livejournal.com
I think I'm just going to hold out for Sendmail X.
