
    About our new discovery, Daniel J. Bernstein issues the following
    statement:
    
        "https://cr.yp.to/qmail/guarantee.html has for many years mentioned
        qmail's assumption that allocated array lengths fit comfortably into
        32 bits. I run each qmail service under softlimit -m12345678, and I
        recommend the same for other installations."

I am more and more convinced that djb does not understand software engineering.


I mentally predicted before clicking through that this would be a remote code execution vulnerability which affects most or all qmail installations in the world, and that djb would refuse to pay the bounty, and he would give the usual blame-the-user excuse along the lines of 'if you had done this separate thing mentioned in the documentation which I may be the only person to actually do, the vulnerability would not work'. Imagine my shock when I clicked through.



