
Re: [Full-disclosure] DoS attacks on MIME-capable software via complex MIME emails



On Mon, 08 Dec 2008 19:12:26 +0100, Bernhard Brehm said:

> I (re)discovered the bug independently in mid 2007. The bug was however
> known before. There are some advisories like secunia.com/advisories/11360/
> (for Eudora, bug still unfixed) by people who discovered the problem
> before, but did not publicly announce or did not see the scope of it. More
> recently, there has been a similar advisory for sendmail, CVE-2006-1173.
> There have been other advisories for different antivirus solutions. This
> bug is not 0-day at all, it is really old. If you find older advisories,
> which cover this bug, or knew it before, mail me so I can update this
> section.

You want *real* loads of fun? Go read up on message/partial ;)

"Nesty" and "multikill" were already recognized as a potential issue all the
way back in 1996. Mike Weston worries about thousands of bodyparts, and Ned
Freed thought that deep nesting was more likely to be an issue:

http://www.imc.org/ietf-calendar/archive1/msg00487.html


    * To: Mike Weston <mweston@xxxxxxxxxxxx>
    * Subject: Re: More on merged drafts.
    * From: Ned Freed <Ned.Freed@xxxxxxxxxxxx>
    * Date: Fri, 06 Dec 1996 14:01:39 -0800 (PST)
    * Cc: Alec Dun <AlecDu@xxxxxxxxxxxxxxxxxxxxxx>, fdawson@xxxxxxxxxxxxx, ietf-calendar@xxxxxxx
    * In-reply-to: "Your message dated Fri, 06 Dec 1996 10:58:29 -0800"<>
    * References: <>
    * Sender: owner-ietf-calendar@xxxxxxx

> Alec Dun wrote:
> >
> > I believe MIME is the right way to encapsulate objects for the following
> > reasons:
> >
> > 1.  MIME already has a way to represent multiple objects in a message.

> My guess would be that if many MIME parsers were presented with a
> multipart MIME message with thousands of parts (like someone's entire
> schedule for a few months), they would blow up.  This is just orders of
> magnitude more complex than this mechanism is typically called upon to
> handle today.

Maybe I'm just overly proud of my own implementation, but I don't think that
most implementations will have a problem handling this sort of thing. I
routinely receive MIME messages with anywhere from several dozen to several
hundred attachments and have no real problem with it.

Nesting is a very different matter, BTW. I can readily believe that many
implementations won't handle MIME structure nesting a thousand levels deep. (I
also have experience in this area to back up this assessment.) But the usage
being proposed here isn't a deeply nested structure, at least not as far as I
can tell.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
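
Added example, not part of the original message or of any project mentioned in it: a pre-parse guard for the two conditions discussed above (very many body parts, very deep multipart nesting). It scans line by line with an explicit stack, so the check itself cannot recurse; the names scan_mime, MimeLimitExceeded and the default limits are assumptions chosen for illustration, and message/rfc822 bodies are not descended into.

```python
import re

class MimeLimitExceeded(ValueError): """The message exceeds a structural limit."""

_CT = re.compile(r'^content-type:\s*multipart/[^\n]*?\bboundary\s*=\s*'
                 r'(?:"([^"\n]+)"|([^\s;"]+))', re.I | re.M)

def _boundary(headers):
    """Return the boundary of a multipart Content-Type header, else None."""
    m = _CT.search(re.sub(r"\n[ \t]+", " ", "\n".join(headers)))  # unfold first
    return (m.group(1) or m.group(2)) if m else None

def scan_mime(raw, max_depth=8, max_parts=500):
    """Return (deepest nesting, part count); raise MimeLimitExceeded over a limit."""
    # Limitation (assumed scope): message/rfc822 bodies are not descended into.
    stack, parts, deepest = [], 0, 0   # stack: open boundaries, innermost last
    headers, in_headers = [], True
    for bline in raw.splitlines():
        line = bline.decode("latin-1").rstrip()
        if in_headers:
            if line:
                headers.append(line)
                continue
            in_headers = False         # blank line ends the header block
            b = _boundary(headers)
            if b:
                stack.append(b)
                deepest = max(deepest, len(stack))
                if deepest > max_depth:
                    raise MimeLimitExceeded(f"nesting deeper than {max_depth}")
            continue
        for i in range(len(stack) - 1, -1, -1):   # innermost boundary first
            if line == "--" + stack[i]:           # delimiter: new body part
                del stack[i + 1:]                 # drop unterminated inner multiparts
                parts += 1
                if parts > max_parts:
                    raise MimeLimitExceeded(f"more than {max_parts} body parts")
                headers, in_headers = [], True
                break
            if line == "--" + stack[i] + "--":    # close delimiter
                del stack[i:]
                break
    return deepest, parts

# Constructed sample: two multipart levels, two body parts.
SAMPLE = (b'Content-Type: multipart/mixed; boundary="o"\n\n'
          b'--o\nContent-Type: multipart/mixed; boundary=i\n\n'
          b'--i\nContent-Type: text/plain\n\nhi\n--i--\n--o--\n')
```

Because the stack never grows past max_depth + 1 entries, the work per line stays bounded regardless of how the message is structured.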