I've recently had to take a small diversion from getting Mercury/32 v4.5 ready for release to prepare a patch for v4.01. The patch works around a vulnerability in the IMAP server where sending IMAP "literals" formatted in a particular way would crash the running copy of Mercury/32. While I was at it, I corrected a couple of fairly significant memory leaks in the IMAP server - these had been discovered during the implementation of the audited memory allocation manager in v4.5 (see my last blog post for more on this).
Having to prepare patches like this raises very mixed feelings in me: on the one hand, I accept that vulnerabilities are inevitable in software that exposes itself to the world, and feel that I should be grateful that the vulnerability was discovered before (as far as we know) any particular damage resulted from it. On the other hand, though, some of the people who seem to spend so much time discovering these vulnerabilities also strike me as being sad, dangerous individuals with fairly significant social problems. The fact that I had to learn about this vulnerability very indirectly (i.e., the person who discovered it made no effort to report it to me) annoys and saddens me. OK, get your jollies by trying to break other people's work - that's fine, and it's even quite constructive and helpful from a certain perspective; but if you succeed, for Heaven's sake tell the author so he can fix it! Any kudos you might get for being such a clever bunny and discovering an obscure problem is immediately eviscerated by not acting responsibly with that discovery.
Anyway, to whoever discovered this weakness - my sincerest thanks: one day, perhaps I'll be able to meet you and shake you warmly by the throat.
-- David --