
> This is the second integer-related security flaw in DJB's code (and apparently the first exploitable one).

Here is what DJB has to say about the exploitability of Guninski's bug:

  "In May 2005, Georgi Guninski claimed that some
   potential 64-bit portability problems allowed
   a ``remote exploit in qmail-smtpd.'' This claim
   is denied. Nobody gives gigabytes of memory to
   each qmail-smtpd process, so there is no problem
   with qmail's assumption that allocated array
   lengths fit comfortably into 32 bits."

I'm not sure I'm convinced by this line of reasoning :)


