Posted: Mon May 23, 2005 8:10 pm
Post subject: [ GLSA 200505-17 ] Qpopper: Multiple Vulnerabilities

Gentoo Linux Security Advisory
Title: Qpopper: Multiple Vulnerabilities (GLSA 200505-17)
Severity: normal
Exploitable: local
Date: May 23, 2005
Bug(s): #90622
ID: 200505-17
Synopsis
Qpopper contains two vulnerabilities allowing an attacker to overwrite arbitrary files and create files with insecure permissions.
Background
Qpopper is a widely used server for the POP3 protocol.
Affected Packages
Package: net-mail/qpopper
Vulnerable: < 4.0.5-r3
Unaffected: >= 4.0.5-r3
Architectures: All supported architectures
Description
Jens Steube discovered that Qpopper does not drop privileges when processing local files from normal users (CAN-2005-1151). The upstream developers discovered that Qpopper can be forced to create group or world writeable files (CAN-2005-1152).
Impact
A malicious local attacker could exploit Qpopper to overwrite arbitrary files as root or create new files which are group or world writeable.
Workaround
There is no known workaround at this time.
Resolution
All Qpopper users should upgrade to the latest available version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/qpopper-4.0.5-r3"
References
CAN-2005-1151
CAN-2005-1152
Last edited by GLSA on Sun May 07, 2006 4:57 pm; edited 1 time in total
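The two defect classes named in the Description, shown as the defensive pattern a root-started daemon needs. This is an added example, not Qpopper's code or the upstream patch; the function names drop_to_user and create_private_file and the sample path are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently take on the identity of the user whose files are about to be
 * processed. Returns 0 on success, -1 if the process may still hold root. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {                        /* only root can switch identity */
        if (setgroups(1, &gid) != 0) return -1;  /* shed root's supplementary groups */
        if (setgid(gid) != 0) return -1;         /* group first, while still root */
        if (setuid(uid) != 0) return -1;         /* real, effective and saved uid */
    }
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root must not be recoverable */
    return 0;
}

/* Create a new file that only its owner can read or write.
 * Returns an open descriptor, or -1 if the path already exists (including
 * as a symlink) or the resulting mode is group- or world-writable. */
int create_private_file(const char *path)
{
    struct stat st;
    umask(077);  /* process-wide: do not inherit a permissive umask */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || (st.st_mode & 022) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *path = "/tmp/qpopper-example.tmp";  /* constructed sample path */
    if (drop_to_user(getuid(), getgid()) != 0) return 1;
    int fd = create_private_file(path);
    if (fd < 0) return 1;
    close(fd);
    return unlink(path) != 0;
}
```

Dropping privileges before any user-controlled path is opened means a symlink planted by that user can only reach files the user could already write, and O_EXCL refuses to reuse a path that already exists.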