GLSA
Veteran
Joined: 12 May 2004
Posts: 1303
|
 Posted: Mon Nov 27, 2006 9:26 am Post subject: [ GLSA 200611-22 ] Ingo H3: Folder name shell command inject |
 |
|
Gentoo Linux Security Advisory
Title: Ingo H3: Folder name shell command injection (GLSA 200611-22)
Severity: normal
Exploitable: remote
Date: November 27, 2006
Bug(s): #153927
ID: 200611-22
Synopsis
Ingo H3 is vulnerable to arbitrary shell command execution when handling procmail rules.
Background
Ingo H3 is a generic frontend for editing Sieve, procmail, maildrop and IMAP filter rules.
Affected Packages
Package: www-apps/horde-ingo
Vulnerable: < 1.1.2
Unaffected: >= 1.1.2
Architectures: All supported architectures
Description
Ingo H3 fails to properly escape shell metacharacters in procmail rules.
Impact
A remote authenticated attacker could craft a malicious rule which could lead to the execution of arbitrary shell commands on the server.
Workaround
Don't use procmail with Ingo H3.
Resolution
All Ingo H3 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-ingo-1.1.2" |
References
CVE-2006-5449 |
|
News & Announcements
