Posted: Mon May 23, 2005 8:10 pm Post subject: [ GLSA 200505-17 ] Qpopper: Multiple Vulnerabilities
Gentoo Linux Security Advisory
Title: Qpopper: Multiple Vulnerabilities (GLSA 200505-17)
Date: May 23, 2005
Qpopper contains two vulnerabilities allowing an attacker to overwrite arbitrary files and create files with insecure permissions.
Qpopper is a widely used server for the POP3 protocol.
Vulnerable: < 4.0.5-r3
Unaffected: >= 4.0.5-r3
Architectures: All supported architectures
Jens Steube discovered that Qpopper does not drop privileges before processing local files from normal users (CAN-2005-1151). The upstream developers discovered that Qpopper can be forced to create group- or world-writable files (CAN-2005-1152).
A malicious local attacker could exploit Qpopper to overwrite arbitrary files as root or create new files that are group- or world-writable.
There is no known workaround at this time.
All Qpopper users should upgrade to the latest available version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/qpopper-4.0.5-r3"
Last edited by GLSA on Sun May 07, 2006 4:57 pm; edited 1 time in total
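
The two bug classes named in this advisory, shown as an added C example that is not part of the original advisory and is not Qpopper's code: a root daemon drops to the target user before touching that user's files, and creates files with an explicit private mode instead of trusting the inherited umask. The function names are hypothetical.

```c
#define _GNU_SOURCE
/* Added illustration, not Qpopper source: a root daemon handling files on
 * behalf of a local user. All function names here are hypothetical. */
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* CAN-2005-1151 class: permanently become the user BEFORE opening anything
 * in a location that user controls. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)  /* shed root's groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)       /* group first, then user */
        return -1;
    /* Verify the result: a drop that silently failed is the bug itself. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)                 /* root must not be regainable */
        return -1;
    return 0;
}

/* CAN-2005-1152 class, weak form: the mode is whatever the inherited umask
 * leaves of 0666, and an existing file or symlink is followed and truncated. */
int create_file_weak(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: explicit 0600, refuse existing files and symlinks, and
 * confirm the permissions on the descriptor that was actually opened. */
int create_file_private(const char *path)
{
    struct stat st;
    mode_t old = umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    umask(old);                                     /* restore caller's umask */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || (st.st_mode & 077) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```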