Hi all,

I just came across this security advisory from Gentoo Linux today and was wondering whether these vulnerabilities affect the latest release (4.0.8) of Qpopper. This is the first time in a VERY long time that I've seen a security advisory affecting Qpopper, so kudos to the developers for that.

I've checked the changelog at ftp://ftp.qualcomm.com/eudora/servers/unix/popper/Changes and didn't find any notes describing fixes of the vulnerabilities similar to those described in the security advisory below (not dropping privileges to process local files from normal users (CAN-2005-1151) and creating group or world writeable files (CAN-2005-1152).)

So,

1. Does Qpopper 4.0.8 from ftp://ftp.qualcomm.com/eudora/servers/unix/popper/ have the vulnerabilities described in the Gentoo security advisory, or is this a Gentoo-specific issue?
2. If not, how long before we can expect a new release to address the vulnerabilities below?

Thanks!

--------security advisory below-----------------------------

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200505-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Qpopper: Multiple Vulnerabilities
      Date: May 23, 2005
      Bugs: #90622
        ID: 200505-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Qpopper contains two vulnerabilities allowing an attacker to overwrite
arbitrary files and create files with insecure permissions.

Background
==========

Qpopper is a widely used server for the POP3 protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  net-mail/qpopper     < 4.0.5-r3                       >= 4.0.5-r3

Description
===========

Jens Steube discovered that Qpopper doesn't drop privileges to process
local files from normal users (CAN-2005-1151). The upstream developers
discovered that Qpopper can be forced to create group or world
writeable files (CAN-2005-1152).

Impact
======

A malicious local attacker could exploit Qpopper to overwrite arbitrary
files as root or create new files which are group or world writeable.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Qpopper users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/qpopper-4.0.5-r3"

References
==========

  [ 1 ] CAN-2005-1151
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1151
  [ 2 ] CAN-2005-1152
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1152

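As an added illustration (not code from the advisory, from Qpopper, or from the original poster), here are the two defensive patterns the advisory's fixes correspond to, as a daemon author would write them in C: dropping root before touching a file a user controls, and creating a file with an explicit owner-only mode that an inherited umask cannot widen. The function names are my own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permanently drop from root to the mail user's uid/gid before touching
 * any file that user controls (the class of bug behind CAN-2005-1151).
 * Group and supplementary groups go first, because after setuid() the
 * process can no longer change them. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() != 0)
        return 0;                       /* already unprivileged: nothing to drop */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)                 /* verify the drop is irreversible */
        return -1;
    return 0;
}

/* Create a brand-new file readable and writable by the owner only, whatever
 * umask the process inherited (the class of bug behind CAN-2005-1152).
 * O_EXCL refuses to reuse an existing file and O_NOFOLLOW refuses a symlink,
 * so a pre-planted link cannot redirect the create. Returns an fd or -1. */
int create_private_file(const char *path) {
    mode_t saved = umask(077);          /* neutralize a permissive umask */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    umask(saved);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0) {        /* enforce the mode even if open() ignored it */
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Audit check: does the file grant write access to group or others?
 * Returns 1 if so, 0 if not, -1 if it cannot be examined. */
int is_group_or_world_writable(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}
```

Run the audit check over a mail spool or per-user option files to confirm that no file a privileged daemon created is group or world writable.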