Bug#330123: qpopper: poppassd local root exploit?
Package: qpopper Version: 4.0.5-4 Severity: important Tags: security Hi! On full-disclosure, there was a posting about a local root exploit in Qpopper: http://lists.grok.org.uk/pipermail/full-disclosure/2005-September/037377.html I haven't looked into this issue myself, so I leave the severity at important. Please raise it to critical if the exploit really works, or just close this bug if it is bogus. Thanks in advance for checking, and have a nice day! Martin -- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntulinux.org Debian Developerhttp://www.debian.org signature.asc Description: Digital signature
Bug#330123: qpopper: poppassd local root exploit?
Does the Debian package ship poppassd? I don't think so: $ dpkg -L qpopper | grep bin /usr/bin /usr/bin/popauth /usr/sbin /usr/sbin/in.qpopper $ dpkg -l qpopper [...] ii qpopper4.0.5-4Enhanced Post Office Protocol server (POP3) $ However, password/Makefile.in does indeed install poppassd SUID root, and the -t option allows appending data to some user-specific file. *sigh* To sum it up: The bug report appears to be real, but Debian's package does not seem to be affected. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]