
Bug 26730

Summary: net-mail/teapop
Product: Gentoo Security
Reporter: Daniel Ahlberg (RETIRED) <aliz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: net-mail+disabled
Priority: Highest
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-08-16 10:13:33 UTC
-------------------------------------------------------------------------- 
Debian Security Advisory DSA 347-1                     security@debian.org 
http://www.debian.org/security/                             Matt Zimmerman 
July 8th, 2003                          http://www.debian.org/security/faq 
-------------------------------------------------------------------------- 
 
Package        : teapop 
Vulnerability  : SQL injection 
Problem-Type   : remote 
Debian-specific: no 
CVE Ids        : CAN-2003-0515 
 
teapop, a POP-3 server, includes modules for authenticating users 
against a PostgreSQL or MySQL database.  These modules do not properly 
escape user-supplied strings before using them in SQL queries.  This 
vulnerability could be exploited to execute arbitrary SQL under the 
privileges of the database user as which teapop has authenticated.
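
The flaw class the advisory describes, shown as an added example that is not teapop's code and not part of the advisory or this bug report: a login lookup that pastes client-supplied strings into the SQL text, next to the same lookup with bound parameters. The table, function names and sample inputs are constructed for illustration, and sqlite3 stands in for the PostgreSQL/MySQL back ends.

```python
import sqlite3

def make_db():
    # Constructed sample table; plaintext passwords only to keep the sample short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailusers (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO mailusers VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "hunter2")])
    return db

def lookup_unescaped(db, user, password):
    # Flawed pattern: client-supplied strings become part of the SQL text.
    sql = ("SELECT username FROM mailusers "
           "WHERE username = '%s' AND password = '%s'" % (user, password))
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, user, password):
    # Hardened pattern: values are bound parameters and are never parsed as SQL.
    sql = "SELECT username FROM mailusers WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (user, password))]

def outcome(lookup, db, user, password):
    # Matched usernames, or "SQL error" if the statement failed to parse.
    try:
        return sorted(lookup(db, user, password))
    except sqlite3.Error:
        return "SQL error"

# Constructed inputs: a normal login, a name with an apostrophe,
# and a password value that carries a quote character.
SAMPLES = [("alice", "correct-horse"), ("o'brien", "pw"), ("alice", "x' OR '1'='1")]

if __name__ == "__main__":
    db = make_db()
    for user, password in SAMPLES:
        print(repr(user), repr(password),
              "unescaped:", outcome(lookup_unescaped, db, user, password),
              "bound:", outcome(lookup_bound, db, user, password))
```

With the unescaped lookup, the apostrophe in a username breaks the statement and the quote-bearing password changes which rows match; with bound parameters both are compared as plain data and match nothing.
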
Comment 1 solar (RETIRED) gentoo-dev 2003-09-22 00:38:34 UTC
net-mail/teapop-0.3.5 is still in the portage tree. It needs to be package.masked, fixed, or removed from the tree altogether.

I see no updated versions at the teapop homepage at
http://www.toontown.org/teapop/download.php

Patches/workarounds welcome.
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2003-09-30 13:01:17 UTC
.