Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 90622
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
patch.CAN-2005-1151.qpopper patch.CAN-2005-1151.qpopper patch Sune Kloppenborg Jeppesen 2005-04-27 08:10 0000 5.16 KB Details | Diff
patch.CAN-2005-1152.qpopper patch.CAN-2005-1152.qpopper patch Sune Kloppenborg Jeppesen 2005-04-27 08:10 0000 1.01 KB Details | Diff
qpopper-CAN-2005-1151.patch qpopper-CAN-2005-1151.patch patch Fernando J. Pereda (RETIRED) 2005-05-08 02:54 0000 4.52 KB Details | Diff
qpopper-CAN-2005-1152.patch qpopper-CAN-2005-1152.patch patch Fernando J. Pereda (RETIRED) 2005-05-08 02:56 0000 429 bytes Details | Diff
qpopper-4.0.5-r2.patch qpopper-4.0.5-r2.patch patch Fernando J. Pereda (RETIRED) 2005-05-08 02:59 0000 1.36 KB Details | Diff
qpopper-4.0.5-r2.ebuild qpopper-4.0.5-r2.ebuild text/plain Fernando J. Pereda (RETIRED) 2005-05-09 11:58 0000 3.60 KB Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 90622 depends on: Show dependency tree
Bug 90622 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2005-04-27 08:09 0000 
Two bugs have been discovered in qpopper, an enhanced Post Office
Protocol (POP3) server.  The Common Vulnerability and Exposures
project identifies the following problems:

CAN-2005-1151

    Jens Steube discovered that while processing local files owned or
    provided by a normal user privileges weren't dropped, which could
    lead to the overwriting or creation of arbitrary files as root.

CAN-2005-1152

    The upstream developers noticed that qpopper could be tricked to
    creating group- or world-writable files.

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-04-27 08:10:04 0000 ------- 
Created an attachment (id=57390) [details]
patch.CAN-2005-1151.qpopper

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-04-27 08:10:33 0000 ------- 
Created an attachment (id=57391) [details]
patch.CAN-2005-1152.qpopper

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-05-08 01:03:25 0000 ------- 
Ferdy please advise. Please do NOT commit anything to CVS, disclosure date is
still unknown.

------- Comment #4 From Fernando J. Pereda (RETIRED) 2005-05-08 02:53:06 0000 ------- 
Those patches do not apply directly so I edited them a bit and now they apply
and qpopper works as expected.

Cheers,
Ferdy

------- Comment #5 From Fernando J. Pereda (RETIRED) 2005-05-08 02:54:40 0000 ------- 
Created an attachment (id=58328) [details]
qpopper-CAN-2005-1151.patch

Edited patch to apply cleanly in our ebuild. (removed debian crap + fixed first
chunk )

------- Comment #6 From Fernando J. Pereda (RETIRED) 2005-05-08 02:56:08 0000 ------- 
Created an attachment (id=58329) [details]
qpopper-CAN-2005-1152.patch

Removed debian crap to apply cleanly

------- Comment #7 From Fernando J. Pereda (RETIRED) 2005-05-08 02:59:54 0000 ------- 
Created an attachment (id=58330) [details]
qpopper-4.0.5-r2.patch

Patch to the current qopper-4.0.5-r2.ebuild to apply both CAN patches.

------- Comment #8 From Sune Kloppenborg Jeppesen 2005-05-08 05:04:23 0000 ------- 
Calling individual devs to test. Please do NOT commit anything to CVS. Please
test the patches provided on this bug and report back here.

x86: langthang
sparc: gustavoz@gentoo.org

------- Comment #9 From Fernando J. Pereda (RETIRED) 2005-05-09 11:58:28 0000 ------- 
Created an attachment (id=58505) [details]
qpopper-4.0.5-r2.ebuild

I attach updated ebuild since gustavoz had problems with the patch I sent.

------- Comment #10 From Tuan Van (RETIRED) 2005-05-09 15:20:11 0000 ------- 
tested with normal (110) and tls (995) using xinetd on x86.

------- Comment #11 From Gustavo Zacarias (RETIRED) 2005-05-10 08:12:49 0000 ------- 
Looks good on sparc too.

------- Comment #12 From Sune Kloppenborg Jeppesen 2005-05-10 09:05:16 0000 ------- 
Thx everyone.

CC'ing Stefan so he can draft.

------- Comment #13 From Sune Kloppenborg Jeppesen 2005-05-10 09:43:57 0000 ------- 
Ferdy URL apparently has changed to:
http://www.eudora.com/products/unsupported/qpopper/index.html

------- Comment #14 From Fernando J. Pereda (RETIRED) 2005-05-10 11:13:24 0000 ------- 
Ok, done. Thanks

Cheers,
Ferdy

------- Comment #15 From Sune Kloppenborg Jeppesen 2005-05-13 22:10:30 0000 ------- 
Reporter contacted again for clarification on disclosure date.

------- Comment #16 From Thierry Carrez (RETIRED) 2005-05-20 08:50:38 0000 ------- 
Coordinated Release set to Monday 2005/05/23

------- Comment #17 From Sune Kloppenborg Jeppesen 2005-05-23 12:13:04 0000 ------- 
Ferdy, we have a go, please commit.

------- Comment #18 From Sune Kloppenborg Jeppesen 2005-05-23 13:04:29 0000 ------- 
GLSA 200505-17
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug