Two bugs have been discovered in qpopper, an enhanced Post Office Protocol (POP3) server. The Common Vulnerability and Exposures project identifies the following problems: CAN-2005-1151 Jens Steube discovered that while processing local files owned or provided by a normal user privileges weren't dropped, which could lead to the overwriting or creation of arbitrary files as root. CAN-2005-1152 The upstream developers noticed that qpopper could be tricked to creating group- or world-writable files.
Created attachment 57390 [details, diff] patch.CAN-2005-1151.qpopper
Created attachment 57391 [details, diff] patch.CAN-2005-1152.qpopper
Ferdy please advise. Please do NOT commit anything to CVS, disclosure date is still unknown.
Those patches do not apply directly so I edited them a bit and now they apply and qpopper works as expected. Cheers, Ferdy
Created attachment 58328 [details, diff] qpopper-CAN-2005-1151.patch Edited patch to apply cleanly in our ebuild. (removed debian crap + fixed first chunk )
Created attachment 58329 [details, diff] qpopper-CAN-2005-1152.patch Removed debian crap to apply cleanly
Created attachment 58330 [details, diff] qpopper-4.0.5-r2.patch Patch to the current qopper-4.0.5-r2.ebuild to apply both CAN patches.
Calling individual devs to test. Please do NOT commit anything to CVS. Please test the patches provided on this bug and report back here. x86: langthang sparc: gustavoz@gentoo.org
Created attachment 58505 [details] qpopper-4.0.5-r2.ebuild I attach updated ebuild since gustavoz had problems with the patch I sent.
tested with normal (110) and tls (995) using xinetd on x86.
Looks good on sparc too.
Thx everyone. CC'ing Stefan so he can draft.
Ferdy URL apparently has changed to: http://www.eudora.com/products/unsupported/qpopper/index.html
Ok, done. Thanks Cheers, Ferdy
Reporter contacted again for clarification on disclosure date.
Coordinated Release set to Monday 2005/05/23
Ferdy, we have a go, please commit.
GLSA 200505-17
