Bug 107357 - net-mail/qpopper possible poppassd Insecure Trace File Creation Vulnerability
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/16935/
Whiteboard: [ ? ]
Reported: 2005-09-26 22:20 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-10-01 03:34 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-26 22:20:06 UTC
Description: 
kcope has discovered a vulnerability in Qpopper, which can be exploited by 
malicious, local users to perform certain actions on a vulnerable system with 
escalated privileges. 

The vulnerability is caused due to trace files being created without dropping 
root privileges, and with insecure file permissions by "poppassd", which is 
suid root. This can be exploited to create or modify arbitrary files with the 
privileges of the root user. 

The vulnerability has been confirmed in version 4.0.8. Other versions may 
also be affected. 

Solution: 
Grant only trusted users access to affected systems.
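
The root cause quoted above (a suid-root program creating a trace file without dropping privileges and with loose permissions) is avoided by the pattern in the following added example. It is not part of the bug report and is not Qpopper's code; `open_trace_as_caller` and the default file name `trace.log` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a trace file as the invoking user, not as root.
 * Returns a file descriptor, or -1 if the path is refused. */
int open_trace_as_caller(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    int fd = -1;

    /* Temporarily drop the setuid/setgid identity (group first, while still
     * privileged) so the kernel checks the caller's own permissions. */
    if (setegid(getgid()) == 0 && seteuid(getuid()) == 0) {
        /* O_NOFOLLOW refuses a symlink as the final component; 0600 keeps a
         * newly created trace private to the caller. */
        fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
        /* Accept only a regular, singly linked file owned by the caller and
         * not writable by group or others. */
        if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                        st.st_uid != getuid() || st.st_nlink != 1 ||
                        (st.st_mode & (S_IWGRP | S_IWOTH)))) {
            close(fd);
            fd = -1;
        }
    }
    /* Regain the saved identity (user first); refuse to continue otherwise. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_trace_as_caller(argc > 1 ? argv[1] : "trace.log");
    if (fd < 0) {
        perror("trace file refused");
        return 1;
    }
    dprintf(fd, "trace started by uid %ld\n", (long)getuid());
    return close(fd) != 0;
}
```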
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-10-01 03:34:37 UTC
In fact we don't install poppassd, so we are not affected.