Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 105458

Summary: net-mail/mailutils format string vulnerability in imap4d
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: net-mail
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://savannah.gnu.org/patch/index.php?func=detailitem&item_id=4407
Whiteboard: C1? [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-09-09 23:05:35 UTC
This patch fixes format string vulnerability in Mailutils 0.6 imap4d search   
command.   
 
Fix is there: 
 
http://savannah.gnu.org/patch/download.php?item_id=4407&item_file_id=5160 
  
Original advisory:  
  
http://www.idefense.com/application/poi/display?id=303&type=vulnerabilities&flashstatus=false
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-09 23:07:10 UTC
net-mail do we install any init script for imap4d and if so which user does it 
run as? Please advise and bump as necessary. 
Comment 2 Fernando J. Pereda (RETIRED) gentoo-dev 2005-09-10 01:57:09 UTC
No, we don't install an init script for imap4d. I'll try to bump it later.

Cheers,
Ferdy
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-10 07:21:38 UTC
Rerating as C1 (marginal software with specific configuration) still it is  
rated as major severity.  
Comment 4 Fernando J. Pereda (RETIRED) gentoo-dev 2005-09-10 15:53:39 UTC
mailutils-0.6-r2 is in CVS with that patch.

Cheers,
Ferdy
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-09-11 02:41:14 UTC
Keyworded alright, ready for GLSA
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-09-11 02:52:04 UTC
Let's have a vote, because impact is not that obvious...

Authenticated users may execute code as the user imap4d runs at. Since imap4d
apparently supports non-system auth, this may open the system to unauthorized
access... I tend to vote YES.
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-11 03:08:15 UTC
We don't provide an init script and only authenticated users can supposedly 
exploit the vulnerability. I vote NO. 
Comment 8 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-14 03:14:22 UTC
I vote YES, for the reasons koon mentioned.
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2005-09-14 03:18:58 UTC
yes over here, too
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-09-17 05:33:13 UTC
GLSA 200509-10