| Summary: | net-mail/mailutils format string vulnerability in imap4d | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | net-mail+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://savannah.gnu.org/patch/index.php?func=detailitem&item_id=4407 | | |
| Whiteboard: | C1? [glsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |

Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-09-09 23:05:35 UTC
net-mail do we install any init script for imap4d and if so which user does it run as? Please advise and bump as necessary.

No, we don't install an init script for imap4d. I'll try to bump it later. Cheers, Ferdy

Rerating as C1 (marginal software with specific configuration) still it is rated as major severity.

mailutils-0.6-r2 is in CVS with that patch. Cheers, Ferdy

Keyworded alright, ready for GLSA

Let's have a vote, because impact is not that obvious... Authenticated users may execute code as the user imap4d runs at. Since imap4d apparently supports non-system auth, this may open the system to unauthorized access... I tend to vote YES.

We don't provide an init script and only authenticated users can supposedly exploit the vulnerability. I vote NO.

I vote YES, for the reasons koon mentioned.

yes over here, too

GLSA 200509-10