
Bug 107357

Summary: net-mail/qpopper possible poppassd Insecure Trace File Creation Vulnerability
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: major
CC: net-mail+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/16935/
Whiteboard: [ ? ]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-26 22:20:06 UTC
Description:
kcope has discovered a vulnerability in Qpopper, which can be exploited by
malicious, local users to perform certain actions on a vulnerable system with
escalated privileges.

The vulnerability is caused due to trace files being created without dropping
root privileges, and with insecure file permissions by "poppassd", which is
suid root. This can be exploited to create or modify arbitrary files with the
privileges of the root user.

The vulnerability has been confirmed in version 4.0.8. Other versions may
also be affected.

Solution:
Grant only trusted users access to affected systems.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-10-01 03:34:37 UTC
In fact we don't install poppassd, so we are not affected.
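
The description above attributes the issue to a suid root program creating trace files without dropping root privileges and with insecure file permissions. The following is an added example, not part of this bug report and not Qpopper's code, of a trace-file open that avoids both. The helper name `open_trace_file` and the default file name are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_CLOEXEC, seteuid, dprintf */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper for a setuid-root program: open a trace file as the
 * invoking (real) user, never as root. Returns an fd, or -1 on failure. */
int open_trace_file(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    int fd;
    /* Take on the real user's identity: group first, while still privileged. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        (void)setegid(saved_egid);
        return -1;
    }
    /* The kernel now checks access as the user. O_NOFOLLOW rejects a symlink
     * as the final path component. fchmod() forces 0600 whatever the umask,
     * and fails on an existing file that the user does not own. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                    fchmod(fd, 0600) != 0)) {
        close(fd);
        fd = -1;
    }
    /* Regain the saved IDs (user first, so the group change is permitted). */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0) close(fd);
        fd = -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* The default file name is a constructed placeholder. */
    int fd = open_trace_file(argc > 1 ? argv[1] : "trace.example.log");
    if (fd < 0) { fprintf(stderr, "could not open trace file\n"); return 1; }
    dprintf(fd, "trace started, pid %ld\n", (long)getpid());
    return close(fd) != 0;
}
```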