Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 269129

Summary: <net-mail/vpopmail-5.4.33, <net-mail/qmailadmin-1.2.15-r1: Integer Overflow for user's quota
Product: Gentoo Security Reporter: Stratos Psomadakis (RETIRED) <psomas>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: anf, eras, qmail-bugs+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.securityfocus.com/archive/1/503375
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Stratos Psomadakis (RETIRED) gentoo-dev 2009-05-09 13:19:14 UTC 
net-mail/vpopmail is prone to several Integer Overflows due that
numeric types of more range are needed to store user's quota nowadays(quota
over 2GB).
bug description here
http://www.securityfocus.com/archive/1/503375

Reproducible: Always
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2013-05-31 00:00:57 UTC 
*** Bug 378371 has been marked as a duplicate of this bug. ***
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2013-05-31 00:03:16 UTC 
I have fixed this in qmailadmin-1.2.15-r1 with a custom patch.

This is already fixed in upstream vpopmail-5.4.33.
Upstream vpopmail changelog:
====
5.4.33 -
  Matt Brookings
...
  - Changed relevant quota code to use storage_t 64bit type 
...
===

Arches, please stabilize vpopmail-5.4.33 and qmailadmin-1.2.15-r1.

Target keywords:
qmailadmin-1.2.15-r1: amd64 arm ppc s390 sh sparc x86
vpopmail-5.4.33: amd64 arm ia64 s390 sh sparc x86
Comment 3 Agostino Sarubbo gentoo-dev 2013-06-05 15:27:34 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-06-05 15:27:50 UTC 
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-06-09 11:36:08 UTC 
ia64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-06-09 11:36:29 UTC 
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-06-09 11:36:53 UTC 
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-06-09 12:14:09 UTC 
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-06-11 11:05:15 UTC 
sh stable
Comment 10 Markus Meier gentoo-dev 2013-06-11 18:58:33 UTC 
arm stable, all arches done.
Comment 11 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 05:35:43 UTC 
GLSA vote: no.
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-14 02:15:40 UTC 
GLSA vote: no.

Closing noglsa.