
Bug 93254

Summary: dev-java/sun-javamail-bin MimeMessage Information Disclosure (CAN-2005-1682)
Product: Gentoo Security
Reporter: Adir Abraham <adirab>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED CANTFIX
Severity: minor
CC: java
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.securityfocus.com/bid/13683
Whiteboard: B4 [upstream+]
Package list:
Runtime testing required: ---

Description Adir Abraham 2005-05-19 14:11:35 UTC
From SecurityFocus.com:

The MimeMessage method in the Sun JavaMail API does not perform sufficient
validation on message number values that are passed to the method during
requests. An attacker that can successfully authenticate to an email server
implementation that is written using the Sun JavaMail API, may exploit this
issue to make requests for arbitrary email messages that are stored on the server.

--

I am not sure if it actually affects us at the moment, since it says that
versions 1.3 and 1.3.2 are vulnerable. In the tree we have version 1.3.1. Please
decide what to do with the bug and check if it affects 1.3.1 too.

Reproducible: Always
Steps to Reproduce:
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-19 14:16:56 UTC
java please advise. 
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 06:13:35 UTC
No fix yet from Sun.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 09:48:15 UTC
1.3.3 is in "early release" stage. Maybe it contains the fixorz.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-09-02 02:32:57 UTC
1.3.3 is out, and apparently the thing wasn't fixed:
http://java.sun.com/products/javamail/CHANGES.txt

I think we should close this one as CANTFIX and declare this a feature, not a
vulnerability. Servers using JavaMail for implementation can put protections in
place to avoid the problem...
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-09-03 02:39:52 UTC
Since upstream doesn't consider this a vulnerability, we'll suppose they consider
it is a feature to be able to request any messageno as any user, and the task of
the API implementer to put additional safeguards if needed.

Closing as CANTFIX. Reopen if you disagree.
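A server-side safeguard of the kind Comment 4 and Comment 5 leave to the API implementer, as an added example that is not part of this bug, of JavaMail or of the Gentoo package: the message number a client supplies is resolved only within the folder opened for the user who authenticated, and is range-checked before Folder.getMessage() is ever called. The MessageAccessGuard class, its field names and the logging format are assumptions; the javax.mail calls are the standard JavaMail API.

```java
import javax.mail.Folder;
import javax.mail.Message;
import javax.mail.MessagingException;

/**
 * Hypothetical server-side guard (not part of JavaMail): a client-supplied
 * message number is only ever resolved inside the folder that was opened for
 * the principal who authenticated, so one user cannot name another user's
 * messages by number.
 */
public final class MessageAccessGuard {

    private final String authenticatedUser; // principal established at login
    private final Folder userFolder;        // folder opened for that principal only

    public MessageAccessGuard(String authenticatedUser, Folder userFolder) {
        this.authenticatedUser = authenticatedUser;
        this.userFolder = userFolder;
    }

    /**
     * Returns the requested message, or throws if the number cannot be
     * satisfied from this user's own folder. The range check runs before
     * Folder.getMessage() so a bad number is rejected with a log line naming
     * the session instead of surfacing as a bare IndexOutOfBoundsException
     * deep inside the protocol handler.
     */
    public Message fetch(int requestedNumber) throws MessagingException {
        if (!userFolder.isOpen()) {
            userFolder.open(Folder.READ_ONLY);
        }
        int count = userFolder.getMessageCount();
        // JavaMail message numbers are 1-based and dense within a single folder.
        if (requestedNumber < 1 || requestedNumber > count) {
            System.err.printf("reject user=%s folder=%s msgnum=%d count=%d%n",
                    authenticatedUser, userFolder.getFullName(), requestedNumber, count);
            throw new MessagingException("message number out of range for this mailbox");
        }
        Message msg = userFolder.getMessage(requestedNumber);
        // Consistency check: the message returned must carry the number that
        // was asked for within this same folder.
        if (msg.getMessageNumber() != requestedNumber) {
            throw new MessagingException("message number mismatch");
        }
        return msg;
    }
}
```

Because the guard never touches a Store or Folder other than the one bound to the session, a forged message number can at most fail the range check; it cannot reach a different mailbox.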