Two bugs have been discovered in qpopper, an enhanced Post Office
Protocol (POP3) server. The Common Vulnerabilities and Exposures
project identifies the following problems:
Jens Steube discovered that while processing local files owned or
provided by a normal user, privileges weren't dropped, which could
lead to the overwriting or creation of arbitrary files as root.
The upstream developers noticed that qpopper could be tricked into
creating group- or world-writable files.
Created attachment 57390
Created attachment 57391
Ferdy, please advise. Please do NOT commit anything to CVS; the disclosure date is still unknown.
Those patches do not apply directly so I edited them a bit and now they apply and qpopper works as expected.
Created attachment 58328
Edited patch to apply cleanly in our ebuild. (removed Debian crap + fixed first
Created attachment 58329
Removed Debian crap to apply cleanly.
Created attachment 58330
Patch to the current qpopper-4.0.5-r2.ebuild to apply both CAN patches.
Calling individual devs to test. Please do NOT commit anything to CVS. Please test the patches provided on this bug and report back here.
Created attachment 58505
I attach an updated ebuild since gustavoz had problems with the patch I sent.
Tested with normal (110) and TLS (995) using xinetd on x86.
Looks good on sparc too.
CC'ing Stefan so he can draft.
Ferdy, the URL apparently has changed to: http://www.eudora.com/products/unsupported/qpopper/index.html
OK, done. Thanks.
Reporter contacted again for clarification on disclosure date.
Coordinated Release set to Monday 2005/05/23
Ferdy, we have a go, please commit.