Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 90622 - net-mail/qpopper Two issues (CAN-2005-115{1|2})
Summary: net-mail/qpopper Two issues (CAN-2005-115{1|2})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3? [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-04-27 08:09 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-05-23 13:09 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch.CAN-2005-1151.qpopper (patch.CAN-2005-1151.qpopper,5.16 KB, patch)
2005-04-27 08:10 UTC, Sune Kloppenborg Jeppesen
no flags Details | Diff
patch.CAN-2005-1152.qpopper (patch.CAN-2005-1152.qpopper,1.01 KB, patch)
2005-04-27 08:10 UTC, Sune Kloppenborg Jeppesen
no flags Details | Diff
qpopper-CAN-2005-1151.patch (qpopper-CAN-2005-1151.patch,4.52 KB, patch)
2005-05-08 02:54 UTC, Fernando J. Pereda (RETIRED)
no flags Details | Diff
qpopper-CAN-2005-1152.patch (qpopper-CAN-2005-1152.patch,429 bytes, patch)
2005-05-08 02:56 UTC, Fernando J. Pereda (RETIRED)
no flags Details | Diff
qpopper-4.0.5-r2.patch (qpopper-4.0.5-r2.patch,1.36 KB, patch)
2005-05-08 02:59 UTC, Fernando J. Pereda (RETIRED)
no flags Details | Diff
qpopper-4.0.5-r2.ebuild (qpopper-4.0.5-r2.ebuild,3.60 KB, text/plain)
2005-05-09 11:58 UTC, Fernando J. Pereda (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-04-27 08:09:10 UTC
Two bugs have been discovered in qpopper, an enhanced Post Office
Protocol (POP3) server.  The Common Vulnerability and Exposures
project identifies the following problems:

CAN-2005-1151

    Jens Steube discovered that while processing local files owned or
    provided by a normal user privileges weren't dropped, which could
    lead to the overwriting or creation of arbitrary files as root.

CAN-2005-1152

    The upstream developers noticed that qpopper could be tricked to
    creating group- or world-writable files.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-27 08:10:04 UTC
Created attachment 57390 [details, diff]
patch.CAN-2005-1151.qpopper
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-27 08:10:33 UTC
Created attachment 57391 [details, diff]
patch.CAN-2005-1152.qpopper
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-08 01:03:25 UTC
Ferdy please advise. Please do NOT commit anything to CVS, disclosure date is still unknown.
Comment 4 Fernando J. Pereda (RETIRED) gentoo-dev 2005-05-08 02:53:06 UTC
Those patches do not apply directly so I edited them a bit and now they apply and qpopper works as expected.

Cheers,
Ferdy
Comment 5 Fernando J. Pereda (RETIRED) gentoo-dev 2005-05-08 02:54:40 UTC
Created attachment 58328 [details, diff]
qpopper-CAN-2005-1151.patch

Edited patch to apply cleanly in our ebuild. (removed debian crap + fixed first
chunk )
Comment 6 Fernando J. Pereda (RETIRED) gentoo-dev 2005-05-08 02:56:08 UTC
Created attachment 58329 [details, diff]
qpopper-CAN-2005-1152.patch

Removed debian crap to apply cleanly
Comment 7 Fernando J. Pereda (RETIRED) gentoo-dev 2005-05-08 02:59:54 UTC
Created attachment 58330 [details, diff]
qpopper-4.0.5-r2.patch

Patch to the current qopper-4.0.5-r2.ebuild to apply both CAN patches.
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-08 05:04:23 UTC
Calling individual devs to test. Please do NOT commit anything to CVS. Please test the patches provided on this bug and report back here.

x86: langthang
sparc: gustavoz@gentoo.org
Comment 9 Fernando J. Pereda (RETIRED) gentoo-dev 2005-05-09 11:58:28 UTC
Created attachment 58505 [details]
qpopper-4.0.5-r2.ebuild

I attach updated ebuild since gustavoz had problems with the patch I sent.
Comment 10 Tuan Van (RETIRED) gentoo-dev 2005-05-09 15:20:11 UTC
tested with normal (110) and tls (995) using xinetd on x86.
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2005-05-10 08:12:49 UTC
Looks good on sparc too.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-10 09:05:16 UTC
Thx everyone.

CC'ing Stefan so he can draft.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-10 09:43:57 UTC
Ferdy URL apparently has changed to: http://www.eudora.com/products/unsupported/qpopper/index.html
Comment 14 Fernando J. Pereda (RETIRED) gentoo-dev 2005-05-10 11:13:24 UTC
Ok, done. Thanks

Cheers,
Ferdy
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-13 22:10:30 UTC
Reporter contacted again for clarification on disclosure date.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-05-20 08:50:38 UTC
Coordinated Release set to Monday 2005/05/23
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-23 12:13:04 UTC
Ferdy, we have a go, please commit. 
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-23 13:04:29 UTC
GLSA 200505-17