Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 93254 - dev-java/sun-javamail-bin MimeMessage Information Disclosure (CAN-2005-1682)
Summary: dev-java/sun-javamail-bin MimeMessage Information Disclosure (CAN-2005-1682)
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.securityfocus.com/bid/13683
Whiteboard: B4 [upstream+]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-19 14:11 UTC by Adir Abraham
Modified: 2005-09-03 02:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Adir Abraham 2005-05-19 14:11:35 UTC
From SecurityFocus.com:

The MimeMessage method in the Sun JavaMail API does not perform sufficient
validation on message number values that are passed to the method during
requests. An attacker that can successfully authenticate to an email server
implementation that is written using the Sun JavaMail API, may exploit this
issue to make requests for arbitrary email messages that are stored on the server.

--

I am not sure if it actually effects us at the moment, since it says that
versions 1.3 and 1.3.2 are vulnerable. In the tree we have version 1.3.1. Please
decide what to do with the bug and check if it effects 1.3.1 too.

Reproducible: Always
Steps to Reproduce:
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-19 14:16:56 UTC
java please advise. 
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 06:13:35 UTC
No fix yet from Sun.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 09:48:15 UTC
1.3.3 is in "early release" stage. Maybe it contains the fixorz.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-09-02 02:32:57 UTC
1.3.3 is out, and apparently the thing wasn't fixed :
http://java.sun.com/products/javamail/CHANGES.txt

I think we should close this one as CANTFIX and declare this a feature, not a
vulnerability. Servers using JavaMail for implementation can put protections in
place to avoid the problem...
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-09-03 02:39:52 UTC
Since upstream doesn't consider this a vulnerability, we'll suppose tey consider
it is a feature to be able to request any messageno as any user, and the task of
the API implementer to put additional safeguards if needed.

Closing as CANTFIX. Reopen if you disagree.