DSA-553-1 getmail -- symlink vulnerability

Debian Security Advisory

DSA-553-1 getmail -- symlink vulnerability

Date Reported:

27 Sep 2004

Affected Packages:

getmail

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 272561.
In Mitre's CVE dictionary: CVE-2004-0880, CVE-2004-0881.

More information:

A security problem has been discovered in getmail, a POP3 and APOP mail gatherer and forwarder. An attacker with a shell account on the victims host could utilise getmail to overwrite arbitrary files when it is running as root.

For the stable distribution (woody) this problem has been fixed in version 2.3.7-2.

For the unstable distribution (sid) this problem has been fixed in version 3.2.5-1.

We recommend that you upgrade your getmail package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:

http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7-2.dsc

http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7-2.diff.gz

http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7.orig.tar.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7-2_all.deb

MD5 checksums of the listed files are available in the original advisory.