DSA-259-1 qpopper -- mail user privilege escalation

Debian Security Advisory

DSA-259-1 qpopper -- mail user privilege escalation

Date Reported:

12 Mar 2003

Affected Packages:

qpopper

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2003-0143.

More information:

Florian Heinz heinz@cronon-ag.de posted to the Bugtraq mailing list an exploit for qpopper based on a bug in the included vsnprintf implementation. The sample exploit requires a valid user account and password, and overflows a string in the pop_msg() function to give the user "mail" group privileges and a shell on the system. Since the Qvsnprintf function is used elsewhere in qpopper, additional exploits may be possible.

The qpopper package in Debian 2.2 (potato) does not include the vulnerable snprintf implementation. For Debian 3.0 (woody) an updated package is available in version 4.0.4-2.woody.3. Users running an unreleased version of Debian should upgrade to 4.0.4-9 or newer. We recommend you upgrade your qpopper package immediately.

Fixed in:

Debian GNU/Linux 3.0 (stable)

Source:

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3.diff.gz

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4.orig.tar.gz

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3.dsc

alpha (DEC Alpha):

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3_alpha.deb

http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.3_alpha.deb

arm (ARM):

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3_arm.deb

http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.3_arm.deb

hppa (HP PA RISC):

http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.3_hppa.deb

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3_hppa.deb

i386 (Intel ia32):

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3_i386.deb

http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.3_i386.deb

ia64 (Intel ia64):

http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.3_ia64.deb

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3_ia64.deb

m68k (Motorola Mc680x0):

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3_m68k.deb

http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.3_m68k.deb

mips (MIPS (Big Endian)):

http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.3_mips.deb

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3_mips.deb

mipsel (MIPS (Little Endian)):

http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.3_mipsel.deb

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3_mipsel.deb

powerpc (PowerPC):

http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.3_powerpc.deb

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3_powerpc.deb

s390 (IBM S/390):

http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.3_s390.deb

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3_s390.deb

sparc (Sun SPARC/UltraSPARC):

http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.3_sparc.deb

http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.3_sparc.deb

MD5 checksums of the listed files are available in the original advisory.