It is entirely possible that Qualcomm knew about it for months and have been unable to reveal it.
The first I heard of the problem was this morning.
I've not been able to get a shell, but I have been able to get Qpopper to crash using the exploit. A fixed Qpopper (version 4.0.5fc2) is available now at <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/>. I plan on releasing 4.0.5 final tomorrow unless I hear of any problems with 4.0.5fc2.
--
Randall Gellens
Opinions are personal; facts are suspect; I speak for myself only
-------------- Randomly-selected tag: ---------------
If you can't be a good example, at least be a horrible warning.
