Re: Questions about Qpopper security
At 5/24/2005 06:00 PM, Daniel Senie wrote:

4.0.7 certainly had the fix, as I did some testing to verify it on Linux. Randall probably would know better where the code first was merged in. 4.0.8 also has it. See my other note for the limited case where it was even an issue. Most ISP implementations of qpopper likely were never vulnerable at all.

Thanks. I read through the changes too quickly as Tim pointed out that I missed the following in the changes from 4.0.5 to 4.0.6:

25. Process user and spool config files as user, not as root (fix security hole reported by Jens Steube)
Re: Questions about Qpopper security
At 06:53 PM 5/24/2005, Mike wrote:

At 5/24/2005 03:31 PM, Ken A wrote:

The email you forwarded gives you the answer:

    -------------------------------------------------------------------
         Package       /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
      1  net-mail/qpopper    < 4.0.5-r3                    >= 4.0.5-r3

versions 4.05-rc3 and up are not vulnerable.

I saw that in the advisory, but it still left me unsure as to whether non-packaged versions of Qpopper were available because:

1) There are sometimes vulnerabilities in packages that do not exist when one compiles from source

2) There is no source package with the version 4.0.5-r3

3) The two CVE entries for the vulnerabilities are so new (April 18, 2005) that the entries do not contain any detail about the vulnerabilities, suggesting that the vulnerabilities may not have been known when beta two of Qpopper 4.0.6 was released in Sept. 2004 or even in 4.0.7, which was released on April 25, 2005.

4.0.7 certainly had the fix, as I did some testing to verify it on Linux. Randall probably would know better where the code first was merged in. 4.0.8 also has it. See my other note for the limited case where it was even an issue. Most ISP implementations of qpopper likely were never vulnerable at all.
Re: Questions about Qpopper security
At 06:18 PM 5/24/2005, Mike wrote:

Hi all,

I just came across this security advisory from Gentoo Linux today and was
wondering whether these vulnerabilities affect the latest release (4.0.8)
of Qpopper. This is the first time in a VERY long time that I've seen a
security advisory affecting Qpopper so kudos to the developers for that.

I've checked the changelog at
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/Changes and didn't find
any notes describing fixes of the vulnerabilities similar to those
described in the security advisory below (not dropping privileges to
process local files from normal users (CAN-2005-1151) and creating group
or world writeable files (CAN-2005-1152).)

So,

1. Does Qpopper 4.0.8 from
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/ have the
vulnerabilities described in the Gentoo security advisory or is this a
Gentoo-specific issue?

2. If not, how long before we can expect a new release to address the
vulnerabilities below.

The issue was addressed in the recent releases (including 4.0.8). Unless
you were using per-user config files ('set user-options' in a config file),
no risk existed.
Re: Questions about Qpopper security
The email you forwarded gives you the answer:

    -------------------------------------------------------------------
         Package       /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
      1  net-mail/qpopper    < 4.0.5-r3                    >= 4.0.5-r3

versions 4.05-rc3 and up are not vulnerable.

Ken

Mike wrote:

Hi all,

I just came across this security advisory from Gentoo Linux today and was wondering whether these vulnerabilities affect the latest release (4.0.8) of Qpopper. This is the first time in a VERY long time that I've seen a security advisory affecting Qpopper so kudos to the developers for that.

I've checked the changelog at ftp://ftp.qualcomm.com/eudora/servers/unix/popper/Changes and didn't find any notes describing fixes of the vulnerabilities similar to those described in the security advisory below (not dropping privileges to process local files from normal users (CAN-2005-1151) and creating group or world writeable files (CAN-2005-1152).)

So,

1. Does Qpopper 4.0.8 from ftp://ftp.qualcomm.com/eudora/servers/unix/popper/ have the vulnerabilities described in the Gentoo security advisory or is this a Gentoo-specific issue?

2. If not, how long before we can expect a new release to address the vulnerabilities below.

Thanks!

security advisory below

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200505-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Qpopper: Multiple Vulnerabilities
      Date: May 23, 2005
      Bugs: #90622
        ID: 200505-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Qpopper contains two vulnerabilities allowing an attacker to overwrite arbitrary files and create files with insecure permissions.

Background
==========

Qpopper is a widely used server for the POP3 protocol.

Affected packages
=================

    -------------------------------------------------------------------
         Package       /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
      1  net-mail/qpopper    < 4.0.5-r3                    >= 4.0.5-r3

Description
===========

Jens Steube discovered that Qpopper doesn't drop privileges to process local files from normal users (CAN-2005-1151). The upstream developers discovered that Qpopper can be forced to create group or world writeable files (CAN-2005-1152).

Impact
======

A malicious local attacker could exploit Qpopper to overwrite arbitrary files as root or create new files which are group or world writeable.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Qpopper users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/qpopper-4.0.5-r3"

References
==========

  [ 1 ] CAN-2005-1151
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1151
  [ 2 ] CAN-2005-1152
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1152
Re: Questions about Qpopper security
At 5/24/2005 03:31 PM, Ken A wrote:

The email you forwarded gives you the answer:

    -------------------------------------------------------------------
         Package       /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
      1  net-mail/qpopper    < 4.0.5-r3                    >= 4.0.5-r3

versions 4.05-rc3 and up are not vulnerable.

I saw that in the advisory, but it still left me unsure as to whether non-packaged versions of Qpopper were available because:

1) There are sometimes vulnerabilities in packages that do not exist when one compiles from source

2) There is no source package with the version 4.0.5-r3

3) The two CVE entries for the vulnerabilities are so new (April 18, 2005) that the entries do not contain any detail about the vulnerabilities, suggesting that the vulnerabilities may not have been known when beta two of Qpopper 4.0.6 was released in Sept. 2004 or even in 4.0.7, which was released on April 25, 2005.
Questions about Qpopper security
Hi all,

I just came across this security advisory from Gentoo Linux today and was wondering whether these vulnerabilities affect the latest release (4.0.8) of Qpopper. This is the first time in a VERY long time that I've seen a security advisory affecting Qpopper so kudos to the developers for that.

I've checked the changelog at ftp://ftp.qualcomm.com/eudora/servers/unix/popper/Changes and didn't find any notes describing fixes of the vulnerabilities similar to those described in the security advisory below (not dropping privileges to process local files from normal users (CAN-2005-1151) and creating group or world writeable files (CAN-2005-1152).)

So,

1. Does Qpopper 4.0.8 from ftp://ftp.qualcomm.com/eudora/servers/unix/popper/ have the vulnerabilities described in the Gentoo security advisory or is this a Gentoo-specific issue?

2. If not, how long before we can expect a new release to address the vulnerabilities below.

Thanks!

security advisory below

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200505-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Qpopper: Multiple Vulnerabilities
      Date: May 23, 2005
      Bugs: #90622
        ID: 200505-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Qpopper contains two vulnerabilities allowing an attacker to overwrite arbitrary files and create files with insecure permissions.

Background
==========

Qpopper is a widely used server for the POP3 protocol.

Affected packages
=================

    -------------------------------------------------------------------
         Package       /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
      1  net-mail/qpopper    < 4.0.5-r3                    >= 4.0.5-r3

Description
===========

Jens Steube discovered that Qpopper doesn't drop privileges to process local files from normal users (CAN-2005-1151). The upstream developers discovered that Qpopper can be forced to create group or world writeable files (CAN-2005-1152).

Impact
======

A malicious local attacker could exploit Qpopper to overwrite arbitrary files as root or create new files which are group or world writeable.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Qpopper users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/qpopper-4.0.5-r3"

References
==========

  [ 1 ] CAN-2005-1151
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1151
  [ 2 ] CAN-2005-1152
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1152
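The two bug classes named in the advisory above (processing a user's files without dropping privileges, and creating group or world writeable files), shown in hardened form as an added C example. It is not Qpopper's code and not part of the thread; the function names `open_as_user` and `create_private_file` and the file path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open a user-controlled file with that user's
 * effective uid/gid, then restore the caller's. Returns fd or -1.
 * A root daemon would also reset supplementary groups; omitted here. */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd;

    /* Group first: once euid is unprivileged, setegid() may be refused. */
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) { (void)setegid(saved_gid); return -1; }
    /* O_NOFOLLOW refuses a symlink planted as the final path component. */
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    /* Restore euid before egid; report failure if either step fails. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

/* Hypothetical helper: create a new file with owner-only permissions,
 * whatever umask was inherited. Returns fd, or -1 if the path exists. */
int create_private_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    /* Verify the result: no group or world permission bits at all. */
    if (fstat(fd, &st) != 0 || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}

int main(void)
{
    const char *path = "/tmp/qpopper_added_example.tmp"; /* constructed */
    int wfd = create_private_file(path);
    int rfd = (wfd >= 0) ? open_as_user(path, getuid(), getgid()) : -1;
    if (wfd >= 0) close(wfd);
    if (rfd >= 0) close(rfd);
    unlink(path);
    return (wfd >= 0 && rfd >= 0) ? 0 : 1;
}
```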
