Debian Bug report logs - #64649
qpopper: security hole

Package: qpopper; Maintainer for qpopper is William Pitcock <nenolod@sacredspiral.co.uk>;

Reported by: Joey Hess <joey@kitenet.net>

Date: Thu, 25 May 2000 06:03:33 UTC

Severity: grave

Done: Miquel van Smoorenburg <miquels@cistron.nl>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>:
Bug#64649; Package qpopper.

Acknowledgement sent to Joey Hess <joey@kitenet.net>:
New Bug report received and forwarded. Copy sent to Miquel van Smoorenburg <miquels@cistron.nl>.

Message #5 received at submit@bugs.debian.org:

From: Joey Hess <joey@kitenet.net>
To: submit@bugs.debian.org
Subject: qpopper: security hole
Date: Wed, 24 May 2000 22:46:25 -0700 (PDT)
Package: qpopper
Version: N/A
Severity: grave

As seen at http://lwn.net/2000/0525/a/qpopper.html, qpopper 2.53 has a
security hole that lets a remote user gain shell access. This is not the
same as the fgets() hole in bug #63730.

There is a 1 line fix at the bottom of the above url. Note that they get
the file to patch wrong! The actual vulnerable lines are these:

pop_uidl.c:     return (pop_msg (p,POP_SUCCESS, buffer));
pop_uidl.c:     return (pop_msg (p,POP_SUCCESS, buffer));

-- System Information
Debian Release: 2.2
Kernel Version: Linux kite 2.2.14 #1 Mon Jan 10 21:43:42 PST 2000 i686 unknown
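The two lines quoted above hand `buffer`, which is assembled from message data, to `pop_msg()` as its printf-style format argument; the one-line fix the report refers to is to pass a constant format and supply `buffer` as the data. The following C program is an added example, not code from qpopper or from this bug log: `reply_msg()` is a constructed stand-in for a printf-style reply routine, and the UIDL-like sample line is constructed. It uses only the `%%` escape, which has defined behaviour, to show that the vulnerable call interprets the text while the fixed call copies it verbatim.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a printf-style POP3 reply routine: writes
 * "+OK " or "-ERR " followed by the formatted text into `out`.
 * Returns 0 on success, -1 if the reply would not fit. */
static int reply_msg(char *out, size_t outsz, int ok, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outsz, "%s ", ok ? "+OK" : "-ERR");
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    va_start(ap, fmt);
    int m = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= outsz - (size_t)n)
        return -1;
    return 0;
}

/* Vulnerable pattern, as in the quoted pop_uidl.c lines: text derived
 * from a mail message becomes the format string, so every '%' sequence
 * in it is interpreted by the formatting engine. Any conversion other
 * than "%%" would read arguments that were never passed. */
int reply_vulnerable(char *out, size_t outsz, const char *buffer)
{
    return reply_msg(out, outsz, 1, buffer);
}

/* Hardened pattern (the one-line fix): a constant "%s" format with the
 * message-derived text as its argument, so '%' is copied literally. */
int reply_fixed(char *out, size_t outsz, const char *buffer)
{
    return reply_msg(out, outsz, 1, "%s", buffer);
}

/* Defensive audit helper: returns 1 if untrusted text contains a '%'
 * and therefore must never reach a format parameter directly. */
int looks_like_format(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed UIDL-style response text carrying a "%%" sequence. */
    const char *line = "1 user@example.invalid 100%%";
    char buf[128];

    if (reply_vulnerable(buf, sizeof buf, line) == 0)
        printf("vulnerable: %s\n", buf);   /* "%%" collapsed to "%" */
    if (reply_fixed(buf, sizeof buf, line) == 0)
        printf("fixed:      %s\n", buf);   /* text copied unchanged */
    printf("untrusted text contains '%%': %d\n", looks_like_format(line));
    return 0;
}
```

Tagging the real reply routine with `__attribute__((format(printf, N, M)))` and compiling with `-Wformat-security` makes GCC flag a call whose format argument is not a string literal, which catches this pattern before it ships.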




Reply sent to Miquel van Smoorenburg <miquels@cistron.nl>:
You have taken responsibility.

Notification sent to Joey Hess <joey@kitenet.net>:
Bug acknowledged by developer.

Message #10 received at 64649-close@bugs.debian.org:

From: Miquel van Smoorenburg <miquels@cistron.nl>
To: 64649-close@bugs.debian.org
Subject: Bug#64649: fixed in qpopper 2.53-5
Date: Fri, 26 May 2000 10:35:56 -0400
We believe that the bug you reported is fixed in the latest version of
qpopper, which has been installed in the Debian FTP archive:
qpopper_2.53-5.dsc
  to dists/potato/main/source/mail/qpopper_2.53-5.dsc
  replacing qpopper_2.53-4.dsc
qpopper_2.53-5.dsc
  to dists/woody/main/source/mail/qpopper_2.53-5.dsc
  replacing qpopper_2.53-4.dsc
qpopper_2.53-5_i386.deb
  to dists/potato/main/binary-i386/mail/qpopper_2.53-5.deb
  replacing qpopper_2.53-4.deb
qpopper_2.53-5_i386.deb
  to dists/woody/main/binary-i386/mail/qpopper_2.53-5.deb
  replacing qpopper_2.53-4.deb
qpopper_2.53-5.diff.gz
  to dists/potato/main/source/mail/qpopper_2.53-5.diff.gz
  replacing qpopper_2.53-4.diff.gz
qpopper_2.53-5.diff.gz
  to dists/woody/main/source/mail/qpopper_2.53-5.diff.gz
  replacing qpopper_2.53-4.diff.gz

Note that this package is not part of the released stable Debian
distribution.  It may have dependencies on other unreleased software,
or other instabilities.  Please take care if you wish to install it.
The update will eventually make its way into the next released Debian
distribution.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 64649@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miquel van Smoorenburg <miquels@cistron.nl> (supplier of updated qpopper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----

Format: 1.6
Date: Thu, 25 May 2000 14:53:36 +0200
Source: qpopper
Binary: qpopper
Architecture: source i386
Version: 2.53-5
Distribution: frozen unstable
Urgency: high
Maintainer: Miquel van Smoorenburg <miquels@cistron.nl>
Description: 
 qpopper    - Enhanced Post Office Protocol server (POP3).
Closes: 64602 64627 64649
Changes: 
 qpopper (2.53-5) frozen unstable; urgency=high
 .
   * Fix YET ANOTHER security hole that makes it possible to get a
     shell, even with "group mail" privileges. (closes: #64602, #64649, #64627).
     See http://www.securityfocus.com/vdb/bottom.html?vid=1242
     See also http://www.digibel.org/~b0f/advisors/b0f5-Qpopper.txt
Files: 
 753b232d7b350e8ad52467c450d6e717 584 mail optional qpopper_2.53-5.dsc
 2d4d3d9572126a203d0fe6795ccd4d9b 11707 mail optional qpopper_2.53-5.diff.gz
 ff2068423e682d9a0794f77cd7772aca 52342 mail optional qpopper_2.53-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1

iQB1AwUBOS00DViLscT2F1RZAQF0bgMAlZMFV5HsgRRdG8rlmr9qXb+y/uvZk2gt
ptLsnGTCCv0ubatdrhyDYuWKnMZAuQI9NYD5ISoutZCMooaC5dMgz9XCh2vUX0zg
x8PSD30Yd16CohbCbStTXTUVqDcRdy+T
=pYy8
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:28:40 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.