Debian Bug report logs - #64649
qpopper: security hole

Package: qpopper; Maintainer for qpopper is William Pitcock <>;

Reported by: Joey Hess <>

Date: Thu, 25 May 2000 06:03:33 UTC

Severity: grave

Done: Miquel van Smoorenburg <>

Bug is archived. No further changes may be made.


Report forwarded to, Miquel van Smoorenburg <>:
Bug#64649; Package qpopper. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <>:
New Bug report received and forwarded. Copy sent to Miquel van Smoorenburg <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Joey Hess <>
Subject: qpopper: security hole
Date: Wed, 24 May 2000 22:46:25 -0700 (PDT)
Package: qpopper
Version: N/A
Severity: grave

As seen at , qpopper 2.53 has a
security hole that lets a remote user gain shell access. This is not the
same as the fgets() hole in bug #63730.

There is a 1 line fix at the bottom of the above url. Note that they get
the file to patch wrong! The actual vulnerable lines are these:

pop_uidl.c:     return (pop_msg (p,POP_SUCCESS, buffer));
pop_uidl.c:     return (pop_msg (p,POP_SUCCESS, buffer));

-- System Information
Debian Release: 2.2
Kernel Version: Linux kite 2.2.14 #1 Mon Jan 10 21:43:42 PST 2000 i686 unknown
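
The two `pop_uidl.c` lines quoted in the report pass `buffer` as the last argument of `pop_msg()`. As an added example (not part of the original report and not qpopper's code), the sketch below assumes that argument is a printf-style format string and uses a hypothetical `reply()` helper to contrast data in the format position with the usual hardening, a constant `"%s"` format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style reply helper such as the
 * pop_msg() call quoted above; this is not qpopper's code. */
int reply(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return n;
}

/* Pattern from the report: data placed in the format-string position. */
int reply_unsafe(char *out, size_t outlen, const char *buffer)
{
    return reply(out, outlen, buffer);
}

/* Hardened form: constant format, data passed only as an argument. */
int reply_safe(char *out, size_t outlen, const char *buffer)
{
    return reply(out, outlen, "%s", buffer);
}

int main(void)
{
    /* Constructed input. "%%" is the one directive that consumes no
     * argument, so the unsafe call stays well-defined here; any other
     * directive would make it read arguments that were never passed. */
    const char *buffer = "1 msgid-100%%-done";
    char a[64], b[64];

    reply_unsafe(a, sizeof a, buffer);  /* data interpreted: "%%" -> "%" */
    reply_safe(b, sizeof b, buffer);    /* data copied verbatim */
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return strcmp(b, buffer) != 0;
}
```

Declaring such a helper with GCC/Clang's `__attribute__((format(printf, 3, 4)))` and building with `-Wformat -Wformat-security` makes the compiler flag the `reply_unsafe()` pattern.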

Reply sent to Miquel van Smoorenburg <>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Miquel van Smoorenburg <>
Subject: Bug#64649: fixed in qpopper 2.53-5
Date: Fri, 26 May 2000 10:35:56 -0400

We believe that the bug you reported is fixed in the latest version of
qpopper, which has been installed in the Debian FTP archive:
  to dists/potato/main/source/mail/qpopper_2.53-5.dsc
  replacing qpopper_2.53-4.dsc
  to dists/woody/main/source/mail/qpopper_2.53-5.dsc
  replacing qpopper_2.53-4.dsc
  to dists/potato/main/binary-i386/mail/qpopper_2.53-5.deb
  replacing qpopper_2.53-4.deb
  to dists/woody/main/binary-i386/mail/qpopper_2.53-5.deb
  replacing qpopper_2.53-4.deb
  to dists/potato/main/source/mail/qpopper_2.53-5.diff.gz
  replacing qpopper_2.53-4.diff.gz
  to dists/woody/main/source/mail/qpopper_2.53-5.diff.gz
  replacing qpopper_2.53-4.diff.gz

Note that this package is not part of the released stable Debian
distribution.  It may have dependencies on other unreleased software,
or other instabilities.  Please take care if you wish to install it.
The update will eventually make its way into the next released Debian

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Miquel van Smoorenburg <> (supplier of updated qpopper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.6
Date: Thu, 25 May 2000 14:53:36 +0200
Source: qpopper
Binary: qpopper
Architecture: source i386
Version: 2.53-5
Distribution: frozen unstable
Urgency: high
Maintainer: Miquel van Smoorenburg <>
 qpopper    - Enhanced Post Office Protocol server (POP3).
Closes: 64602 64627 64649
 qpopper (2.53-5) frozen unstable; urgency=high
   * Fix YET ANOTHER security hole that makes it possible to get a
     shell, even with "group mail" privileges. (closes: #64602, #64649, #64627).
     See also
 753b232d7b350e8ad52467c450d6e717 584 mail optional qpopper_2.53-5.dsc
 2d4d3d9572126a203d0fe6795ccd4d9b 11707 mail optional qpopper_2.53-5.diff.gz
 ff2068423e682d9a0794f77cd7772aca 52342 mail optional qpopper_2.53-5_i386.deb




Debian bug tracking system administrator <>. Last modified: Mon Apr 21 06:28:40 2014; Machine Name:
