Qpopper 2.53 remote problem, user can gain gid=mail (fwd)
Instead of the file pop_msg.c, which should be patched as mentioned in the advisory, it seems to be rather pop_uidl.c

Cheers, Peter
--
Peter Münster
http://gmv.spm.univ-rennes1.fr/~peter/

---------- Forwarded message ----------
Date: Tue, 23 May 2000 09:43:33 -800
From: Prizm <prizm@RESENTMENT.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Qpopper 2.53 remote problem, user can gain gid=mail

I have attached to this message the advisory with full details + exploit on this problem.

Prizm/b0f,
As some might have already heard, there's a security problem with qpopper shipped with SuSE-6.4 (read the message this one refers to).

Until there is an update for the pop package, the problem can be circumvented by using one of the other pop daemons that come with SuSE:

/usr/sbin/ipop2d
/usr/sbin/ipop3d
/usr/sbin/pop3d

In order for the other daemon to be used, change the respective line in /etc/inetd.conf from:

pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s

to read:

pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d

Those pop-daemons are not necessarily capable of the UIDL command, but browsers should work around this transparently.

On Wed, 24 May 2000, Peter Münster wrote:

> From: Peter Münster <peter@gmv.spm.univ-rennes1.fr>
> To: SuSE Securitylist <suse-security@suse.com>, cri-cert@univ-rennes1.fr
> Date: Wed, 24 May 2000 19:53:32 +0200 (CEST)
> Subject: [suse-security] Qpopper 2.53 remote problem, user can gain gid=mail (fwd)
>
> Instead of the file pop_msg.c, which should be patched as mentioned in the advisory, it seems to be rather pop_uidl.c
>
> Cheers, Peter

Best regards,
Roman.
--
Roman Drahtmüller
CC University of Freiburg
email: draht@uni-freiburg.de
"The best way to pay for a lovely moment is to enjoy it." - Richard Bach
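The inetd.conf change described in the message above, as an added example that is not part of the original thread: shell functions that list active inetd entries still handing connections to popper and print a copy of the file with the pop3 entry switched to ipop3d. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf for the workaround.
# Function names and the sample file below are constructed for illustration.

# Print active (uncommented) entries whose server or argument basename is "popper".
list_popper_services() {
    awk '!/^[ \t]*#/ && NF >= 6 {
        for (i = 6; i <= NF; i++) {
            n = split($i, part, "/")
            if (part[n] == "popper") { print; next }
        }
    }' "$1"
}

# Print the file with active pop3 entries that run popper switched to ipop3d
# behind tcpd, as in the message; comments and other services pass through.
swap_popper() {
    awk '!/^[ \t]*#/ && $1 == "pop3" && NF >= 6 {
        for (i = 6; i <= NF; i++) {
            n = split($i, part, "/")
            if (part[n] == "popper") {
                printf "%s %s %s %s %s /usr/sbin/tcpd ipop3d\n", $1, $2, $3, $4, $5
                next
            }
        }
    }
    { print }' "$1"
}

# Constructed sample configuration.
sample_conf() {
    cat <<'EOF'
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
# pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s
pop2 stream tcp nowait root /usr/sbin/tcpd ipop2d
pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s
EOF
}

conf=$(mktemp) && sample_conf > "$conf"
echo "Active entries still served by popper:"
list_popper_services "$conf"
echo "Rewritten configuration (review, install, then send inetd SIGHUP):"
swap_popper "$conf"
rm -f "$conf"
```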
Or, perhaps, all can upgrade to qpopper3.0.2

ftp://ftp.qualcomm.com/eudora/servers/unix/popper/

I don't know if the prob still exists. I'm assuming it has been fixed? Please correct me if I'm wrong.

kw

/* Keith Warno
** Developer & Sys Admin
** http://www.HaggleWare.com/
*/

----- Original Message -----
From: "Roman Drahtmueller" <draht@uni-freiburg.de>
To: <suse-security@suse.de>
Sent: 24 May 2000, Wednesday 14:24
Subject: Re: [suse-security] Qpopper 2.53 remote problem, user can gain gid=mail (fwd)

As some might have already heard, there's a security problem with qpopper shipped with SuSE-6.4 (read the message this one refers to).

Until there is an update for the pop package, the problem can be circumvented by using one of the other pop daemons that come with SuSE:

/usr/sbin/ipop2d
/usr/sbin/ipop3d
/usr/sbin/pop3d

In order for the other daemon to be used, change the respective line in /etc/inetd.conf from:

pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s

to read:

pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d

Those pop-daemons are not necessarily capable of the UIDL command, but browsers should work around this transparently.

On Wed, 24 May 2000, Peter Münster wrote:

> From: Peter Münster <peter@gmv.spm.univ-rennes1.fr>
> To: SuSE Securitylist <suse-security@suse.com>, cri-cert@univ-rennes1.fr
> Date: Wed, 24 May 2000 19:53:32 +0200 (CEST)
> Subject: [suse-security] Qpopper 2.53 remote problem, user can gain gid=mail (fwd)
>
> Instead of the file pop_msg.c, which should be patched as mentioned in the advisory, it seems to be rather pop_uidl.c
>
> Cheers, Peter

Best regards,
Roman.
--
Roman Drahtmüller
CC University of Freiburg
email: draht@uni-freiburg.de
"The best way to pay for a lovely moment is to enjoy it." - Richard Bach
Or use cucipop, which is what ships w/OpenBSD.

ftp://ftp.informatik.rwth-aachen.de/pub/packages/cucipop/

-- dorqus
> Or, perhaps, all can upgrade to qpopper3.0.2
> ftp://ftp.qualcomm.com/eudora/servers/unix/popper/
> I don't know if the prob still exists. I'm assuming it has been fixed?
> Please correct me if I'm wrong.
> kw /* Keith Warno
I couldn't verify this problem on a Sun under Solaris 2.6 running qpopper 3.0b14.

There is a license issue with the qpopper-3.x in conjunction with the SuSE distribution, if I remember correctly. You'd have to upgrade yourself.

Roman.
--
Roman Drahtmüller
CC University of Freiburg
email: draht@uni-freiburg.de
"The best way to pay for a lovely moment is to enjoy it." - Richard Bach
On Wed, 24 May 2000, Roman Drahtmueller wrote:
> > Or, perhaps, all can upgrade to qpopper3.0.2
> > ftp://ftp.qualcomm.com/eudora/servers/unix/popper/
> > I don't know if the prob still exists. I'm assuming it has been fixed?
> > Please correct me if I'm wrong.
> > kw /* Keith Warno
>
> I couldn't verify this problem on a Sun under Solaris 2.6 running qpopper 3.0b14.
> There is a license issue with the qpopper-3.x in conjunction with the SuSE distribution, if I remember correctly. You'd have to upgrade yourself.
As far as seen so far from our side, the license must be accepted by the user, which means that an update to 3.x is not too easy; maybe it could be handled with a setup program like OSS does that requires accepting the license before installing. Should be doable, but the idea was rejected (not by me).

I've passed the issue to Arvin Schnell (in Cc), maybe you can find a solution (e.g. a fix for 2.53). Arvin is looking at it, but I have no date when a fix will be available yet.

A question: Do we need qpopper *or* can we drop it and support the other pop daemons that are already in 6.4 instead?

cu, Bernd

Bernhard Kaindl, CD Team - Software
PPP - PPPoE - WvDial
SuSE - The Linux Experts
Schanzäckerstr. 10, D-90443 Nürnberg
Fax: 09 11/ 32 06 72 7
bernhard.kaindl@suse.de
On Wed, 24 May 2000, Roman Drahtmueller wrote:
> As some might have already heard, there's a security problem with qpopper shipped with SuSE-6.4 (read the message this one refers to).
> Until there is an update for the pop package, the problem can be

Our maintainer is currently building the update RPMs.

> circumvented by using one of the other pop daemons that come with SuSE:

Thanks for that...

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
participants (6)
- Bernhard Kaindl
- dorqus
- Keith Warno
- Peter Münster
- Roman Drahtmueller
- Thomas Biege