qpopper 4.0.5 and earlier does not properly drop privileges before processing certain user-supplied files, which allows local users to overwrite or create arbitrary files as root.

This advisory adds security support for the stable amd64 distribution.
It covers all security updates since the release of sarge, which were missing updated packages for the not yet official amd64 port. Future security advisories will include updates for this port as well.

Qpopper was handling user files while running as root. Qpopper could also be tricked into overwriting system files. CVE-2005-1151 and CVE-2005-1152 have been assigned to these issues.

Jens Steube reports that qpopper is vulnerable to a privilege escalation vulnerability. qpopper does not properly drop root privileges so that user-supplied configuration and trace files can be processed with root privileges. This could allow a local attacker to create or modify arbitrary files.

qpopper is also affected by improper umask settings which could allow users to create group or world-writeable files, possibly allowing an attacker to overwrite arbitrary files.

This advisory does only cover updated packages for Debian 3.0 alias woody. For reference below is the original advisory text :

  Two bugs have been discovered in qpopper, an enhanced Post Office   Protocol (POP3) server. The Common Vulnerabilities and Exposures   project identifies the following problems :

    - CAN-2005-1151       Jens Steube discovered that while processing local       files owned or provided by a normal user privileges       weren't dropped, which could lead to the overwriting       or creation of arbitrary files as root.

    - CAN-2005-1152

      The upstream developers noticed that qpopper could be       tricked to creating group- or world-writable files.

The remote host is affected by the vulnerability described in GLSA-200505-17 (Qpopper: Multiple Vulnerabilities)

    Jens Steube discovered that Qpopper doesn't drop privileges to     process local files from normal users (CAN-2005-1151). The upstream     developers discovered that Qpopper can be forced to create group or     world writeable files (CAN-2005-1152).
  Impact :

    A malicious local attacker could exploit Qpopper to overwrite     arbitrary files as root or create new files which are group or world     writeable.
  Workaround :

    There is no known workaround at this time.

According to its banner, the remote host is running a version of the Qpopper POP3 server that suffers from two local, insecure file handling vulnerabilities.  First, it fails to properly drop root privileges when processing certain local files, which could lead to overwriting or creation of arbitrary files as root.  And second, it fails to set the process umask, potentially allowing creation of group- or world-writable files.

The remote host is running Qpopper, a POP3 mail server for Unix-type systems.
This version of Qpopper is vulnerable to multiple local configuration flaws.
A local attacker exploiting these flaws would be able to elevate privileges
on the Qpopper system.

ID	Name	Product	Family	Severity
57528	Debian DSA-773-1 : amd64 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
41072	SuSE9 Security Update : qpopper (YOU Patch Number 10045)	Nessus	SuSE Local Security Checks	high
21530	FreeBSD : qpopper -- multiple privilege escalation vulnerabilities (eb29a575-3381-11da-8340-000e0c2e438a)	Nessus	FreeBSD Local Security Checks	high
18515	Debian DSA-728-2 : qpopper - missing privilege release	Nessus	Debian Local Security Checks	high
18381	GLSA-200505-17 : Qpopper: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
18361	Qpopper < 4.0.6 Multiple Insecure File Handling Local Privilege Escalation	Nessus	Misc.	high
2935	Qualcomm Qpopper < 4.0.5 Multiple Local Privilege Escalation	Nessus Network Monitor	POP Server	high

Detections

Analytics

CVE-2005-1151

medium

Tenable Plugins

critical

high

high

high

high

high

high