SecurityTracker.com

Category:   Application (E-mail Server)  >   Qpopper
Vendors:   Qualcomm
Qualcomm's QPopper POP3 E-mail Server Lets Remote Users Execute Arbitrary Code with Root-Level Privileges, Giving Root-Level Access
SecurityTracker Alert ID:  1001670
SecurityTracker URL:  http://securitytracker.com/id/1001670
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 2 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): all versions of 4.0 prior to 4.0.3
Description:   A vulnerability has been reported in the QPopper POP3 e-mail server that allows remote users to execute arbitrary code on the server, typically with root-level privileges.

The vulnerability is reportedly due to a buffer overflow. No other details were released by Qualcomm.

Impact:   A remote user can cause arbitrary code to be executed by the POP3 server, which generally has root-level privileges, allowing the remote user to gain root-level access to the server.
Solution:   The vendor has released a fixed version. Qpopper 4.0.3 is available at: ftp://ftp.qualcomm.com/eudora/servers/unix/popper/
Vendor URL:  www.eudora.com/qpopper/
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Caldera/SCO Issues Fix) Qualcomm's QPopper POP3 E-mail Server Lets Remote Users Execute Arbitrary Code with Root-Level Privileges, Giving Root-Level Access   (sco-security@caldera.com)
The vendor has released a fix.



 Source Message Contents

Date:  Sat, 2 Jun 2001 10:37:44 -0500 (CDT)
Subject:  Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)



Forwarded from the qpopper list.

---------- Forwarded message ----------
Date: Fri, 1 Jun 2001 23:28:20 -0700
From: Qpopper Support <qpopper@qualcomm.com>
To: Qpopper Public List <qpopper@lists.pensive.org>,
     qpopper-announce@rohan.qualcomm.com
Cc: qpopper@qualcomm.com
Subject: Qpopper 4.0.3 **** Fixes Buffer Overflow ****

Qpopper 4.0.3 is available at
<ftp://ftp.qualcomm.com/eudora/servers/unix/popper/>.


**** 4.0.3 FIXES A BUFFER OVERFLOW PRESENT IN ALL VERSIONS OF 4.0 --
PLEASE UPGRADE IMMEDIATELY ***


Changes from 4.0.2 to 4.0.3:
----------------------------
  1.  Don't call SSL_shutdown unless we tried to negotiate an
      SSL session.  (As suggested by Kenneth Porter.)
  2.  Fix buffer overflow  (reported by Gustavo Viscaino).
  3.  Fixed empty password treated as empty command (patch
      submitted by Michael Smith and others).
  4.  Added patch by Carles Xavier Munyoz to fix erroneous
      scanning for \n in getline().
  5.  Fix from Arvin Schnell for warnings on 64-bit systems.
  6.  Added patch by Clifton Royston to change error message
      for nonauthfile and authfile tests.
  7.  Added 'uw-kludge' as synonym for 'uw-kluge'.


 
 



Copyright 2013, SecurityGlobal.net LLC