Emacs movemail Format String Flaw May Let Remote POP Servers Execute Arbitrary Code
|
SecurityTracker Alert ID: 1013100
|
SecurityTracker URL: http://securitytracker.com/id/1013100
|
CVE Reference:
CAN-2005-0100
|
Date: Feb 7 2005
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 21.4.17
|
Description:
A vulnerability was reported in Emacs in the 'movemail' utility. A remote user may be able to execute arbitrary code on the target system.
The vendor reported that a remote POP3 mail server can send a specially crafted response to a connected movemail client to trigger a format string flaw and execute arbitrary code on the target client. The code will execute with the privileges of the movemail process. On some systems, movemail is configured with set group id (setgid) 'mail' group privileges.
The flaw resides in 'movemail.c'.
Max Vozeler is credited with discovering this flaw.
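
The bug class described here, and the fix pattern named in the changelog entry quoted in this advisory (pass the error string as a format parameter, not as the format string), shown as an added example. This is not the movemail.c code; `report_error`, the two wrapper functions and the sample reply are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_msg[256];  /* last formatted message, kept for inspection */

/* Hypothetical printf-style reporter standing in for the client's own. */
static int report_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
    return n;  /* length the message would have had if not truncated */
}

/* BEFORE: text from the POP server is used as the format string, so every
 * '%' directive in it is interpreted by the formatter. */
static int report_server_error_unsafe(const char *server_text)
{
    return report_error(server_text);
}

/* AFTER: constant format string; server text is passed as a parameter and
 * is only ever copied, never interpreted. */
static int report_server_error_fixed(const char *server_text)
{
    return report_error("%s", server_text);
}

int main(void)
{
    /* Constructed server reply. "%%" takes no argument, so it shows the
     * interpretation without touching the (empty) argument list. */
    const char *reply = "-ERR mailbox 100%% full";

    report_server_error_unsafe(reply);
    printf("unsafe: %s\n", last_msg);  /* the "%%" was collapsed to "%" */
    report_server_error_fixed(reply);
    printf("fixed:  %s\n", last_msg);  /* reply text reproduced verbatim */
    return 0;
}
```

Declaring the reporter with the GCC/Clang `format(printf, 1, 2)` function attribute lets `-Wformat-security` flag the first form at compile time.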
|
Impact:
A remote POP3 server can execute arbitrary code on a connected client with the privileges of the movemail process.
|
Solution:
A fixed version of XEmacs (21.4.17) is available at:
ftp://ftp.xemacs.org/pub/xemacs/xemacs-21.4
|
Vendor URL: www.gnu.org/software/emacs/emacs.html
|
Cause:
Input validation error, State error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 7 Feb 2005 10:51:39 -0500
Subject: http://list-archive.xemacs.org/xemacs-announce/200502/msg00001.html
|
> * movemail.c (popmail): Pass error string as format parameter
> instead of as part of format string. Security fixes for
> CAN-2005-0100.