OSVDB ID: 16811

Title: Qpopper Unspecified Privileged File Creation

Dates

Disclosure: May 23, 2005
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

Qpopper contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when Qpopper fails to set a proper umask for its process, causing it to create unspecified group- and world-writable files, which could contribute to further attacks, including privilege escalation.

Classification

Location: Local Access Required
Attack Type: Input Manipulation, Misconfiguration, Race Condition
Impact: Loss of Confidentiality
Exploit: Exploit Rumored / Private
Disclosure: OSVDB Verified

Solution

Upgrade to version 4.08 or higher, as it has been reported to fix this vulnerability. In addition, Gentoo and Debian have released patches for some older versions.

Products

QUALCOMM Incorporated

Qpopper

4.0.7
4.0.6
4.0.5
4.0.4
4.0.3
3.1
3.1.2
3.0
3.0.1
3.0.2

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/36218