Debian Security Advisory
qpopper -- buffer overflow in qpopper
- Date Reported:
- 15 Dec 1999
- Affected Packages:
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 133.
In Mitre's CVE dictionary: CVE-1999-0006.
- More information:
A buffer overflow was reported in the beta of Qualcomm's qpopper version 3.
This version of qpopper is not included in Debian; the version of qpopper
shipped with Debian GNU/Linux 2.1 (qpopper 2.3-4) is not vulnerable
to the overflow.
The vulnerability is caused by not bounds checking the input buffers, when using vsprintf or sprintf. For details see the Stuttgart BugTraq archive or the SecurityFocus archive. Both links refer to the same email from Qpopper Support at Qualcomm and include the original bug report from Mixter.