Debian Security Advisory

qpopper -- buffer overflow in qpopper

Date Reported:
15 Dec 1999
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 133.
In Mitre's CVE dictionary: CVE-1999-0006.
More information:
A buffer overflow was reported in the beta of Qualcomm's qpopper version 3. This version of qpopper is not included in Debian; the version of qpopper shipped with Debian GNU/Linux 2.1 (qpopper 2.3-4) is not vulnerable to the overflow.

The vulnerability is caused by not bounds checking the input buffers, when using vsprintf or sprintf. For details see the Stuttgart BugTraq archive or the SecurityFocus archive. Both links refer to the same email from Qpopper Support at Qualcomm and include the original bug report from Mixter.