Debian Security Advisory

DSA-259-1 qpopper -- mail user privilege escalation

Date Reported:
12 Mar 2003
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2003-0143.
More information:

Florian Heinz posted to the Bugtraq mailing list an exploit for qpopper based on a bug in the included vsnprintf implementation. The sample exploit requires a valid user account and password, and overflows a string in the pop_msg() function to give the user "mail" group privileges and a shell on the system. Since the Qvsnprintf function is used elsewhere in qpopper, additional exploits may be possible.

The qpopper package in Debian 2.2 (potato) does not include the vulnerable snprintf implementation. For Debian 3.0 (woody) an updated package is available in version 4.0.4-2.woody.3. Users running an unreleased version of Debian should upgrade to 4.0.4-9 or newer. We recommend you upgrade your qpopper package immediately.

Fixed in:

Debian GNU/Linux 3.0 (stable)

alpha (DEC Alpha):
arm (ARM):
hppa (HP PA RISC):
i386 (Intel ia32):
ia64 (Intel ia64):
m68k (Motorola Mc680x0):
mips (MIPS (Big Endian)):
mipsel (MIPS (Little Endian)):
powerpc (PowerPC):
s390 (IBM S/390):
sparc (Sun SPARC/UltraSPARC):

MD5 checksums of the listed files are available in the original advisory.