Debian 安全報告

DSA-197-1 courier -- 暫存器溢位

報告日期:
2002/11/15
受影響的軟體:
courier
可被襲擊:
參考的安全性資料庫:
在 Mitre's CVE 的目錄中: CVE-2002-1311.
更詳盡的資訊:

在 Courier sqwebmail 套件中發現一個問題。Courier sqwebmail 是一個 CGI 程式,能透過它取得本地端存取郵件的權限。這個程式啟動時,會在某種情形下來不及阻止不正確的存取權限,讓本地端使用者能透過 shell 執行 sqwebmail 檔並讀取本地端系統中的任何檔案。

這個問題已經在目前的穩定版 (woody) 的 0.37.3-2.3 版,及開發中版本 (sid) 的 0.40.0-1 版中修正。舊的穩定版 (potato) 不包含 Courier sqwebmail 套件。courier-ssl 套件也不會被影響到,因為它們不使用 sqwebmail 套件。

我們建議您即刻更新您的 sqwebmail 套件。

修改於:

Debian GNU/Linux 3.0 (woody)

來源:
http://security.debian.org/pool/updates/main/c/courier/courier_0.37.3-2.3.diff.gz
http://security.debian.org/pool/updates/main/c/courier/courier_0.37.3-2.3.dsc
http://security.debian.org/pool/updates/main/c/courier/courier_0.37.3.orig.tar.gz
與硬體無關的元件:
http://security.debian.org/pool/updates/main/c/courier/courier-doc_0.37.3-2.3_all.deb
Alpha:
http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.1_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_alpha.deb
http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_arm.deb
http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_ia64.deb
http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_ia64.deb
HP Precision:
http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_hppa.deb
http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_m68k.deb
http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_mips.deb
http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_mipsel.deb
http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_powerpc.deb
http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_s390.deb
http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_sparc.deb
http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_sparc.deb

列出的檔案的 MD5 檢查可以由 original advisory 取得。