Aviso de seguridad de Debian
DSA-728-2 qpopper -- olvido de liberar los privilegios
- Fecha del informe:
- 26 de may de 2005
- Paquetes afectados:
- qpopper
- Vulnerable:
- Sí
- Referencias a bases de datos de seguridad:
- En el diccionario CVE de Mitre: CVE-2005-1151, CVE-2005-1152.
- Información adicional:
-
Este aviso sólo hace referencia a los paquetes actualizados para Debian 3.0, alias woody. Para mayor información, a continuación se reproduce el aviso original:
Se han descubierto dos errores en qpopper, un servidor POP3 avanzado. El proyecto Common Vulnerabilities and Exposures identifica los siguientes problemas:
- CAN-2005-1151
Jens Steube descubrió que mientras se procesaban archivos locales que perteneciesen o fuesen proporcionados por un usuario normal, no se liberaban los privilegios, lo que podía conducir a la sobreescritura o a la creación de archivos arbitrarios como root.
- CAN-2005-1152
Los desarrolladores originales advirtieron que a qpopper se le podía engañar para que crease archivos que pudiera escribir el grupo o todos.
Para la distribución estable (woody), estos problemas se han corregido en la versión 4.0.4-2.woody.5.
Para la distribución en pruebas (sarge), estos problemas se han corregido en la versión 4.0.5-4sarge1.
Para la distribución inestable (sid), estos problemas se corregirán en la versión 4.0.5-4sarge1.
Le recomendamos que actualice el paquete qpopper·
- CAN-2005-1151
- Arreglado en:
-
Debian GNU/Linux 3.0 (woody)
- Fuentes:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5.dsc
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5.diff.gz
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4.orig.tar.gz
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_alpha.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_alpha.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_arm.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_arm.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_i386.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_i386.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_ia64.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_ia64.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_hppa.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_hppa.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_m68k.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_m68k.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_mips.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_mips.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_mipsel.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_mipsel.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_powerpc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_powerpc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_s390.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_s390.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_sparc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_sparc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_sparc.deb
Debian GNU/Linux 3.1 (sarge)
- Fuentes:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1.dsc
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1.diff.gz
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5.orig.tar.gz
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_alpha.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_alpha.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_arm.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_arm.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_i386.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_i386.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_ia64.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_ia64.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_hppa.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_hppa.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_m68k.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_m68k.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_mips.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mips.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_mipsel.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mipsel.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_powerpc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_powerpc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_s390.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_s390.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_sparc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_sparc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_sparc.deb
Las sumas MD5 de los ficheros que se listan están disponibles en el aviso original.
Las sumas MD5 de los ficheros que se listan están disponibles en el aviso revisado.