GLSA-200505-17 : Qpopper: Multiple Vulnerabilities
High Nessus Plugin ID 18381
Synopsis
The remote Gentoo host is missing one or more security-related patches.
Description
The remote host is affected by the vulnerability described in GLSA-200505-17 (Qpopper: Multiple Vulnerabilities).
Jens Steube discovered that Qpopper does not drop privileges when processing local files from normal users (CAN-2005-1151). The upstream developers discovered that Qpopper can be forced to create group- or world-writeable files (CAN-2005-1152).
A malicious local attacker could exploit Qpopper to overwrite arbitrary files as root or create new files which are group or world writeable.
There is no known workaround at this time.
Solution
All Qpopper users should upgrade to the latest available version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-mail/qpopper-4.0.5-r3'