IMAP Proxy: Format string vulnerabilities

2006.03.07
Credit: Thierry Carrez
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2005-2661
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200603-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: IMAP Proxy: Format string vulnerabilities Date: March 06, 2006 Bugs: #107679 ID: 200603-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Format string vulnerabilities in IMAP Proxy may lead to the execution of arbitrary code when connected to malicious IMAP servers. Background ========== IMAP Proxy (also known as up-imapproxy) proxies IMAP transactions between an IMAP client and an IMAP server. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-mail/up-imapproxy < 1.2.4 >= 1.2.4 Description =========== Steve Kemp discovered two format string errors in IMAP Proxy. Impact ====== A remote attacker could design a malicious IMAP server and entice someone to connect to it using IMAP Proxy, resulting in the execution of arbitrary code with the rights of the victim user. Workaround ========== Only connect to trusted IMAP servers using IMAP Proxy. Resolution ========== All IMAP Proxy users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/up-imapproxy-1.2.4" References ========== [ 1 ] CVE-2005-2661 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2661 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200603-04.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFEDKUDvcL1obalX08RAi9RAJ9wYi81AFNqLhlAMM2ozIQTAt0/zQCdEDC3 MgSeAfz1sC3SXlEPmkbHJ/M= =d3D5 -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top