Gentoo: uw-imapd buffer overflow vulnerability
Posted by LinuxSecurity.com Team   
Gentoo UW-imapd can also act as IMAP client, allowing user to connect to specified server. It is disabled for anonymous users, but allowed for everyone else.

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200305-12
- - - ---------------------------------------------------------------------

          PACKAGE : uw-imapd
          SUMMARY : buffer overflow
             DATE : 2003-06-01 11:54 UTC
          EXPLOIT : remote
VERSIONS AFFECTED : =uw-imapd-2002d
              CVE : 

- - - ---------------------------------------------------------------------

- From advisory:

"UW-imapd can also act as IMAP client, allowing user to connect to specified
server. It is disabled for anonymous users, but allowed for everyone else
(even with closedBox, blackBox or restrictBox enabled). So exploiting it
could give you access to the system as the logged in user."

Read the full advisory at: 
http://marc.theaimsgroup.com/?l=bugtraq&m=105294024124163&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-mail/uw-imapd upgrade to uw-imapd-2002d as follows

emerge sync
emerge uw-imapd
emerge clean

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at  http://cvs.gentoo.org/~aliz
prez@gentoo.org
- - - ---------------------------------------------------------------------