ID: CVE-2005-1520
Type: cve
Reporter: NVD
Modified: 2008-09-05T16:49:23
Description
Buffer overflow in the header_get_field_name function in header.c for GNU Mailutils 0.5 and 0.6, and other versions before 0.6.90, allows remote attackers to execute arbitrary code via a crafted e-mail.
{"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1520", "history": [], "references": ["http://www.idefense.com/application/poi/display?id=249&type=vulnerabilities", "http://www.debian.org/security/2005/dsa-732", "http://securitytracker.com/id?1014052", "http://www.securityfocus.com/bid/13766"], "lastseen": "2016-09-03T05:25:17", "bulletinFamily": "NVD", "title": "CVE-2005-1520", "cpe": ["cpe:/a:gnu:mailutils:0.6", "cpe:/a:gnu:mailutils:0.5"], "viewCount": 0, "id": "CVE-2005-1520", "hash": "47a582a385ba6149497529d4cd241f57beeda142b0a2885599e6759736187664", "description": "Buffer overflow in the header_get_field_name function in header.c for GNU Mailutils 0.5 and 0.6, and other versions before 0.6.90, allows remote attackers to execute arbitrary code via a crafted e-mail.", "edition": 1, "assessment": {"name": "", "href": "", "system": ""}, "cvelist": ["CVE-2005-1520"], "scanner": [], "modified": "2008-09-05T16:49:23", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "objectVersion": "1.2", "reporter": "NVD", "type": "cve", "published": "2005-05-26T00:00:00", "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2016-09-03T05:25:17"}, "dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:16854"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:8720"]}, {"type": "gentoo", "idList": ["GLSA-200505-20"]}, {"type": "debian", "idList": ["DEBIAN:DSA-732-1:F5017"]}, {"type": "openvas", "idList": ["OPENVAS:53561", "OPENVAS:54952"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-732.NASL", "GNU_MAILUTILS_060.NASL", "GENTOO_GLSA-200505-20.NASL"]}], "modified": "2016-09-03T05:25:17"}, "vulnersScore": 7.5}}
{"osvdb": [{"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in Mailutils. The mail program fails to validate a buffer in the header_get_field_name() function resulting in a buffer overflow. With a specially crafted email message, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 0.6.90 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in Mailutils. The mail program fails to validate a buffer in the header_get_field_name() function resulting in a buffer overflow. With a specially crafted email message, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.gnu.org/software/mailutils/mailutils.html\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200505-20.xml)\n[Vendor Specific Advisory URL](http://www.debian.org/security/2005/dsa-732)\nSecurity Tracker: 1014052\n[Secunia Advisory ID:15442](https://secuniaresearch.flexerasoftware.com/advisories/15442/)\n[Related OSVDB ID: 16857](https://vulners.com/osvdb/OSVDB:16857)\n[Related OSVDB ID: 16855](https://vulners.com/osvdb/OSVDB:16855)\n[Related OSVDB ID: 16856](https://vulners.com/osvdb/OSVDB:16856)\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=249&type=vulnerabilities\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0579.html\nISS X-Force ID: 20722\n[CVE-2005-1520](https://vulners.com/cve/CVE-2005-1520)\nBugtraq ID: 13766\n", "modified": "2005-05-25T04:26:42", "published": "2005-05-25T04:26:42", "href": "https://vulners.com/osvdb/OSVDB:16854", "id": "OSVDB:16854", "type": "osvdb", "title": "GNU Mailutils Mail header_get_field_name() Function Remote Overflow", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:13", "bulletinFamily": "software", "description": "GNU Mailutils 0.6 mail header_get_field_name() Buffer Overflow\r\nVulnerability\r\n\r\niDEFENSE Security Advisory 05.25.05\r\nhttp://www.idefense.com/application/poi/display?type=vulnerabilities\r\nMay 25, 2005\r\n\r\nI. BACKGROUND\r\n\r\nThe GNU mailutils package is a collection of mail-related\r\nutilities, including local and remote mailbox access services.\r\nMore information is available at the following site:\r\n\r\n http://www.gnu.org/software/mailutils/mailutils.html\r\n\r\nII. DESCRIPTION\r\n\r\nExploitation of a buffer overflow vulnerability in the mail\r\nbinary of the GNU Projects Mailutils package may allow a remote\r\nattacker to execute commands with the privileges of the\r\ntargeted user.\r\n\r\nDue to a coding error in the library function\r\nheader_get_field_name() in mailbox/header.c, a buffer overflow\r\ncondition exists. The code below checks if the value of 'len' is\r\ngreater than the value of 'buflen', but always sets the value of\r\n'len' to be the same, effectively performing no instruction.\r\n\r\n len = (len > buflen) ? len : len;\r\n\r\nThis code will set 'len' to the value of 'buflen' if 'len' is\r\ngreater than 'buflen'. This typo allows the buffer overflow to\r\noccur. The code should be:\r\n\r\n len = (len > buflen) ? buflen : len;\r\n\r\nIII. ANALYSIS\r\n\r\nSuccessful exploitation of the vulnerability would allow an\r\nemail sent by a remote user to cause a buffer overflow, allowing\r\nexecution of arbitrary commands in the context of the targeted\r\nuser. Access to a user account may allow further escalation of\r\nprivileges via local attacks.\r\n\r\nIV. DETECTION\r\n\r\niDEFENSE Labs has verified the existence of this vulnerability\r\nin versions 0.5 and 0.6 of the GNU Mailutils package. 
It is\r\nsuspected that any previous versions may also be affected.\r\n\r\nIt should be noted that the mail command from the GNU mailutils\r\npackage is NOT the default mail client on the vast majority of\r\nLinux installations. The mailx mail client is by far much more\r\nlikely to be installed. The mailx mail client is typically\r\ninstalled in /bin/mail, whereas the GNU mailutils mail client is\r\ntypically installed in /usr/bin/mail. These values are not\r\nuniversal, and additional verification should be performed to\r\ndetermine which version you have installed.\r\n\r\nV. WORKAROUND\r\n\r\nWhen possible, run client software as a regular user with\r\nlimited access to system resources. This may limit the immediate\r\nconsequences of client-side vulnerabilities.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nThis vulnerability has been fixed in GNU mailutils 0.6.90 which is\r\navailable for download at:\r\n\r\n ftp://alpha.gnu.org/gnu/mailutils/\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CAN-2005-1520 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n05/12/2005 Initial vendor notification\r\n05/12/2005 Initial vendor response\r\n05/25/2005 Public disclosure\r\n\r\nIX. CREDIT\r\n\r\ninfamous41md@hotpop.com is credited with the discovery of this\r\nvulnerability.\r\n\r\nGet paid for vulnerability research\r\nhttp://www.idefense.com/poi/teams/vcp.jsp\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright (c) 2005 iDEFENSE, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDEFENSE. 
If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically, please\r\nemail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.\r\n", "modified": "2005-05-26T00:00:00", "published": "2005-05-26T00:00:00", "id": "SECURITYVULNS:DOC:8720", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:8720", "title": "iDEFENSE Security Advisory 05.25.05: GNU Mailutils 0.6 mail header_get_field_name() Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:34", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-200505-20 (Mailutils: Multiple vulnerabilities in imap4d and mail)\n\n infamous41d discovered several vulnerabilities in GNU Mailutils.\n imap4d does not correctly implement formatted printing of command tags (CAN-2005-1523), fails to validate the range sequence of the 'FETCH' command (CAN-2005-1522), and contains an integer overflow in the 'fetch_io' routine (CAN-2005-1521). mail contains a buffer overflow in 'header_get_field_name()' (CAN-2005-1520).\n Impact :\n\n A remote attacker can exploit the format string and integer overflow in imap4d to execute arbitrary code as the imap4d user, which is usually root. 
By sending a specially crafted email message, a remote attacker could exploit the buffer overflow in the 'mail' utility to execute arbitrary code with the rights of the user running mail.\n Finally, a remote attacker can also trigger a Denial of Service by sending a malicious FETCH command to an affected imap4d, causing excessive resource consumption.\n Workaround :\n\n There are no known workarounds at this time.", "modified": "2018-08-10T00:00:00", "id": "GENTOO_GLSA-200505-20.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=18384", "published": "2005-05-28T00:00:00", "title": "GLSA-200505-20 : Mailutils: Multiple vulnerabilities in imap4d and mail", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200505-20.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18384);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/08/10 18:07:06\");\n\n script_cve_id(\"CVE-2005-1520\", \"CVE-2005-1521\", \"CVE-2005-1522\", \"CVE-2005-1523\");\n script_xref(name:\"GLSA\", value:\"200505-20\");\n\n script_name(english:\"GLSA-200505-20 : Mailutils: Multiple vulnerabilities in imap4d and mail\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200505-20\n(Mailutils: Multiple vulnerabilities in imap4d and mail)\n\n infamous41d discovered several vulnerabilities in GNU Mailutils.\n imap4d does not correctly implement formatted printing of command tags\n (CAN-2005-1523), fails to validate the range sequence of the 'FETCH'\n command (CAN-2005-1522), and contains an integer overflow in the\n 'fetch_io' routine (CAN-2005-1521). mail contains a buffer overflow in\n 'header_get_field_name()' (CAN-2005-1520).\n \nImpact :\n\n A remote attacker can exploit the format string and integer\n overflow in imap4d to execute arbitrary code as the imap4d user, which\n is usually root. 
By sending a specially crafted email message, a remote\n attacker could exploit the buffer overflow in the 'mail' utility to\n execute arbitrary code with the rights of the user running mail.\n Finally, a remote attacker can also trigger a Denial of Service by\n sending a malicious FETCH command to an affected imap4d, causing\n excessive resource consumption.\n \nWorkaround :\n\n There are no known workarounds at this time.\"\n );\n # http://www.idefense.com/application/poi/display?id=249&type=vulnerabilities\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?25ab4cb8\"\n );\n # http://www.idefense.com/application/poi/display?id=248&type=vulnerabilities\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d6033f90\"\n );\n # http://www.idefense.com/application/poi/display?id=247&type=vulnerabilities\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ceebb2fd\"\n );\n # http://www.idefense.com/application/poi/display?id=246&type=vulnerabilities\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f7b7be14\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200505-20\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All GNU Mailutils users should upgrade to the latest available\n version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-mail/mailutils-0.6-r1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mailutils\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/05/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/05/28\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/05/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-mail/mailutils\", unaffected:make_list(\"ge 0.6-r1\"), vulnerable:make_list(\"lt 0.6-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Mailutils\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:08:36", "bulletinFamily": "scanner", "description": "'infamous41md' discovered several vulnerabilities in the GNU mailutils package which contains utilities for handling mail. These problems can lead to a denial of service or the execution of arbitrary code. 
The Common Vulnerabilities and Exposures project identifies the following vulnerabilities.\n\n - CAN-2005-1520 Buffer overflow mail header handling may allow a remote attacker to execute commands with the privileges of the targeted user.\n\n - CAN-2005-1521\n\n Combined integer and heap overflow in the fetch routine can lead to the execution of arbitrary code.\n\n - CAN-2005-1522\n\n Denial of service in the fetch routine.\n\n - CAN-2005-1523\n\n Format string vulnerability can lead to the execution of arbitrary code.", "modified": "2018-08-09T00:00:00", "id": "DEBIAN_DSA-732.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=18519", "published": "2005-06-17T00:00:00", "title": "Debian DSA-732-1 : mailutils - several vulnerabilities", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-732. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18519);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/08/09 17:06:36\");\n\n script_cve_id(\"CVE-2005-1520\", \"CVE-2005-1521\", \"CVE-2005-1522\", \"CVE-2005-1523\");\n script_xref(name:\"DSA\", value:\"732\");\n\n script_name(english:\"Debian DSA-732-1 : mailutils - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"'infamous41md' discovered several vulnerabilities in the GNU mailutils\npackage which contains utilities for handling mail. These problems can\nlead to a denial of service or the execution of arbitrary code. 
The\nCommon Vulnerabilities and Exposures project identifies the following\nvulnerabilities.\n\n - CAN-2005-1520\n Buffer overflow mail header handling may allow a remote\n attacker to execute commands with the privileges of the\n targeted user.\n\n - CAN-2005-1521\n\n Combined integer and heap overflow in the fetch routine\n can lead to the execution of arbitrary code.\n\n - CAN-2005-1522\n\n Denial of service in the fetch routine.\n\n - CAN-2005-1523\n\n Format string vulnerability can lead to the execution of\n arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2005/dsa-732\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the mailutils packages.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 20020409-1woody2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mailutils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/06/17\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/05/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", 
\"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"libmailutils0\", reference:\"20020409-1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libmailutils0-dev\", reference:\"20020409-1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"mailutils\", reference:\"20020409-1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"mailutils-doc\", reference:\"20020409-1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"mailutils-imap4d\", reference:\"20020409-1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"mailutils-pop3d\", reference:\"20020409-1woody2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:08:34", "bulletinFamily": "scanner", "description": "GNU Mailutils is a collection of mail utilities, including an IMAP4 daemon, a POP3 daemon, and a very simple mail client. \n\nThe remote host is running a version of GNU Mailutils containing several critical flaws in its IMAP4 daemon and its mail client 'mail'. By exploiting these issues, a remote attacker can cause a denial of service in the IMAP4 daemon and execute code remotely, either in the context of a local user or the user executing the daemon process, typically root. \n\nIn addition, it may suffer from a SQL injection flaw if configured to work with MySQL or Postgres. 
An attacker may be able to exploit this flaw to modify database queries when mailutils tries to authenticate a user, leading to disclosure of sensitive information or modification of data.", "modified": "2018-11-15T00:00:00", "id": "GNU_MAILUTILS_060.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=18371", "published": "2005-05-26T00:00:00", "title": "GNU Mailutils <= 0.6 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18371);\n script_version(\"1.26\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2005-1520\", \"CVE-2005-1521\", \"CVE-2005-1522\", \"CVE-2005-1523\", \"CVE-2005-1824\");\n script_bugtraq_id(13763, 13764, 13765, 13766, 13870);\n\n script_name(english:\"GNU Mailutils <= 0.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks for multiple vulnerabilities in GNU Mailutils <= 0.6\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is affected by multiple issues.\");\n script_set_attribute(attribute:\"description\", value:\n\"GNU Mailutils is a collection of mail utilities, including an IMAP4\ndaemon, a POP3 daemon, and a very simple mail client. \n\nThe remote host is running a version of GNU Mailutils containing\nseveral critical flaws in its IMAP4 daemon and its mail client 'mail'. \nBy exploiting these issues, a remote attacker can cause a denial of\nservice in the IMAP4 daemon and execute code remotely, either in the\ncontext of a local user or the user executing the daemon process,\ntypically root. \n\nIn addition, it may suffer from a SQL injection flaw if configured to\nwork with MySQL or Postgres. 
An attacker may be able to exploit this\nflaw to modify database queries when mailutils tries to authenticate a\nuser, leading to disclosure of sensitive information or modification\nof data.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9dcd6edb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Jul/472\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to GNU Mailutils 0.6.90 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/05/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/05/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gnu:mailutils\");\n script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK);\n script_family(english:\"Gain a shell remotely\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"find_service1.nasl\");\n script_exclude_keys(\"imap/false_imap\", \"global_settings/supplied_logins_only\");\n script_require_keys(\"pop3/login\", \"pop3/password\", \"imap/login\", \"imap/password\");\n script_require_ports(\"Services/pop3\", 110, \"Services/imap\", 143);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\n# Check the IMAP daemon.\nport = 
get_kb_item(\"Services/imap\");\nif (!port) port = 143;\nif (get_port_state(port) && !get_kb_item(\"imap/false_imap\"))\n{\n # Establish a connection.\n tag = 0;\n soc = open_sock_tcp(port);\n if (soc)\n {\n # Read the banner.\n s = recv_line(socket:soc, length:1024);\n\n # If the banner suggests it's Mailutils...\n if (\"* OK IMAP4rev1\" >< s)\n {\n # If safe checks are enabled.\n if (safe_checks())\n {\n # We'll try to log in as a user and get the version\n # from a CAPABILITIES command.\n user = get_kb_item(\"imap/login\");\n pass = get_kb_item(\"imap/password\");\n if (user && pass)\n {\n # Try to log in.\n ++tag;\n c = string(\"a\", string(tag), \" LOGIN \", user, \" \", pass);\n send(socket:soc, data:string(c, \"\\r\\n\"));\n while (s = recv_line(socket:soc, length:1024))\n {\n s = chomp(s);\n m = eregmatch(pattern:string(\"^a\", string(tag), \" (OK|BAD|NO)\"), string:s, icase:TRUE);\n if (!isnull(m))\n {\n resp = m[1];\n break;\n }\n resp = \"\";\n }\n if (resp && resp =~ \"NO\")\n {\n debug_print(\"can't login with supplied imap credentials; skipped!\", level:1);\n }\n\n # If successful, issue an X-VERSION command.\n if (resp && resp =~ \"OK\")\n {\n ++tag;\n c = string(\"a\", string(tag), \" X-VERSION\");\n send(socket:soc, data:string(c, \"\\r\\n\"));\n while (s = recv_line(socket:soc, length:1024))\n {\n s = chomp(s);\n if (s =~ \"^\\* X-VERSION GNU imap4d .+ 0\\.([0-5]|6(\\)|\\.[0-8]))\")\n {\n report = string(\n \"\\n\",\n \"Note that Nessus has determined the vulnerability exists on the\\n\",\n \"remote host simply by looking at the version number of the IMAP4\\n\",\n \"daemon installed there.\\n\"\n );\n security_hole(port:port, extra:report);\n\t\t set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE); # ?\n }\n m = eregmatch(pattern:string(\"^a\", string(tag), \" (OK|BAD|NO)\"), string:s, icase:TRUE);\n if (!isnull(m))\n {\n resp = m[1];\n break;\n }\n resp = \"\";\n }\n }\n }\n else\n {\n debug_print(\"imap/login and/or imap/password are 
empty; skipped!\", level:1);\n }\n }\n # Safe checks are disabled; let's try to exploit the format string flaw.\n else\n {\n # This should just crash the child process handling our connection.\n c = string(\"%n%n%n%n%n \", SCRIPT_NAME);\n send(socket:soc, data:string(c, \"\\r\\n\"));\n while (s = recv_line(socket:soc, length:1024))\n {\n s = chomp(s);\n m = eregmatch(pattern:string(\"^a\", string(tag), \" (OK|BAD|NO)\"), string:s, icase:TRUE);\n if (!isnull(m))\n {\n resp = m[1];\n break;\n }\n resp = \"\";\n }\n\n # If we didn't get a response back, there's likely a problem.\n if (!strlen(s))\n {\n security_hole(port);\n\t set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n # nb: no need to close it.\n soc = NULL;\n }\n }\n\n # Be nice and logout if there's still a connection.\n if (soc)\n {\n ++tag;\n c = string(\"a\", string(tag), \" LOGOUT\");\n send(socket:soc, data:string(c, \"\\r\\n\"));\n close(soc);\n }\n }\n }\n}\n\n\n# And check the POP3 daemon too.\nport = get_service(svc:\"pop3\", default: 110, exit_on_fail: 1);\nif (! 
get_kb_item(\"pop3/\"+port+\"/false_pop3\"))\n{\n # Establish a connection.\n soc = open_sock_tcp(port);\n if (soc)\n {\n s = recv_line(socket:soc, length:1024);\n\n # If the banner suggests it's Mailutils...\n if (s =~ \"^\\+OK POP3 Ready <[0-9]+\\.[0-9]+@\")\n {\n user = get_kb_item(\"pop3/login\");\n pass = get_kb_item(\"pop3/password\");\n\n # Try to log in.\n if (user && pass)\n {\n c = string(\"USER \", user);\n send(socket:soc, data:string(c, \"\\r\\n\"));\n while (s = recv_line(socket:soc, length:1024))\n {\n s = chomp(s);\n m = eregmatch(pattern:\"^(\\+OK|-ERR)( |$)\", string:s, icase:TRUE);\n if (!isnull(m))\n {\n resp = m[1];\n break;\n }\n resp = \"\";\n }\n if (resp && resp =~ \"OK\")\n {\n c = string(\"PASS \", pass);\n send(socket:soc, data:string(c, \"\\r\\n\"));\n while (s = recv_line(socket:soc, length:1024))\n {\n s = chomp(s);\n m = eregmatch(pattern:\"^(\\+OK|-ERR)( |$)\", string:s, icase:TRUE);\n if (!isnull(m))\n {\n resp = m[1];\n break;\n }\n resp = \"\";\n }\n }\n if (resp && resp =~ \"ERR\")\n {\n debug_print(\"can't login with supplied pop3 credentials; skipped!\", level:1);\n }\n\n # The version is available through a CAPA command.\n if (resp && resp =~ \"OK\")\n {\n c = string(\"CAPA\");\n send(socket:soc, data:string(c, \"\\r\\n\"));\n caps = \"\";\n s = recv_line(socket:soc, length:1024);\n s = chomp(s);\n if (s =~ \"^\\+OK( |$)\")\n {\n while (s = recv_line(socket:soc, length:1024))\n {\n s = chomp(s);\n if (s =~ \"^\\.$\") break;\n caps = string(caps, s, \"\\n\");\n }\n }\n # Check whether the version number indicates a problem.\n if (\n egrep(\n string:caps, \n pattern:\"IMPLEMENTATION GNU Mailutils 0\\.([0-5]|6($|\\.[0-8]))\",\n icase:TRUE\n )\n )\n {\n report = string(\n \"\\n\",\n \"Note that Nessus has determined the vulnerability exists on the\\n\",\n \"remote host simply by looking at the version number of the POP3\\n\",\n \"daemon installed there.\\n\"\n );\n security_hole(port:port, extra:report);\n\t set_kb_item(name: 
'www/'+port+'/SQLInjection', value: TRUE); # ?\n }\n }\n }\n else\n {\n debug_print(\"pop3/login and/or pop3/password are empty; skipped!\", level:1);\n }\n }\n\n # Let's be nice and logout.\n c = \"QUIT\";\n send(socket:soc, data:string(c, \"\\r\\n\"));\n\n # And close the socket.\n close(soc);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:57", "bulletinFamily": "unix", "description": "### Background\n\nGNU Mailutils is a collection of mail-related utilities, including an IMAP4 server (imap4d) and a Mail User Agent (mail). \n\n### Description\n\ninfamous41d discovered several vulnerabilities in GNU Mailutils. imap4d does not correctly implement formatted printing of command tags (CAN-2005-1523), fails to validate the range sequence of the \"FETCH\" command (CAN-2005-1522), and contains an integer overflow in the \"fetch_io\" routine (CAN-2005-1521). mail contains a buffer overflow in \"header_get_field_name()\" (CAN-2005-1520). \n\n### Impact\n\nA remote attacker can exploit the format string and integer overflow in imap4d to execute arbitrary code as the imap4d user, which is usually root. By sending a specially crafted email message, a remote attacker could exploit the buffer overflow in the \"mail\" utility to execute arbitrary code with the rights of the user running mail. Finally, a remote attacker can also trigger a Denial of Service by sending a malicious FETCH command to an affected imap4d, causing excessive resource consumption. \n\n### Workaround\n\nThere are no known workarounds at this time. 
\n\n### Resolution\n\nAll GNU Mailutils users should upgrade to the latest available version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-mail/mailutils-0.6-r1\"", "modified": "2005-05-27T00:00:00", "published": "2005-05-27T00:00:00", "id": "GLSA-200505-20", "href": "https://security.gentoo.org/glsa/200505-20", "type": "gentoo", "title": "Mailutils: Multiple vulnerabilities in imap4d and mail", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2018-10-16T22:15:06", "bulletinFamily": "unix", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 732-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nJune 3rd, 2005 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : mailutils\nVulnerability : several\nProblem-Type : remote\nDebian-specific: no\nCVE ID : CAN-2005-1520 CAN-2005-1521 CAN-2005-1522 CAN-2005-1523\n\n\"infamous41md\" discovered several vulnerabilities in the GNU mailutils\npackage which contains utilities for handling mail. 
These problems\ncan lead to a denial of service or the execution of arbitrary code.\nThe Common Vulnerabilities and Exposures project identifies the\nfollowing vulnerabilities.\n\nCAN-2005-1520\n\n Buffer overflow mail header handling may allow a remote attacker\n to execute commands with the privileges of the targeted user.\n\nCAN-2005-1521\n\n Combined integer and heap overflow in the fetch routine can lead\n to the execution of arbitrary code.\n\nCAN-2005-1522\n\n Denial of service in the fetch routine.\n\nCAN-2005-1523\n\n Format string vulnerability can lead to the execution of arbitrary\n code.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 20020409-1woody2.\n\nFor the testing distribution (sarge) these problems have been fixed in\nversion 0.6.1-4.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 0.6.1-4.\n\nWe recommend that you upgrade your mailutils packages.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "modified": "2005-06-03T00:00:00", "published": "2005-06-03T00:00:00", "id": "DEBIAN:DSA-732-1:F5017", "href": 
"https://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00116.html", "title": "[SECURITY] [DSA 732-1] New mailutils packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:06", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 200505-20.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=54952", "id": "OPENVAS:54952", "title": "Gentoo Security Advisory GLSA 200505-20 (mailutils)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The imap4d server and the mail utility from GNU Mailutils contain multiple\nvulnerabilities, potentially allowing a remote attacker to execute\narbitrary code with root privileges.\";\ntag_solution = \"All GNU Mailutils users should upgrade to the latest available version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-mail/mailutils-0.6-r1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200505-20\nhttp://bugs.gentoo.org/show_bug.cgi?id=94053\nhttp://www.idefense.com/application/poi/display?type=vulnerabilities&showYear=2005\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200505-20.\";\n\n \n\nif(description)\n{\n script_id(54952);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2005-1520\", \"CVE-2005-1521\", \"CVE-2005-1522\", \"CVE-2005-1523\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200505-20 (mailutils)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-mail/mailutils\", unaffected: make_list(\"ge 0.6-r1\"), vulnerable: make_list(\"lt 0.6-r1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:57", "bulletinFamily": "scanner", "description": "The remote host is missing an update to mailutils\nannounced via advisory DSA 732-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53561", "id": "OPENVAS:53561", "title": "Debian Security Advisory DSA 732-1 (mailutils)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_732_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 732-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"infamous41md discovered several vulnerabilities in the GNU mailutils\npackage which contains utilities for handling mail. These problems\ncan lead to a denial of service or the execution of arbitrary code.\nThe Common Vulnerabilities and Exposures project identifies the\nfollowing vulnerabilities.\n\nCVE-2005-1520\n\nBuffer overflow mail header handling may allow a remote attacker\nto execute commands with the privileges of the targeted user.\n\nCVE-2005-1521\n\nCombined integer and heap overflow in the fetch routine can lead\nto the execution of arbitrary code.\n\nCVE-2005-1522\n\nDenial of service in the fetch routine.\n\nCVE-2005-1523\n\nFormat string vulnerability can lead to the execution of arbitrary\ncode.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 20020409-1woody2.\n\nFor the testing distribution (sarge) these problems have been fixed in\nversion 0.6.1-4.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 0.6.1-4.\n\nWe recommend that you upgrade your mailutils packages.\";\ntag_summary = \"The remote host is missing an update to 
mailutils\nannounced via advisory DSA 732-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20732-1\";\n\nif(description)\n{\n script_id(53561);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:00:53 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2005-1520\", \"CVE-2005-1521\", \"CVE-2005-1522\", \"CVE-2005-1523\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 732-1 (mailutils)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"mailutils-doc\", ver:\"20020409-1woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmailutils0\", ver:\"20020409-1woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmailutils0-dev\", ver:\"20020409-1woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mailutils\", ver:\"20020409-1woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mailutils-imap4d\", ver:\"20020409-1woody2\", rls:\"DEB3.0\")) != 
NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mailutils-pop3d\", ver:\"20020409-1woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}