<?xml version="1.0" encoding="utf-8"?>
<glsa id="200611-15">
<title>qmailAdmin: Buffer overflow</title>
qmailAdmin is vulnerable to a buffer overflow that could lead to the remote
execution of arbitrary code.
<product type="ebuild">qmailadmin</product>
<announced>November 21, 2006</announced>
<revised>November 21, 2006: 01</revised>
<package name="net-mail/qmailadmin" auto="yes" arch="*">
<unaffected range="ge">1.2.10</unaffected>
<vulnerable range="lt">1.2.10</vulnerable>
qmailAdmin is a free software package that provides a web interface for
managing a qmail system with virtual domains.
qmailAdmin fails to properly handle the "PATH_INFO" variable in
qmailadmin.c. PATH_INFO is a standard CGI environment variable
filled with user-supplied data.
<impact type="high">
A remote attacker could exploit this vulnerability by sending
qmailAdmin a maliciously crafted URL that could lead to the execution
of arbitrary code with the permissions of the user running qmailAdmin.
There is no known workaround at this time.
All qmailAdmin users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-mail/qmailadmin-1.2.10&quot;</code>
<uri link="">CVE-2006-1141</uri>
<metadata tag="requester" timestamp="Wed, 15 Nov 2006 21:38:39 +0000">
<metadata tag="bugReady" timestamp="Wed, 15 Nov 2006 21:39:01 +0000">
<metadata tag="submitter" timestamp="Mon, 20 Nov 2006 08:53:09 +0000">