Courier-IMAP: Remote execution of arbitrary code — GLSA 200704-18

A vulnerability has been discovered in Courier-IMAP allowing for remote code execution with root privileges.

Affected Packages

net-mail/courier-imap on all architectures
Affected versions < 4.0.6-r2
Unaffected versions >= 4.0.6-r2, < 4.0.0

Background

Courier-IMAP is an IMAP server which is part of the Courier mail system. It provides access only to maildirs.

Description

CJ Kucera has discovered that some Courier-IMAP scripts don't properly handle the XMAILDIR variable, allowing for shell command injection.

Impact

A remote attacker could send specially crafted login credentials to a Courier-IMAP server instance, possibly leading to remote code execution with root privileges.

Workaround

There is no known workaround at this time.

Resolution

All Courier-IMAP users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-mail/courier-imap-4.0.6-r2"

References

Release Date
April 22, 2007

Latest Revision
April 23, 2007: 02

Severity
high

Exploitable
remote

Bugzilla entries