SkipNavigation
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric



 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

 

Vulnerability Note VU#125776

Multiple buffer overflows in Mozilla POP3 protocol handler

Overview

There are multiple buffer overflow vulnerabilities in the Mozilla POP3 protocol handler that could allow a remote attacker to execute arbitrary code.

I. Description

Post Office Protocol Version 3 (POP3) is a mail protocol that provides a means for retrieving email from a remote server. The Mozilla mail client supports the POP3 protocol. There are multiple vulnerabilities in a number of functions used by the Mozilla POP3 protocol handler. The vulnerable functions include: FreeMsgInfo(), GetXtndXlstMsgid(), GetUidlList(), and GetList(). When processing POP3 responses, a specially crafted response could trigger a buffer overflow condition.

II. Impact

By sending a specially crafted POP3 response to an affected client, a remote attacker could cause the client to crash or potentially execute arbitrary code. Exploitation of this vulnerability would require a user to connect to a malicious POP3 server.

III. Solution

Upgrade

Upgrade as specified by your vendor. This issue has been resolved in Mozilla 1.7.3, Firefox Preview Release, and Thunderbird 0.8.

Systems Affected

VendorStatusDate Updated
MozillaVulnerable16-Sep-2004

References


http://bugzilla.mozilla.org/show_bug.cgi?id=245066
http://bugzilla.mozilla.org/show_bug.cgi?id=226669
http://secunia.com/advisories/12526/
http://www.securitytracker.com/alerts/2004/Sep/1011317.html
http://www.securitytracker.com/alerts/2004/Sep/1011318.html

Credit

This vulnerability was reported by Gael Delalleau.

This document was written by Damon Morda.

Other Information

Date Public05/29/2004
Date First Published09/17/2004 02:07:12 PM
Date Last Updated09/17/2004
CERT Advisory 
CVE Name 
US-CERT Technical Alerts 
Metric28.69
Document Revision12

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader