==============================================================================
PTL: Prism Technologies, Ltd.                      http://www.prism.net/secure
Netmanage ZPOP v1.1                                            August 24, 1998
==============================================================================
http://www.prism.net/secure/advisory/PTL.092498.ZPOP
-------------------------------------------------------------------------------

=== -Credit- =================================================================
Mark Dowd - markd@prism.net
Michael Freeman - mikef@prism.net
==============================================================================

Discovered: August 24, 1998
Released: September 1, 1998
Operating Systems tested on: Linux, Solaris 2.6/SPARC

Information
-----------
The ZPOP server daemon available from Netmanage contains multiple buffer
overflows. Overflows are present up to and including the latest version
(ZPOP 1.0 (patchlevel 60423dev)). We do not believe that any systems ship
ZPOP 1.0 by default.

Impact
------
Remote users can gain root access.

Fix
---
We have contacted NetManage about releasing a patch. Please refer to their
website for more information, or remove 'zpop' from your system. No patches
are available from us, since the source code is not available to the public.

------------------------------------------------------------------------------

Contact Information
-------------------
E-Mail: secure@prism.net
WWW: http://www.prism.net/secure
FTP: ftp://ftp.prism.net