Package: courier
Severity: important
Tags: security

I have been working on a tool called Clonewise to automatically identify
embedded code copies in Debian packages and determine if they are out of
date and vulnerable. Ideally, embedding code and libraries should be
avoided and a system-wide library should be used instead.

I recently ran the tool on Debian 6 stable. The results are here at
http://www.foocodechu.com/downloads/Clonewise-report.txt

The courier package reported potential issues appended to this message.

Apologies if these are false positives. Your help in advising me on whether
these issues are real will help me improve the analysis for the future.

--
Silvio Cesare
Deakin University

### Summary:
###

maildrop CLONED_IN_SOURCE courier <unfixed> CVE-2010-0301

### Reports by package:
###
# Package courier may be vulnerable to the following issues:
#
        CVE-2010-0301


# SUMMARY: main.C in maildrop 2.3.0 and earlier, when run by root with
the -d option, uses the gid of root for execution of the .mailfilter
file in a user's home directory, which allows local users to gain
privileges via a crafted file.
#

# CVE-2010-0301 relates to a vulnerability in package maildrop.
# The following source filenames are likely responsible:
#       main.c
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

maildrop CLONED_IN_SOURCE courier <unfixed> CVE-2010-0301
