pop2d (imapd)


    imapd4.4 and earlier


    Chris Evans found the following. This bug concerns the pop-2 daemon,
    which is part of the Washington University imap package. pop-2
    and pop-3 support the concept of an "anonymous proxy" whereby
    remote users can connect and open an imap mailbox on _any server
    they have a valid account on_. An attacker connects to the
    vulnerable pop-2 port and connects it to an imap server under
    their control. Once logged on, issuing a "FOLD" command with a
    long argument will overflow a stack-based buffer. The argument
    to FOLD must be somewhere around 1000 bytes - not much bigger, not
    much smaller. Look at the source.


    The problem has been fixed for a long time. RedHat-6.0 isn't
    vulnerable because it shipped with imap-4.5, which is safe.
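

    The class of fix for the FOLD overflow described above, as an added
    example (not code from the imap package): a handler that checks the
    argument length against the destination buffer before copying. The
    names parse_fold, fold_status and MAILBOX_MAX are hypothetical, and
    case-insensitive command matching is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAILBOX_MAX 256  /* assumed limit for this example, not from the imap source */

enum fold_status { FOLD_OK = 0, FOLD_NOT_FOLD = -1, FOLD_EMPTY = -2, FOLD_TOO_LONG = -3 };

/* Parse "FOLD <mailbox>" from one client line into out[outlen].
 * The argument length is compared with the destination size before any
 * copy, so an oversized argument is rejected instead of being written
 * past the end of a fixed-size stack buffer. */
enum fold_status parse_fold(const char *line, char *out, size_t outlen)
{
    size_t len;

    if (outlen == 0)
        return FOLD_TOO_LONG;
    out[0] = '\0';
    /* The keyword must be followed by space, CR, LF or end of string. */
    if (strncasecmp(line, "FOLD", 4) != 0 || strchr(" \r\n", line[4]) == NULL)
        return FOLD_NOT_FOLD;
    line += 4;
    while (*line == ' ')
        line++;
    len = strcspn(line, "\r\n");   /* argument ends at CRLF */
    if (len == 0)
        return FOLD_EMPTY;
    if (len >= outlen)             /* keep room for the terminating NUL */
        return FOLD_TOO_LONG;
    memcpy(out, line, len);
    out[len] = '\0';
    return FOLD_OK;
}

int main(void)
{
    char mailbox[MAILBOX_MAX];
    char longline[1006];           /* constructed sample: "FOLD " + 1000 bytes */

    memset(longline, 'A', sizeof longline - 1);
    memcpy(longline, "FOLD ", 5);
    longline[sizeof longline - 1] = '\0';
    printf("normal: %d\n", parse_fold("FOLD INBOX\r\n", mailbox, sizeof mailbox));
    printf("long:   %d\n", parse_fold(longline, mailbox, sizeof mailbox));
    return 0;
}
```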