COMMAND

    popper & qpopper

SYSTEMS AFFECTED

    Systems running Qualcomm popper and qpopper

PROBLEM

    Dynamo found the following.  Some versions of popper and qpopper
    from Qualcomm allow you to read other people's email.  There are
    quite a few situations in which you need your mail spool directory
    chmodded 1777.  If you have local users on a machine with the mail
    spool directory, they can create symbolic links from the temporary
    pop drop box to a file that they can read.

    To see if you're vulnerable:

        1) touch /tmp/lumpy; chmod 777 /tmp/lumpy
        2) ln -s /tmp/lumpy /var/mail/.luser.pop
        3) wait for them to check their email.
        4) while they are reading it from the pop server, look at the
           file in the tmp dir.

SOLUTION

    Apparently it is fixed in the newest version.  Systems running
    QPOPPER 2.2 should be safe, since even version 2.2 of qpopper is
    smart enough to know the difference between a regular file and a
    symbolic link.
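
    The regular-file-versus-symlink check described above, shown in C as
    an added example (not qpopper's own code).  The helper names, the
    owner and link-count checks (which go beyond the symlink test), and
    the temp directory standing in for the spool are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkdtemp */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not qpopper code): open a temporary drop file in a
 * world-writable (1777) spool directory. Returns an fd, or -1 if the name
 * is a symlink, not a regular file, multiply linked, or not owned by owner. */
int open_drop_file(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW makes open() fail if the last path component is a symlink. */
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Inspect the object actually opened, so there is no check/use race. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a private temp dir stands in for /var/mail.
 * Returns 0 when the planted link is refused and a plain file is accepted. */
int demo(void)
{
    char dir[] = "/tmp/spoolXXXXXX", target[64], drop[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/lumpy", dir);
    snprintf(drop, sizeof drop, "%s/.luser.pop", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0666);   /* file others can read */
    if (t >= 0) close(t);
    int planted = (t >= 0 && symlink(target, drop) == 0);
    int refused = (open_drop_file(drop, geteuid()) == -1);
    unlink(drop);                                     /* remove the link */
    int fd = open_drop_file(drop, geteuid());         /* creates a real file */
    if (fd >= 0) close(fd);
    unlink(drop); unlink(target); rmdir(dir);
    return (planted && refused && fd >= 0) ? 0 : 1;
}

int main(void) { return demo(); }
```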