Vulnerabilities > CVE-2002-1090 - Unspecified vulnerability in Libesmtp

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
libesmtp
nessus

Summary

Buffer overflow in read_smtp_response of protocol.c in libesmtp before 0.8.11 allows a remote SMTP server to (1) execute arbitrary code via a certain response or (2) cause a denial of service via long server responses.

Vulnerable Configurations

Part Description Count
Application
Libesmtp
1

Nessus

NASL familyRed Hat Local Security Checks
NASL idREDHAT-RHSA-2003-111.NASL
descriptionUpdated Balsa packages are available which fix potential vulnerabilities in the IMAP handling code and in libesmtp. Balsa is a GNOME email client which includes code from Mutt. A potential buffer overflow exists in Balsa versions 1.2 and higher when parsing mailbox names returned by an IMAP server. It is possible that a hostile IMAP server could cause arbitrary code to be executed by the user running Balsa. Additionally, a buffer overflow in libesmtp (an SMTP library used by Balsa) before version 0.8.11 allows a hostile remote SMTP server to execute arbitrary code via a certain response or cause a denial of service via long server responses. Users of Balsa are recommended to upgrade to these erratum packages which include updated versions of Balsa and libesmtp which are not vulnerable to these issues. Red Hat would like to thank CORE security for discovering the vulnerability, and the Mutt team for providing a patch.
last seen2020-06-01
modified2020-06-02
plugin id12382
published2004-07-06
reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/12382
titleRHEL 2.1 : balsa (RHSA-2003:111)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2003:111. The text 
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12382);
  script_version ("1.27");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2002-1090", "CVE-2003-0140");
  script_xref(name:"RHSA", value:"2003:111");

  script_name(english:"RHEL 2.1 : balsa (RHSA-2003:111)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated Balsa packages are available which fix potential
vulnerabilities in the IMAP handling code and in libesmtp.

Balsa is a GNOME email client which includes code from Mutt.

A potential buffer overflow exists in Balsa versions 1.2 and higher
when parsing mailbox names returned by an IMAP server. It is possible
that a hostile IMAP server could cause arbitrary code to be executed
by the user running Balsa.

Additionally, a buffer overflow in libesmtp (an SMTP library used by
Balsa) before version 0.8.11 allows a hostile remote SMTP server to
execute arbitrary code via a certain response or cause a denial of
service via long server responses.

Users of Balsa are recommended to upgrade to these erratum packages
which include updated versions of Balsa and libesmtp which are not
vulnerable to these issues.

Red Hat would like to thank CORE security for discovering the
vulnerability, and the Mutt team for providing a patch."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2002-1090"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2003-0140"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2003:111"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected balsa, libesmtp and / or libesmtp-devel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:balsa");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libesmtp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libesmtp-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2003/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2003:111";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"balsa-1.2.4-7.7.2")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"libesmtp-0.8.12-0.7.x")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"libesmtp-devel-0.8.12-0.7.x")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "balsa / libesmtp / libesmtp-devel");
  }
}