J-Security Center

Title: Jean-Yves Lefort Mail Notification Multiple Vulnerabilities

Severity: HIGH

Description:

Jean-Yves Lefort Mail Notification is a utility that notifies a user of new email.

Jean-Yves Lefort Mail Notification is reported prone to three security vulnerabilities.

The first reported issue is a remote denial of service vulnerability. It stems from a parsing error in the Mail Notification 'soup_context_get()' function: a specially crafted URI passed to the vulnerable function results in a NULL return value, which may in turn lead to a NULL pointer dereference and a software crash.

A remote attacker may exploit this vulnerability to crash the affected software.

The second reported issue presents itself when a malicious IMAP server response is handled. It is reported that an out-of-context continuation response triggers the vulnerability, resulting in a NULL pointer dereference.

An attacker that hosts a malicious IMAP server may exploit this vulnerability to crash affected software. An attack may also be accomplished by hijacking a legitimate IMAP connection.

Finally, Mail Notification is reported prone to a remote buffer overflow vulnerability. This issue presents itself due to insufficient boundary checks on POP3 STAT replies. Excess POP3 STAT reply data may corrupt stack-based memory adjacent to the affected buffer; this memory may contain values that are crucial in controlling program execution flow.

An attacker that hosts a malicious POP3 server may exploit this vulnerability to execute arbitrary code in the context of the user that is running the affected software. An attack may also be accomplished by hijacking a legitimate POP3 connection.
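As an added illustration of the defect class behind the third issue (this is not Mail Notification's code), the unsafe pattern of copying a STAT reply into a fixed stack buffer is shown as a comment beside a bounded parser that rejects oversized or malformed replies before touching them. The STAT_REPLY_MAX limit and the function and struct names are assumptions for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for a sane "+OK <count> <size>\r\n" reply. */
#define STAT_REPLY_MAX 64

struct pop3_stat { unsigned long count; unsigned long size; };

/* Unsafe pattern (the class of defect the advisory describes, not the
 * project's actual code): a fixed stack buffer filled from server data
 * with no length limit, so a long reply overwrites adjacent stack memory.
 *
 *   char num[16];
 *   sscanf(reply, "+OK %s", num);   // no width limit -> overflows num
 */

/* Returns 0 and fills *out for a well-formed "+OK <count> <size>" line,
 * -1 otherwise. Server data is only copied after its length is checked. */
int parse_pop3_stat(const char *reply, size_t len, struct pop3_stat *out)
{
    /* Reject missing or oversized input before any parsing happens. */
    if (reply == NULL || out == NULL || len == 0 || len > STAT_REPLY_MAX)
        return -1;
    /* NUL-terminated working copy, bounded by STAT_REPLY_MAX. */
    char buf[STAT_REPLY_MAX + 1];
    memcpy(buf, reply, len);
    buf[len] = '\0';

    if (strncmp(buf, "+OK", 3) != 0 || buf[3] != ' ')
        return -1;

    char *p = buf + 4, *end;
    errno = 0;
    if (!isdigit((unsigned char)*p)) return -1;
    unsigned long count = strtoul(p, &end, 10);   /* message count */
    if (errno || *end != ' ') return -1;
    p = end + 1;
    if (!isdigit((unsigned char)*p)) return -1;
    unsigned long size = strtoul(p, &end, 10);    /* maildrop size */
    if (errno) return -1;
    /* Only CRLF, LF or end of string may follow the size field. */
    if (!(*end == '\0' || strcmp(end, "\r\n") == 0 || strcmp(end, "\n") == 0))
        return -1;
    out->count = count;
    out->size = size;
    return 0;
}
```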

Affected Products:

  • Jean-Yves Lefort Mail Notification 0.3.1
  • Jean-Yves Lefort Mail Notification 0.3.2
  • Jean-Yves Lefort Mail Notification 0.3.3
  • Jean-Yves Lefort Mail Notification 0.3.4
  • Jean-Yves Lefort Mail Notification 0.4.0
  • Jean-Yves Lefort Mail Notification 0.5.0
  • Jean-Yves Lefort Mail Notification 0.6.0
  • Jean-Yves Lefort Mail Notification 0.6.1
  • Jean-Yves Lefort Mail Notification 0.6.2

References:
