############################################################################## # # Multiple Vulnerabilities in GNU Mailutils # # Copyright: OS2A and it's member companies # # Date Written: 2005/05/27 # # $Revision: 1.5 $ # # $Log: os2a_Mailutils_600019.nasl,v $ # Revision 1.5 2006/02/20 15:51:32 rdanford # invalid risk-factor lines # # Revision 1.4 2006/02/20 12:19:05 hpavithra # Corrected all misspelled words # # Revision 1.3 2006/02/06 11:24:12 hshreesha # changed close() to ssh_close_connection() # # Revision 1.2 2005/11/04 06:23:10 shraddha # Added platform check for Linux. # Issue #332. # # Revision 1.1 2005/06/22 10:53:11 bchandra # issue #332 # Moved to production # # Revision 1.5 2005/06/03 13:05:34 bchandra # Issue #0000332 # Code format # # Revision 1.4 2005/05/31 13:26:58 schandan # Issue #332 # # Revision 1.3 2005/05/31 13:16:22 schandan # Issue #332 # # Revision 1.2 2005/05/31 11:48:01 schandan # Issue #332 # # Revision 1.1 2005/05/31 07:32:42 schandan # Issue #332 # # # ------------------------------------------------------------------------ # This program was written by OS2A and/or it's member companies and is # licensed under the GNU GPL license. Please see below for details. This # header contains information regarding licensing terms under the GPL, and # information regarding obtaining source code from the Author. Consequently, # pursuant to section 3(c) of the GPL, you must accompany the information # found in this header with any distribution you make of this Program. 
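# ------------------------------------------------------------------------
##############################################################################

#
# Credentialed version check for GNU Mailutils.
#
# The script has two parts:
#   1. A registration section (run when `description` is set) that declares
#      the plugin id, CVE candidates, family, report text and dependencies.
#   2. A check section that runs `mailutils-config -V` over an SSH session
#      and reports the host when the printed version falls in the range the
#      report text describes as affected (below 0.6.90).
#
# This is a version-string comparison only; it does not exercise any of the
# flaws listed in the report text.
#

if(description)
{
 script_id(600019);
 script_cve_id("CAN-2005-1520", "CAN-2005-1521", "CAN-2005-1522", "CAN-2005-1523");
 script_copyright(english: "Copyright (C) 2005 OS2A");
 script_version("$Revision: 1.5 $");

 # Information gathering only: the check reads a version string.
 script_category(ACT_GATHER_INFO);
 script_family(english: "Red Hat Local Security Checks");

 name["english"] = "Multiple Vulnerabilities in GNU Mailutils";
 script_name(english: name["english"]);

 summary["english"] = "Check for vulnerable Mailutils version";
 script_summary(english: summary["english"]);

 # Report text shown to the user. It is runtime data and is kept exactly as
 # it appears in the source, including its wording and spacing.
 # NOTE(review): the text says "All Unix platforms", while the check below
 # exits on any host whose uname does not contain "Linux".
 desc["english"] = " Overview: Multiple vulnerability in the GNU Projects Mailutils package may allow a remote attacker to execute commands with the privileges of the targeted user. The vulnerabilities are 1.GNU Mailutils 0.6 mail header_get_field_name() Buffer Overflow Vulnerability - Due to a coding error in the library function 2.GNU Mailutils 0.6 imap4d fetch_io Heap overflow Vulnerability - Integer overflow in fetch_io function of imapd server 3.GNU Mailutils 0.6 imap4d FETCH Command Resource Consumption DoS Vulnerability - While execution of fetch command in imap4d server 4.GNU Mailutils 0.6 imap4d Format String Vulnerability - While handling command tag supplied by the remote user. Impact: 1. Error in coding which leads to Buffer Overflow may allow a remote attacker to execute commands in the Mail binary (Mailbox) 2. Integer overflow in fetch_io may allow an authenticated remote attacker to execute arbitrary code 3. Error in handling FETCH command may allow an authenticated remote attacker to perform a denial of service 4. 
Format String issue while handling command tag may allow unauthenticated attacker to execute arbitrary code References: http://www.securityfocus.com/bid/13763 http://secunia.com/advisories/15442 http://www.niscc.gov.uk/niscc/docs/br-20050527-00448.html Platform Affected: All Unix platforms. Affected Version: The existence of this vulnerability is in versions 0.5 and 0.6 of the GNU Mailutils package and in previous versions. Fixed in GNU Mailutils 0.6.90. Solution: Upgrade the Mailutils package to 0.6.90 -> Downloaded from ftp://alpha.gnu.org/gnu/mailutils/mailutils-0.6.90.tar.gz Risk factor : Critical";
 script_description(english: desc["english"]);

 # The check needs the SSH settings and the collected uname string.
 script_dependencies("find_service.nes", "ssh_settings.nasl", "ssh_get_info.nasl");
 script_require_keys("Host/uname");
 exit(0);
}

include("ssh_func.inc");
include("lockdown_functions.inc");

# Platform gate: only hosts whose stored uname string contains "Linux" are
# checked (`>!<` is the NASL "is not a substring of" operator).
host = get_kb_item("Host/uname");
if("Linux" >!< host)
{
 exit(0);
}

sock = ssh_login_or_reuse_connection();
if(sock)
{
 version = ssh_command(socket: sock, cmd: "mailutils-config -V", timeout: 60);
 ssh_close_connection();

 # No output (command missing, login shell problem, timeout): nothing to
 # compare, so do not report.
 if(!version)
 {
  exit(0);
 }

 # Affected version strings, matched line by line:
 #   0.0 - 0.5          0\.[0-5]
 #   0.6                0\.6 not followed by a digit or a dot
 #   0.6.0 - 0.6.89     0\.6\.[0-8][0-9]?
 # Two guards keep the match on a whole version number:
 #   - (^|[^0-9.]) in front, so the "0.5" inside a string such as "1.0.5"
 #     or "10.5" is not taken for an affected version;
 #   - ([^0-9]|$) behind, so a version at the very end of the output is
 #     still recognised when no further character follows it.
 # NOTE(review): "0.6.9" (single digit 9) is not matched; this mirrors the
 # earlier pattern - confirm whether such a release needs covering.
 if(egrep(pattern: "(^|[^0-9.])0\.([0-5]([^0-9]|$)|6([^0-9.]|$)|6\.[0-8][0-9]?([^0-9]|$))", string: version))
 {
  # NOTE(review): the finding is attached to port 22 regardless of the port
  # the SSH session actually used - confirm against the SSH settings.
  security_hole(port: 22);
  exit(0);
 }
}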