Some security issues and a vulnerability have been reported in Lotus Notes for Linux, which can be exploited by malicious, local users to gain escalated privileges or potentially by malicious people to compromise a user's system.
1) Files extracted from the installation kit archive are given world-writable permissions. This can be exploited to modify the installation kit and place malicious content, which is then later executed when the installer is run.
2) An error exists in setup.sh contained within the installation kit when setting permissions for the "installdata" binary. This can be exploited to replace the "installdata" file with a malicious binary, which is then later executed when setup.sh is run.
3) An error in the Lotus Notes client when processing specially-crafted SMTP responses can be exploited to crash the client or execute arbitrary code when a specific attachment is included in an SMTP message.
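For issues 1 and 2, a pre-install check of the extracted kit can be scripted. The following is an added example, not part of the advisory or of the vendor's installer; the function names are hypothetical and the kit path is whatever directory the archive was extracted into.

```shell
#!/bin/sh
# Added example (not vendor code): audit an extracted installation kit
# before running its setup.sh. The kit path is supplied by the caller.

# List world-writable files and directories under the kit. Symlinks are
# skipped because their own mode bits are not enforced.
kit_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# List entries owned by another account; such an owner can rewrite the
# entry regardless of its mode bits.
kit_foreign_owned() {
    find "$1" ! -user "$(id -u)" -print
}

# Return 0 only when the kit has no world-writable or foreign-owned
# entries; report findings on stderr. Return 2 on a bad argument.
audit_kit() {
    kit=$1
    if [ ! -d "$kit" ]; then
        echo "not a directory: $kit" >&2
        return 2
    fi
    ww=$(kit_world_writable "$kit")
    fo=$(kit_foreign_owned "$kit")
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww" >&2
    fi
    if [ -n "$fo" ]; then
        printf 'not owned by uid %s:\n%s\n' "$(id -u)" "$fo" >&2
    fi
    [ -z "$ww" ] && [ -z "$fo" ]
}

# Usage: sh audit_kit.sh /path/to/extracted/kit
if [ "$#" -gt 0 ]; then
    audit_kit "$1"
fi
```

A failed audit is a reason to re-extract the archive into a directory created with mode 0700 rather than to repair permissions in place, because files that were writable by other users may already have been changed.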
Subject: IBM Lotus Notes Client Insecure File Permissions and SMTP Vulnerability