[Original text] qpopper POP server creates lock files with predictable names, which allows local users to cause a denial of service for other users (lack of mail access) by creating lock files for other mail boxes.
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.
Vulnerabilities exist in a number of POP3 daemon implementations, having to do with their creation of lock files. Affected implementations include Qualcomm's qpopper and the popd included as part of the imap-4 rpm from RedHat. Lock files in both implementations are created with consistent local file names: the RedHat popd in /tmp, with a fairly random name (albeit consistent for a given user), and in the mail spool directory, with the user name prepended by a "." and appended with ".pop". Creation of either of these files will prevent the popd user from being able to establish a connection to retrieve their mail.
The FreeBSD port of imap-uw contains this vulnerability. It is not, however, included as a standard part of a FreeBSD install.
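
A defensive check for the mail spool case described above, as an added example that is not part of the original advisory or of either daemon: it lists ".<user>.pop" files in a spool directory that name an unknown user, are owned by someone other than the named mailbox user, or have sat there longer than a threshold. The function name, the trusted-uid default, the 30-minute threshold and the premise that a legitimate lock is owned by the mailbox user or root are assumptions of this example.

```python
import os
import pwd
import time


def audit_pop_locks(spool_dir, uid_of=None, now=None, max_age=1800, trusted_uids=(0,)):
    """Return (file name, reason) pairs for suspicious '.<user>.pop' files.

    uid_of maps a user name to a uid, or None if the user does not exist
    (default: passwd lookup). max_age and trusted_uids are assumed defaults.
    """
    if uid_of is None:
        def uid_of(name):
            try:
                return pwd.getpwnam(name).pw_uid
            except KeyError:
                return None
    now = time.time() if now is None else now
    findings = []
    for entry in sorted(os.listdir(spool_dir)):
        # Lock name pattern from the advisory: "." + user name + ".pop"
        if not (entry.startswith(".") and entry.endswith(".pop") and len(entry) > 5):
            continue
        user = entry[1:-4]
        # lstat so a symlink planted under the lock name is judged itself
        st = os.lstat(os.path.join(spool_dir, entry))
        expected = uid_of(user)
        if expected is None:
            findings.append((entry, "no such user"))
        elif st.st_uid not in set(trusted_uids) | {expected}:
            findings.append((entry, "owned by uid %d, expected %d" % (st.st_uid, expected)))
        elif now - st.st_mtime > max_age:
            findings.append((entry, "stale"))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: script.py <mail spool directory>
    for name, reason in audit_pop_locks(sys.argv[1]):
        print("%s: %s" % (name, reason))
```

A lock reported with a foreign owner is the condition the advisory describes; a stale lock owned by the right user more likely points to a crashed session.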