Bug 133149 - net-mail/dovecot: Security hole with mboxes (CVE-2006-2414)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa] DerCorny
Reported: 2006-05-12 14:24 UTC by Jan Kundrát (RETIRED)
Modified: 2006-05-16 08:42 UTC
Description Jan Kundrát (RETIRED) gentoo-dev 2006-05-12 14:24:15 UTC
Fixed in 1.0-beta8:

"Fixed a security hole with mbox: "1 LIST .. *" command could list all directories and files under the mbox root directory, so if your mails were stored in eg. /var/mail/%u/ directory, the command would list everything under /var/mail."

http://dovecot.org/list/dovecot/2006-May/013385.html
http://dovecot.org/list/dovecot/2006-May/013386.html
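
The traversal described in the changelog entry above, as an added example that is not Dovecot's code or its actual fix: a lexical check that keeps an IMAP LIST reference and pattern inside the per-user mbox root. The function names, the user "alice" and the sample requests are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Dovecot's code): true when an IMAP LIST reference
 * or pattern may be appended to the per-user mbox root. Purely lexical: it
 * rejects absolute paths, "~" expansion and any "." or ".." component.
 * Symlinks under the root are out of scope for this check. */
bool mailbox_name_is_contained(const char *name)
{
    if (name[0] == '/' || name[0] == '~')
        return false;
    for (const char *p = name; *p != '\0'; ) {
        size_t len = strcspn(p, "/");          /* length of this component */
        if ((len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return false;
        p += len;
        if (*p == '/')
            p++;                               /* skip the separator */
    }
    return true;
}

/* Hypothetical: builds the directory a LIST would scan. Returns 0 and fills
 * out on success, -1 when the request is rejected or does not fit. */
int list_base_path(const char *root, const char *reference,
                   const char *pattern, char *out, size_t outlen)
{
    if (!mailbox_name_is_contained(reference) ||
        !mailbox_name_is_contained(pattern))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", root, reference);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: user "alice" with mbox root /var/mail/alice. */
    const char *root = "/var/mail/alice";
    const char *requests[][2] = { {"..", "*"}, {"", "*"}, {"lists", "dev/*"},
                                  {"", "../bob/*"}, {"/etc", "*"} };
    char path[256];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int rc = list_base_path(root, requests[i][0], requests[i][1],
                                path, sizeof path);
        printf("LIST \"%s\" \"%s\" -> %s\n", requests[i][0], requests[i][1],
               rc == 0 ? path : "rejected");
    }
    return 0;
}
```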
Comment 1 Roy Marples (RETIRED) gentoo-dev 2006-05-12 14:53:50 UTC
I've been bumping dovecot of late - want me to put beta 8 in g2boojum to fix this?
Comment 2 Roy Marples (RETIRED) gentoo-dev 2006-05-12 15:18:45 UTC
I've quickly tested beta8 on my server - seems to work OK so I've put it in portage.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-13 03:50:36 UTC
Dear arches, please test and mark 1.0_beta8 stable, thanks.
Comment 4 Krzysztof Pawlik (RETIRED) gentoo-dev 2006-05-13 05:19:43 UTC
Stable on x86.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2006-05-13 06:01:34 UTC
Dear security team, sparc stable.
Comment 6 Fernando J. Pereda (RETIRED) gentoo-dev 2006-05-13 10:30:14 UTC
Stable in the almighty Alpha Architecture!
Comment 7 Thomas Cort (RETIRED) gentoo-dev 2006-05-13 14:40:32 UTC
(In reply to comment #3)
> Dear arches, please test and mark 1.0_beta8 stable, thanks.

I talked with DerCorny on IRC and since amd64 doesn't have any versions of dovecot stable and the latest version is a "beta", we won't be marking this one stable. Please re-add us if people really do want amd64 to mark it stable.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2006-05-14 09:53:30 UTC
ppc stable
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-05-14 10:03:40 UTC
Voting no, I fail to see the big security impact
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-14 11:50:00 UTC
yet another no
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-14 15:09:36 UTC
another no
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-14 22:38:23 UTC
Closing without GLSA.