FTA zlib plugin allows opening gzipped mboxes as read-only mailboxes. However when using it, the mailbox name checks are bypassed so it's possible to open for example "../otheruser/somefile.gz". Only valid gzipped mbox files can be opened, and only if their name ends with ".gz".

You can fix this by upgrading to v1.0.rc29 (available soon) or with this patch: http://dovecot.org/list/dovecot-cvs/2007-March/008488.html

I don't think this matters much though. zlib plugin is rarely used, and those who do use it are probably using Dovecot with system users (per-user UIDs), so the imap process wouldn't have access to other users' mbox files anyway.

I found this problem when I was cleaning up the code in CVS HEAD.

--------------------------------------------------------------------------

I've added dovecot-1.0_rc29 to portage. This should not affect us by default as 1, we don't use any plugins by default and 2, we use maildir as default.
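The bypass described in the report is a mailbox name reaching the plugin without the usual traversal checks. The following is an added example, not Dovecot's code and not the linked patch: a hypothetical `mailbox_name_is_safe()` that applies the kind of check the plugin skipped, confining a name to the user's mail directory and to the ".gz" suffix the plugin handles.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check (not Dovecot's code): a mailbox name handed to the
 * zlib plugin must stay inside the user's mail directory and must name a
 * gzipped mbox. Reject absolute paths, empty components, "." or ".."
 * components, control characters, and anything not ending in ".gz". */
static bool mailbox_name_is_safe(const char *name)
{
    const char *p, *seg;
    size_t len;

    if (name == NULL || *name == '\0' || *name == '/')
        return false;

    /* walk the name one '/'-separated component at a time */
    for (seg = name; ; seg = p + 1) {
        p = strchr(seg, '/');
        size_t seglen = p != NULL ? (size_t)(p - seg) : strlen(seg);

        if (seglen == 0)                       /* "a//b" or trailing '/' */
            return false;
        if (seg[0] == '.' &&
            (seglen == 1 || (seglen == 2 && seg[1] == '.')))
            return false;                      /* "." or ".." component */
        if (p == NULL)
            break;
    }

    /* control characters never belong in a mailbox name */
    for (p = name; *p != '\0'; p++)
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            return false;

    /* the plugin only handles files whose name ends with ".gz" */
    len = strlen(name);
    return len > 3 && strcmp(name + len - 3, ".gz") == 0;
}

int main(void)
{
    /* constructed sample names, including the one from the report */
    const char *names[] = { "INBOX.gz", "lists/dovecot.gz",
                            "../otheruser/somefile.gz", "/etc/passwd.gz",
                            "plain.mbox" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-28s %s\n", names[i],
               mailbox_name_is_safe(names[i]) ? "accepted" : "rejected");
    return 0;
}
```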
Thx Roy. Arches please test and mark stable. Target keywords are: dovecot-1.0_rc28.ebuild:KEYWORDS="alpha amd64 ppc sparc x86 ~x86-fbsd"
(In reply to comment #1)
> Thx Roy.
>
> Arches please test and mark stable. Target keywords are:
>
> dovecot-1.0_rc28.ebuild:KEYWORDS="alpha amd64 ppc sparc x86 ~x86-fbsd"

Um, _rc29 is the one with the security fix.

x86 stable
ppc stable
alpha stable
sparc stable.
Stable on amd64
This one is ready for GLSA decision. I vote NO.
voting NO too.
Closing. Feel free to reopen if you disagree.
*** Bug 186225 has been marked as a duplicate of this bug. ***