Bug 203731 (CVE-2007-6598) - net-mail/dovecot < 1.0.10 LDAP/auth cache may mix up user logins (CVE-2007-6598)
Summary: net-mail/dovecot < 1.0.10 LDAP/auth cache may mix up user logins (CVE-2007-6598)
Status: RESOLVED FIXED
Alias: CVE-2007-6598
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://dovecot.org/list/dovecot/2007-...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks: 201686
Reported: 2007-12-30 00:37 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-22 11:10 UTC (History)
Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-30 00:37:30 UTC
Dovecot allows users to log in as other users when the two use the same password when LDAP+auth cache is enabled under some circumstances.

Fixed in 1.0.10, patch here:
http://hg.dovecot.org/dovecot-1.0/raw-rev/2cedab21cd6d

Wolfram, according to upstream this vulnerability was introduced in "v1.0.rc11", so our current stable is affected. Is 1.0.10 good to go stable or would you advise to patch 1.0.5?
Comment 1 Lubomir Rintel 2008-01-02 14:21:04 UTC
Is this really a security issue? When a user knows another user's password is the same as his own, he can log in as himself even without a security flaw -- can't he?
Comment 2 Wolfram Schlich (RETIRED) gentoo-dev 2008-01-02 21:26:36 UTC
(In reply to comment #0)
> Is 1.0.10 good to go stable or would you advise to patch 1.0.5?

Well, I can only say I haven't experienced any issues with
1.0.10 so far and as quite some functional bugs have been
fixed since 1.0.5, I'd rather prefer stabling 1.0.10.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-01-03 02:16:58 UTC
(In reply to comment #1)
> Is this really a security issue? When a user knows another user's password is
> the same as his own, he can log in as himself even without a security flaw --
> can't he?

If the attack is targeted at a certain user, you are right. However, by setting a weak password for a user account, an attacker could try to brute-force all accounts (which are active, i.e. logged in within the last cache timeframe) with only one step. This could save some time when a large number of users is present on one system.
Besides that, it might disclose data to users who might not even be of bad intent.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-01-03 02:17:24 UTC
Arches, please test and mark stable net-mail/dovecot-1.0.10.
Target keywords : "alpha amd64 ppc sparc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-01-03 08:09:16 UTC
x86 stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-06 18:21:41 UTC
ppc stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-01-07 12:28:26 UTC
alpha/sparc stable
Comment 8 Peter Weller (RETIRED) gentoo-dev 2008-01-22 10:39:09 UTC
amd64 done.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-22 11:08:21 UTC
This one is ready for GLSA vote. I vote NO.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-22 11:10:45 UTC
voting NO too, and closing.