
Bug 213030 (CVE-2008-1218)

Summary: net-mail/dovecot <1.0.13 Argument injection vulnerability (CVE-2008-1218)
Product: Gentoo Security
Reporter: Lars Hartmann <lars>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: net-mail+disabled, thoger
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1218
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 212336
Bug Blocks:

Description Lars Hartmann 2008-03-11 12:43:07 UTC
from the CVE:
Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified.

Solution:
Update to 1.0.13
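The CVE text above describes the mechanism only in one sentence: a blocking passdb request is serialised as TAB-separated fields, a password is spliced in unescaped, and the worker honours a skip_password_check field it finds in the parsed request. The model below is an added illustration of that flow and is not Dovecot's own code or protocol: the "PASSV" verb, the key=value token layout and the literal skip_password_check=y field are assumptions drawn from the CVE wording, and the hardened serialiser, which refuses delimiter bytes in credentials, is one reasonable fix rather than the exact change shipped in 1.0.13.

```python
# Added illustration of the CVE-2008-1218 mechanism. Not Dovecot's code: the
# request layout ("PASSV", key=value tokens) and the skip_password_check=y
# field are assumptions modelled on the CVE text, and the hardened builder
# is one possible fix, not necessarily the change made in 1.0.13.

FIELD_SEP = "\t"   # blocking passdb requests are modelled as TAB-separated fields


def build_request(user: str, password: str) -> str:
    """Vulnerable serialiser: the password is spliced in unescaped, so a TAB
    inside it becomes a field boundary when the worker parses the line."""
    return FIELD_SEP.join(["PASSV", "user=" + user, "password=" + password])


def build_request_fixed(user: str, password: str) -> str:
    """Hardened serialiser: refuse credentials that contain delimiter bytes
    (TAB or newline) instead of letting them be parsed as extra fields."""
    for value in (user, password):
        if FIELD_SEP in value or "\n" in value:
            raise ValueError("credential contains a field delimiter")
    return build_request(user, password)


def parse_request(line: str) -> dict:
    """Worker side: split on TAB and accept every key=value token as a field,
    with no check on which fields the client side is allowed to set."""
    fields = {}
    for token in line.split(FIELD_SEP)[1:]:      # drop the "PASSV" verb
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def worker_verify(fields: dict, stored_password: str) -> bool:
    """Worker decision: an injected skip_password_check field short-circuits
    the comparison against the stored password."""
    if fields.get("skip_password_check") == "y":
        return True
    return fields.get("password") == stored_password


def login_vulnerable(user: str, supplied: str, stored: str) -> bool:
    """End-to-end login through the vulnerable serialiser."""
    return worker_verify(parse_request(build_request(user, supplied)), stored)


def login_fixed(user: str, supplied: str, stored: str) -> bool:
    """End-to-end login through the hardened serialiser; fails closed."""
    try:
        request = build_request_fixed(user, supplied)
    except ValueError:
        return False      # a credential carrying a delimiter is treated as a bad login
    return worker_verify(parse_request(request), stored)


if __name__ == "__main__":
    # Constructed sample credentials; the attacker never learns STORED.
    STORED = "s3cret"
    INJECTED = "wrong\tskip_password_check=y"   # attacker-controlled password
    print(build_request("alice", INJECTED).replace("\t", "<TAB>"))
    print("vulnerable:", login_vulnerable("alice", INJECTED, STORED))   # True
    print("fixed:     ", login_fixed("alice", INJECTED, STORED))        # False
```

Rejecting delimiters on the sending side closes this particular hole, but the worker in the model still accepts any field name the line carries. A defence-in-depth change would also have the worker ignore privileged fields such as skip_password_check unless they originate from its own trusted lookup rather than from the client-derived request.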
Comment 1 Lars Hartmann 2008-03-11 12:45:13 UTC
maintainers - please provide an updated ebuild
Comment 2 Wolfram Schlich (RETIRED) gentoo-dev 2008-03-11 14:03:52 UTC
already in portage since 2008-03-10.

there is already another dovecot security bug open that involves
stabling =1.0.13: bug #212336
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-11 16:42:54 UTC
Thanks Wolfram. Stabling is handled on bug #212336. Since it's also C3, we can vote for a GLSA for both bugs here. I tend to vote YES.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-11 18:35:52 UTC
Voting YES as well and filing request.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-12 01:10:40 UTC
Please note that the password issue never affected any stable ebuild and should therefore not be considered for the GLSA.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-03-12 01:21:44 UTC
CVE-2008-1271 will be rejected as a dupe.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 12:17:25 UTC
GLSA 200803-25