Bug#: 212336
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>
Bug 212336 blocks: 213030

Description:   Opened: 2008-03-05 00:43 0000
mail_extra_groups=mail is enabled by USE=mbox, but can also be enabled by
users.
It might, however, lead to disclosure of local files with gid=mail.

Dovecot 1.0.11 and 1.1.rc2 fix this by introducing a new setting
mail_privileged_group. Details at $URL, please also note the last mails about a
"permission denied" error and the patch.

------- Comment #1 From Torsten Veller 2008-03-07 06:02:37 0000 -------
CC'ing wschlich.
Please add yourself to metadata.xml

------- Comment #2 From Wolfram Schlich 2008-03-09 13:18:58 0000 -------
1.0.11 and 1.1.rc2 are both in portage.
But as 1.0.13 and 1.1.rc3 have been released meanwhile and fix quite
some bugs, we should wait until those have made it into portage.
Currently I'm waiting for the updates of the managesieve patch
(shouldn't take longer than 1 or 2 days I guess).

------- Comment #3 From Wolfram Schlich 2008-03-10 10:09:28 0000 -------
1.0.13 and 1.1_rc3 are now in portage.
Feel free to test and mark stable.

------- Comment #4 From Robert Buchholz 2008-03-10 11:43:12 0000 -------
Thanks.

Arches, please test and mark stable:
=net-mail/dovecot-1.0.13
Target keywords : "alpha amd64 ppc release sparc x86"

------- Comment #5 From Wolfram Schlich 2008-03-11 16:27:23 0000 -------
It might be worth trying to stable 1.0.13-r1 instead of 1.0.13... I added
a patch from the upstream mercurial repo that fixes a crash.

------- Comment #6 From Christian Faulhammer 2008-03-12 07:49:55 0000 -------
x86 stable

------- Comment #7 From Raúl Porcel 2008-03-12 15:38:11 0000 -------
alpha/sparc stable

------- Comment #8 From Steve Dibb 2008-03-14 01:16:51 0000 -------
amd64 stable

------- Comment #9 From Tobias Scherbaum 2008-03-14 08:08:42 0000 -------
ppc stable

------- Comment #10 From Peter Volkov 2008-03-14 17:59:34 0000 -------
Fixed in release snapshot.

------- Comment #11 From Robert Buchholz 2008-03-14 22:40:48 0000 -------
Wolfram, I just realized the ebuild magic that auto-enabled mail_extra_groups
was not adapted to handle the new mail_privileged_group setting.
Was that intentional? If not, and it might be disruptive for users with
USE=mbox, we should re-stable a fixed version.

------- Comment #12 From Wolfram Schlich 2008-03-18 09:51:07 0000 -------
(In reply to comment #11)
> Wolfram, I just realized the ebuild magic that auto-enabled mail_extra_groups
> was not adapted to handle the new mail_privileged_group setting.
> Was that intentional? If not, and it might be disruptive for users with
> USE=mbox, we should re-stable a fixed version.

Sorry, I already fixed the stabled versions...

  15 Mar 2008; Wolfram Schlich <wschlich@gentoo.org>
  dovecot-1.0.13-r1.ebuild, dovecot-1.1_rc3-r1.ebuild:
  fix mail group setting (thanks to rbu)

------- Comment #13 From Robert Buchholz 2008-03-18 12:17:18 0000 -------
GLSA 200803-25
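
The description and comment #11 both turn on which of the two settings is active in a given dovecot.conf. The script below is an added example, not part of the bug report or the Gentoo ebuild, that classifies a config file accordingly. The function names and both sample configs are constructed for illustration, and it assumes plain top-level `key = value` lines (nested `protocol { }` overrides are not tracked).

```shell
#!/bin/sh
# Added example: report which mail group setting a dovecot.conf has active.
# Assumption: only top-level "key = value" lines are considered.

# effective_value KEY FILE: value of the last uncommented assignment of KEY.
effective_value() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1
}

# audit_mail_groups FILE: prints extra_groups | privileged_group | both | none
audit_mail_groups() {
    extra=$(effective_value mail_extra_groups "$1")
    priv=$(effective_value mail_privileged_group "$1")
    if [ -n "$extra" ] && [ -n "$priv" ]; then
        echo both               # old setting still active next to the new one
    elif [ -n "$extra" ]; then
        echo extra_groups       # the setting this bug is about
    elif [ -n "$priv" ]; then
        echo privileged_group   # migrated to the new setting
    else
        echo none
    fi
}

# Constructed sample configs (not taken from the ebuild).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/old.conf" <<'EOF'
# constructed sample: old setting enabled, as with USE=mbox
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_extra_groups = mail
EOF

cat > "$tmp/new.conf" <<'EOF'
# constructed sample: after switching to the new setting
mail_location = mbox:~/mail:INBOX=/var/mail/%u
#mail_extra_groups = mail
mail_privileged_group = mail   # replaces mail_extra_groups
EOF

for f in old new; do
    printf '%s.conf: %s\n' "$f" "$(audit_mail_groups "$tmp/$f.conf")"
done
```

A result of `extra_groups` or `both` means the file still carries the old setting and should be reviewed after upgrading to a fixed version.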
