Gentoo Bug 213030 - net-mail/dovecot <1.0.13 Argument injection vulnerability (CVE-2008-1218)

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bug#:	213030
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	FIXED
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Lars Hartmann <lars@chaotika.org>
Add CC:
CC:	Remove selected CCs

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 213030 depends on:	212336		Show dependency tree
Bug 213030 blocks:			Show dependency tree

Additional Comments: (this is where you put emerge --info)

Add to CC list

Not eligible to see or edit group visibility for this bug.

Leave as RESOLVED FIXED
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2008-03-11 12:43 0000

from the CVE:
Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x
before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass
the password check via a password containing TAB characters, which are treated
as argument delimiters that enable the skip_password_check field to be
specified.

Solution:
Update to 1.0.13

------- Comment #1 From Lars Hartmann 2008-03-11 12:45:13 0000 -------

maintainers - please provide an updated ebuild

------- Comment #2 From Wolfram Schlich 2008-03-11 14:03:52 0000 -------

already in portage since 2008-03-10.

there is already another dovecot security bug open that involves
stabling =1.0.13: bug #212336

------- Comment #3 From Pierre-Yves Rofes 2008-03-11 16:42:54 0000 -------

Thanks Wolfram. stabling is handled on bug #212336. since it's also C3, we can
vote for GLSA for both bugs here. I tend to vote YES.

------- Comment #4 From Tobias Heinlein 2008-03-11 18:35:52 0000 -------

Voting YES as well and filing request.

------- Comment #5 From Robert Buchholz 2008-03-12 01:10:40 0000 -------

Pleaase not that the password issue never affected any stable ebuild and is
should therefore not be considered for the GLSA.

------- Comment #6 From Robert Buchholz 2008-03-12 01:21:44 0000 -------

CVE-2008-1271 will be rejected as a dupe.

------- Comment #7 From Robert Buchholz 2008-03-18 12:17:25 0000 -------

GLSA 200803-25

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bugzilla Bug 213030

net-mail/dovecot <1.0.13 Argument injection vulnerability (CVE-2008-1218)

Last modified: 2008-03-18 12:17:25 0000