Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 293954 (CVE-2009-3897) - <net-mail/dovecot-1.2.8 Information Disclosure (CVE-2009-3897)
Summary: <net-mail/dovecot-1.2.8 Information Disclosure (CVE-2009-3897)
Status: RESOLVED FIXED
Alias: CVE-2009-3897
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.dovecot.org/list/dovecot-n...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 289885 CVE-2010-0745
Blocks:
  Show dependency tree
 
Reported: 2009-11-21 13:30 UTC by Alexander Stoll
Modified: 2011-10-10 20:25 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
dovecot.patch (dovecot.patch,2.31 KB, text/plain)
2009-12-02 21:27 UTC, William Hubbs 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Stoll 2009-11-21 13:30:24 UTC 
Upstream has released new version 1.2.8 which is flagged as a security release fixing a vulnerability for all 1.2 releases which allows local users logging in as other users...

Bump should be trivial.

Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-26 08:25:46 UTC 
CVE-2009-3897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897):
  Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of
  certain directories at installation time, which allows local users to
  access arbitrary user accounts by replacing the auth socket, related
  to the parent directories of the base_dir directory, and possibly the
  base_dir directory itself.
Comment 2 William Hubbs gentoo-dev 2009-12-02 21:27:20 UTC 
Created attachment 211822 [details]
dovecot.patch

Here is a patch which should be applied when you do the version bump that does
a couple of things.

It will fix mkcert.sh so that it installs the ssl certificate and key where
they need to be installed, and it fixes the ebuild to install the
documentation.
Comment 3 William Hubbs gentoo-dev 2009-12-02 22:20:00 UTC 
All,

I have committed dovecot-1.2.8 to the tree.  There still needs to be some keywording done before we can take it to stable; I am updating the dependencies to reflect that.
Comment 4 Petteri Räty (RETIRED) gentoo-dev 2010-03-07 12:17:38 UTC 
We should get this security issue fixed in stable. net-mail/security: time to add arches?
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-10 15:19:10 UTC 
Please wait, we need v1.2.11.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-07-14 17:01:51 UTC 
bug 314533 handles the stabilization of a newer version. bug will be ready for glsa once that is done.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:32:05 UTC 
(In reply to comment #6)
> bug 314533 handles the stabilization of a newer version. bug will be ready for
> glsa once that is done.
> 

Stabilization complete; adding to exiting GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2011-10-10 20:25:09 UTC 
This issue was resolved and addressed in
 GLSA 201110-04 at http://security.gentoo.org/glsa/glsa-201110-04.xml
by GLSA coordinator Stefan Behte (craig).