Bug 212336 (CVE-2008-1199)

Summary: net-mail/dovecot <1.0.13-r1 mail_extra_groups might lead to file disclosure (CVE-2008-1199)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: net-mail+disabled, wschlich
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://thread.gmane.org/gmane.mail.imap.dovecot/28176
Whiteboard: C3 [glsa]
Runtime testing required: ---
Bug Blocks: 213030

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 00:43:21 UTC
mail_extra_groups=mail is enabled by USE=mbox, but can also be enabled by users.
It might, however, lead to disclosure of local files with gid=mail.

Dovecot 1.0.11 and 1.1.rc2 fix this by introducing a new setting mail_privileged_group. Details at $URL, please also note the last mails about a "permission denied" error and the patch.
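As an added example (not from the bug report, the Dovecot thread or the Gentoo ebuild), here is a small POSIX shell audit that reads a dovecot.conf and flags the setting the description warns about: `mail_extra_groups = mail` keeps the mail group on the user's mail process for the whole session, whereas the replacement `mail_privileged_group` only enables the group briefly for INBOX creation and dotlocking. The two configuration files are constructed samples, and `dovecot_setting` and `check_dovecot_conf` are helper names chosen here.

```shell
#!/bin/sh
# Added example: audit a dovecot.conf for mail_extra_groups granting gid mail
# (the CVE-2008-1199 setting) and for the safer mail_privileged_group.
# check_dovecot_conf returns 0 when the mail group is not in mail_extra_groups
# and 1 when it is.

# Print the value of one "key = value" setting, ignoring comment lines.
# Usage: dovecot_setting FILE KEY   (last assignment wins, as in Dovecot)
dovecot_setting() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Usage: check_dovecot_conf FILE
check_dovecot_conf() {
    file=$1
    # mail_extra_groups is a comma-separated list; drop spaces before matching.
    extra=$(dovecot_setting "$file" mail_extra_groups | tr -d ' ')
    priv=$(dovecot_setting "$file" mail_privileged_group)
    case ",$extra," in
        *,mail,*)
            echo "$file: mail_extra_groups grants gid mail to the mail process for the whole session"
            [ -n "$priv" ] || echo "$file: use 'mail_privileged_group = mail' instead (Dovecot >= 1.0.11)"
            return 1 ;;
    esac
    echo "$file: ok (mail_privileged_group = ${priv:-unset})"
    return 0
}

# Constructed sample configs (not taken from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/weak.conf" <<'EOF'
# dovecot.conf, pre-1.0.11 style (constructed sample)
mail_location = mbox:~/mail:INBOX=/var/mail/%u
# The mail process keeps gid mail for the whole session, so every file
# readable by group mail is reachable from a user's IMAP/POP3 session.
mail_extra_groups = mail
EOF

cat > "$tmp/fixed.conf" <<'EOF'
# dovecot.conf, 1.0.11+ (constructed sample)
mail_location = mbox:~/mail:INBOX=/var/mail/%u
# The group is enabled only temporarily, for creating /var/mail/%u or its
# dotlock when the unprivileged attempt fails.
mail_privileged_group = mail
EOF

# Run the audit over both samples without aborting on the expected failure.
for f in "$tmp/weak.conf" "$tmp/fixed.conf"; do
    check_dovecot_conf "$f" || :
done
```

Run it as `sh audit.sh`; on a real system point `check_dovecot_conf` at `/etc/dovecot/dovecot.conf`. The check looks only at the two settings the bug concerns; a USE=mbox Gentoo install of the affected ebuild would have had the first form written in by the ebuild itself, which is what comment 11 and the 15 Mar 2008 ChangeLog entry below correct.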
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2008-03-07 06:02:37 UTC
CC'ing wschlich.
Please add yourself to metadata.xml
Comment 2 Wolfram Schlich (RETIRED) gentoo-dev 2008-03-09 13:18:58 UTC
1.0.11 and 1.1.rc2 are both in portage.
But as 1.0.13 and 1.1.rc3 have been released meanwhile and fix quite
some bugs, we should wait until those have made it into portage.
Currently I'm waiting for the updates of the managesieve patch
(shouldn't take longer than 1 or 2 days I guess).
Comment 3 Wolfram Schlich (RETIRED) gentoo-dev 2008-03-10 10:09:28 UTC
1.0.13 and 1.1_rc3 are now in portage.
Feel free to test and mark stable.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-10 11:43:12 UTC
Thanks.

Arches, please test and mark stable:
=net-mail/dovecot-1.0.13
Target keywords : "alpha amd64 ppc release sparc x86"
Comment 5 Wolfram Schlich (RETIRED) gentoo-dev 2008-03-11 16:27:23 UTC
It might be worth trying to stable 1.0.13-r1 instead of 1.0.13... I added
a patch from the upstream mercurial repo that fixes a crash.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-12 07:49:55 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-03-12 15:38:11 UTC
alpha/sparc stable
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2008-03-14 01:16:51 UTC
amd64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-14 08:08:42 UTC
ppc stable
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2008-03-14 17:59:34 UTC
Fixed in release snapshot.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-03-14 22:40:48 UTC
Wolfram, I just realized the ebuild magic that auto-enabled mail_extra_groups was not adapted to handle the new mail_privileged_group setting.
Was that intentional? If not, and it might be disruptive for users with USE=mbox, we should re-stable a fixed version.
Comment 12 Wolfram Schlich (RETIRED) gentoo-dev 2008-03-18 09:51:07 UTC
(In reply to comment #11)
> Wolfram, I just realized the ebuild magic that auto-enabled mail_extra_groups
> was not adapted to handle the new mail_privileged_group setting.
> Was that intentional? If not, and it might be disruptive for users with
> USE=mbox, we should re-stable a fixed version.

Sorry, I already fixed the stabled versions...

  15 Mar 2008; Wolfram Schlich <wschlich@gentoo.org>
  dovecot-1.0.13-r1.ebuild, dovecot-1.1_rc3-r1.ebuild:
  fix mail group setting (thanks to rbu)
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 12:17:18 UTC
GLSA 200803-25