Bug 245316 (CVE-2008-4870)

Comment 1 Stefan Behte (RETIRED) 2008-11-02 19:54:26 UTC

We also leave that file world-readable.

Comment 2 Wolfram Schlich (RETIRED) 2008-11-03 17:25:43 UTC

fixed in 1.1.6-r1. thanks!

Comment 3 Stefan Behte (RETIRED) 2008-11-03 18:22:00 UTC

Arches, please test and mark stable.

I've installed 1.1.6-r1 and my dovecot.conf was still world readable.

Comment 5 Stefan Behte (RETIRED) 2008-11-03 19:25:03 UTC

For me, it's ok:
ls -l /etc/dovecot/dovecot.conf
-rw------- 1 root root 46584 Nov  3 20:21 /etc/dovecot/dovecot.conf

Comment 6 Markus Meier 2008-11-03 22:10:42 UTC

not fixed, too (was an upgrade from 1.1.6, probably portage doesn't do this right?). besides dovecot.conf doesn't seem to be replaced.

 # ls -l /etc/dovecot/
total 60
-rw-r--r-- 1 root root   410 Nov  3 22:07 dovecot-db-example.conf
-rw------- 1 root root  4883 Nov  3 22:07 dovecot-ldap.conf
-rw-r--r-- 1 root root 46637 Nov  2 00:54 dovecot.conf

Comment 7 Stefan Behte (RETIRED) 2008-11-03 22:24:01 UTC

I did a fresh install.
Didn't portage show up with a new dovecot.conf? I've got no time for tests right now.

Comment 8 Tobias Klausmann (RETIRED) 2008-11-08 20:52:35 UTC

Stable on alpha.

Comment 9 Robert Buchholz (RETIRED) 2008-11-27 16:50:57 UTC

wschlich, please advise on the status of this bug. Both Andreas and Markus claim this is not fixed in upgrade-scenarios.

Comment 10 Wolfram Schlich (RETIRED) 2008-11-28 08:16:43 UTC

Sorry, I've added some pkg_preinst() magic in 1.1.7.

Comment 11 Stefan Behte (RETIRED) 2008-11-28 12:23:24 UTC

Confirmed to work, thanks Wolfram.
Arches: Please test and mark stable:
'=net-mail/dovecot-1.1.7'

This patch broke getmail injection through dovecot's local delivery agent (/usr/libexec/dovecot/deliver), because it tries read dovecot.conf without root permission.

Obvious fix for me: usr /usr/sbin/sendmail -G -i -t

But now there's a big BUT...

recent dovecot suggests that dovecot.conf is world-readable and one should put ssl_key_password in an EXTRA file (permission 0600) and to include_try that.
Now we see one possible reasoning for that suggestion.

Comment 13 Tobias Scherbaum (RETIRED) 2008-11-29 16:27:45 UTC

(In reply to comment #12)
> This patch broke getmail injection through dovecot's local delivery agent
> (/usr/libexec/dovecot/deliver), because it tries read dovecot.conf without root
> permission.
> 
> Obvious fix for me: usr /usr/sbin/sendmail -G -i -t
> 
> But now there's a big BUT...
> 
> recent dovecot suggests that dovecot.conf is world-readable and one should put
> ssl_key_password in an EXTRA file (permission 0600) and to include_try that.
> Now we see one possible reasoning for that suggestion.
> 

@Wolfram: please advise ...

Comment 14 Wolfram Schlich (RETIRED) 2008-11-29 20:35:34 UTC

Committed 1.1.7-r1:
Removed the code to forcibly change dovecot.conf permissions to 0600
and added a big fat warning to pkg_postinst().
That's it from my side.

Comment 15 Markus Meier 2008-11-30 16:27:32 UTC

amd64/x86 stable

Comment 16 Tobias Scherbaum (RETIRED) 2008-12-06 18:58:42 UTC

ppc stable

Comment 17 Raúl Porcel (RETIRED) 2008-12-08 16:37:13 UTC

alpha/sparc stable

Comment 18 Tobias Heinlein (RETIRED) 2008-12-15 13:55:13 UTC

GLSA 200812-16, thanks everyone, sorry about the delay.