
Bug 286844 (CVE-2009-3235)

Summary: <=net-mail/dovecot-1.1.7-r1: Remote code execution in sieve plugin (CVE-2009-3235)
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: bugs+gentoo, net-mail+disabled, patrick
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.dovecot.org/list/dovecot-news/2009-September/000135.html
Whiteboard: C1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 285211, 314533
Bug Blocks:

Description Michael Orlitzky gentoo-dev 2009-09-28 20:35:52 UTC
The author of Dovecot recently discovered a number of holes in the libsieve implementation of the Sieve protocol:

  http://www.dovecot.org/list/dovecot-news/2009-September/000135.html

The versions of Sieve distributed with the 1.1.x releases of Dovecot on Gentoo are vulnerable. This includes the only stable version.

Suggested fix: address bug #285211.

  http://bugs.gentoo.org/show_bug.cgi?id=285211

Alternately, it might be safe to just bump the version of Sieve from within the ebuilds.
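The practical question behind this bug is which installed net-mail/dovecot versions fall inside the affected range. The following is an added example, not code from the bug, from Gentoo or from Dovecot: it reads `qlist -Iv`-style "category/package-version" lines and classifies dovecot versions against the range named in the summary (<=1.1.7-r1 vulnerable) and the version the stabilisation request names as the fix (1.1.19). The version comparator is an assumption: a simplified form of the Gentoo rules that handles numeric components and an optional -rN revision and rejects anything else (for example _rc suffixes) instead of mis-ordering it. The sample input is constructed, not taken from a real host.

```python
"""Triage helper for bug 286844: classify installed net-mail/dovecot versions.

Added example, not part of the bug or of Gentoo's own tooling.  Affected
range taken from the bug page: <=1.1.7-r1 is the summary's vulnerable range,
1.1.19 is the version the arches were asked to stabilise.  The comparator is a
simplified assumption: numeric components plus optional -rN revision only.
"""
import re
import sys
from typing import List, Tuple

AFFECTED_PKG = "net-mail/dovecot"
VULNERABLE_MAX = "1.1.7-r1"   # from the bug summary
FIXED_VERSION = "1.1.19"      # from comment 3 (stabilisation request)

# numeric dotted version with optional Gentoo revision, e.g. 1.1.7-r1
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
# category/package-version: the version starts at the first "-" followed by a digit
_ATOM_RE = re.compile(r"^(.+?)-(\d.*)$")


def parse_version(ver: str) -> Tuple[List[int], int]:
    """Split '1.1.7-r1' into ([1, 1, 7], 1); reject syntax the comparator
    does not model (e.g. 1.2.0_rc1) rather than silently mis-ordering it."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver!r}")
    return [int(p) for p in m.group(1).split(".")], int(m.group(2) or 0)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1.  A shorter component list sorts first (1.1 < 1.1.0)
    and the revision breaks ties (1.1.7 < 1.1.7-r1)."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


def split_atom(atom: str) -> Tuple[str, str]:
    """'net-mail/dovecot-1.1.7-r1' -> ('net-mail/dovecot', '1.1.7-r1')."""
    m = _ATOM_RE.match(atom.strip())
    if not m or "/" not in m.group(1):
        raise ValueError(f"not a category/package-version atom: {atom!r}")
    return m.group(1), m.group(2)


def classify(atom: str) -> str:
    """Classify one installed atom against the range this bug describes."""
    cp, ver = split_atom(atom)
    if cp != AFFECTED_PKG:
        return "not-affected"
    parts, _rev = parse_version(ver)
    if parts[:2] != [1, 1]:
        # The summary and the stabilisation request only cover the 1.1 series.
        return "out-of-scope"
    if compare_versions(ver, VULNERABLE_MAX) <= 0:
        return "vulnerable"        # inside the summary's <=1.1.7-r1 range
    if compare_versions(ver, FIXED_VERSION) >= 0:
        return "fixed"             # 1.1.19 or later
    return "unpatched"             # a 1.1.x build older than the fix


def scan(qlist_output: str) -> List[Tuple[str, str]]:
    """Run classify() over `qlist -Iv`-style lines, skipping blank ones."""
    return [(ln.strip(), classify(ln)) for ln in qlist_output.splitlines() if ln.strip()]


# Constructed sample in the shape of `qlist -Iv` output (portage-utils); the two
# dovecot lines come from different hypothetical hosts, not one install.
SAMPLE = """\
net-mail/dovecot-1.1.7-r1
net-mail/dovecot-1.1.19
app-portage/gentoolkit-0.2.4.5
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for atom, status in scan(text):
        print(f"{status:12s} {atom}")
```

Pipe a real listing in with `qlist -Iv net-mail/dovecot | python3 triage.py`; the "unpatched" state exists because the summary names only the version that was in the tree, while the description calls every 1.1.x sieve build vulnerable, so a 1.1.x version between 1.1.7-r1 and 1.1.19 should be treated as suspect rather than clean.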
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-28 20:55:04 UTC
Yes, our "sieve" wasn't patched.
Comment 2 Patrick Lauer gentoo-dev 2009-10-05 14:11:09 UTC
+  05 Oct 2009; Patrick Lauer <patrick@gentoo.org> +dovecot-1.1.19.ebuild:
+  Bump for 1.1 series
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 14:53:39 UTC
Arches, please test and mark stable:
=net-mail/dovecot-1.1.19
Target keywords : "alpha amd64 ppc sparc x86"

patrick, can you remove older ebuilds, when 1.1.19 is stable?
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-07 16:20:31 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2009-11-07 21:29:32 UTC
Stable on alpha.
Comment 6 Markus Meier gentoo-dev 2009-11-09 12:43:52 UTC
amd64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-11-14 15:17:41 UTC
sparc stable
Comment 8 Joe Jezak (RETIRED) gentoo-dev 2009-12-29 17:40:16 UTC
Marked ppc stable.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-10 15:16:08 UTC
GLSA request filed.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-14 21:45:12 UTC
GLSA request filed.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-07-14 17:02:15 UTC
Waiting for 314533 wrt GLSA...
Comment 12 Michael Orlitzky gentoo-dev 2011-03-28 19:54:53 UTC
I think it's safe to close this now?
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2011-03-29 19:34:56 UTC
No, it is not. The Gentoo security team will close this bug after the GLSA has been sent.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-10-10 20:25:05 UTC
This issue was resolved and addressed in
 GLSA 201110-04 at http://security.gentoo.org/glsa/glsa-201110-04.xml
by GLSA coordinator Stefan Behte (craig).