|Summary:||<net-mail/dovecot-1.2.8 Information Disclosure (CVE-2009-3897)|
|Product:||Gentoo Security||Reporter:||Alexander Stoll <technoworx>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||betelgeuse, bugs+gentoo, dabbott, jochen+gentoo-bugs, ole+gentoo|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||289885, 314533|
Description Alexander Stoll 2009-11-21 13:30:24 UTC
Upstream has released new version 1.2.8 which is flagged as a security release fixing a vulnerability for all 1.2 releases which allows local users logging in as other users... Bump should be trivial. Reproducible: Always
Comment 1 Alex Legler (RETIRED) 2009-11-26 08:25:46 UTC
CVE-2009-3897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897): Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.
Comment 2 William Hubbs 2009-12-02 21:27:20 UTC
Created attachment 211822 [details] dovecot.patch Here is a patch which should be applied when you do the version bump that does a couple of things. It will fix mkcert.sh so that it installs the ssl certificate and key where they need to be installed, and it fixes the ebuild to install the documentation.
Comment 3 William Hubbs 2009-12-02 22:20:00 UTC
All, I have committed dovecot-1.2.8 to the tree. There still needs to be some keywording done before we can take it to stable; I am updating the dependencies to reflect that.
Comment 4 Petteri Räty (RETIRED) 2010-03-07 12:17:38 UTC
We should get this security issue fixed in stable. net-mail/security: time to add arches?
Comment 5 Stefan Behte (RETIRED) 2010-04-10 15:19:10 UTC
Please wait, we need v1.2.11.
Comment 6 Alex Legler (RETIRED) 2010-07-14 17:01:51 UTC
bug 314533 handles the stabilization of a newer version. bug will be ready for glsa once that is done.
Comment 7 Tim Sammut (RETIRED) 2011-01-02 04:32:05 UTC
(In reply to comment #6) > bug 314533 handles the stabilization of a newer version. bug will be ready for > glsa once that is done. > Stabilization complete; adding to exiting GLSA request.
Comment 8 GLSAMaker/CVETool Bot 2011-10-10 20:25:09 UTC
This issue was resolved and addressed in GLSA 201110-04 at http://security.gentoo.org/glsa/glsa-201110-04.xml by GLSA coordinator Stefan Behte (craig).