Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 293954 (CVE-2009-3897)

Summary: <net-mail/dovecot-1.2.8 Information Disclosure (CVE-2009-3897)
Product: Gentoo Security Reporter: Alexander Stoll <technoworx>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: betelgeuse, bugs+gentoo, dabbott, jochen+gentoo-bugs, ole+gentoo
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 289885, 314533    
Bug Blocks:    
Attachments:
Description Flags
dovecot.patch none

Description Alexander Stoll 2009-11-21 13:30:24 UTC
Upstream has released new version 1.2.8 which is flagged as a security release fixing a vulnerability for all 1.2 releases which allows local users logging in as other users...

Bump should be trivial.

Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-26 08:25:46 UTC
CVE-2009-3897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897):
  Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of
  certain directories at installation time, which allows local users to
  access arbitrary user accounts by replacing the auth socket, related
  to the parent directories of the base_dir directory, and possibly the
  base_dir directory itself.

Comment 2 William Hubbs gentoo-dev 2009-12-02 21:27:20 UTC
Created attachment 211822 [details]
dovecot.patch

Here is a patch which should be applied when you do the version bump that does
a couple of things.

It will fix mkcert.sh so that it installs the ssl certificate and key where
they need to be installed, and it fixes the ebuild to install the
documentation.
Comment 3 William Hubbs gentoo-dev 2009-12-02 22:20:00 UTC
All,

I have committed dovecot-1.2.8 to the tree.  There still needs to be some keywording done before we can take it to stable; I am updating the dependencies to reflect that.
Comment 4 Petteri R├Ąty (RETIRED) gentoo-dev 2010-03-07 12:17:38 UTC
We should get this security issue fixed in stable. net-mail/security: time to add arches?
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-10 15:19:10 UTC
Please wait, we need v1.2.11.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-07-14 17:01:51 UTC
bug 314533 handles the stabilization of a newer version. bug will be ready for glsa once that is done.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:32:05 UTC
(In reply to comment #6)
> bug 314533 handles the stabilization of a newer version. bug will be ready for
> glsa once that is done.
> 

Stabilization complete; adding to exiting GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2011-10-10 20:25:09 UTC
This issue was resolved and addressed in
 GLSA 201110-04 at http://security.gentoo.org/glsa/glsa-201110-04.xml
by GLSA coordinator Stefan Behte (craig).