| Summary: | <net-mail/dovecot-1.2.8 Information Disclosure (CVE-2009-3897) |
|---|---|
| Product: | Gentoo Security |
| Component: | Vulnerabilities |
| Reporter: | Alexander Stoll <technoworx> |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| Priority: | High |
| CC: | betelgeuse, bugs+gentoo, dabbott, jochen+gentoo-bugs, ole+gentoo |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://www.dovecot.org/list/dovecot-news/2009-November/000143.html |
| Whiteboard: | B3 [glsa] |
| Bug Depends on: | 289885, 314533 |

Description
Alexander Stoll
2009-11-21 13:30:24 UTC
CVE-2009-3897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897): Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.

Created attachment 211822
dovecot.patch
Here is a patch which should be applied when you do the version bump that does
a couple of things.
It will fix mkcert.sh so that it installs the ssl certificate and key where
they need to be installed, and it fixes the ebuild to install the
documentation.
All, I have committed dovecot-1.2.8 to the tree. There still needs to be some keywording done before we can take it to stable; I am updating the dependencies to reflect that.

We should get this security issue fixed in stable. net-mail/security: time to add arches?

Please wait, we need v1.2.11.

bug 314533 handles the stabilization of a newer version. bug will be ready for glsa once that is done.

(In reply to comment #6)
> bug 314533 handles the stabilization of a newer version. bug will be ready for
> glsa once that is done.

Stabilization complete; adding to existing GLSA request.

This issue was resolved and addressed in GLSA 201110-04 at http://security.gentoo.org/glsa/glsa-201110-04.xml by GLSA coordinator Stefan Behte (craig).
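
The CVE description at the top of this report concerns 0777 permissions on base_dir and its parent directories. The following audit is an added example, not part of the bug report or of Dovecot: it walks from a given base_dir up to the filesystem root and reports every directory that is world-writable without the sticky bit. The function name and the `stop` parameter are hypothetical, and the base_dir path is supplied by the administrator.

```python
import os
import stat
import sys


def world_writable_ancestors(base_dir, stop="/"):
    """Return (path, mode) for base_dir and each parent up to `stop`
    in which any local user could replace an entry such as a socket."""
    path = os.path.realpath(base_dir)
    stop = os.path.realpath(stop)
    findings = []
    while True:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # World-writable without the sticky bit means any local user may
        # rename or delete entries they do not own. With the sticky bit
        # (e.g. 1777 on /tmp) only the entry's owner, the directory's
        # owner or root may do so, so that case is not reported here.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((path, format(mode, "04o")))
        parent = os.path.dirname(path)
        if path == stop or parent == path:
            break
        path = parent
    return findings


if __name__ == "__main__":
    # Usage: pass the configured base_dir as the only argument.
    if len(sys.argv) != 2:
        sys.exit("usage: audit_base_dir.py <base_dir>")
    hits = world_writable_ancestors(sys.argv[1])
    for found_path, found_mode in hits:
        print(f"{found_mode} {found_path}")
    sys.exit(1 if hits else 0)
```

A non-empty result on a host that ran an affected version means the directory modes need correcting by hand, since upgrading the package does not necessarily change directories that already exist.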