Bug 213030 (CVE-2008-1218) - net-mail/dovecot <1.0.13 Argument injection vulnerability (CVE-2008-1218)
Summary: net-mail/dovecot <1.0.13 Argument injection vulnerability (CVE-2008-1218)
Alias: CVE-2008-1218
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on: CVE-2008-1199
Reported: 2008-03-11 12:43 UTC by Lars Hartmann
Modified: 2008-03-18 12:17 UTC
Description Lars Hartmann 2008-03-11 12:43:07 UTC
from the CVE:
Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified.

Update to 1.0.13
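
The argument-injection class described in the CVE text above, as an added illustration that is not code from Dovecot or from this bug report. It assumes a generic TAB-delimited `key=value` record (not Dovecot's actual internal format), with hypothetical function names and a constructed sample; only the `skip_password_check` field name comes from the CVE text.

```python
# Constructed illustration of delimiter injection in a TAB-separated record.
# The record layout is an assumption, NOT Dovecot's real wire format.

def serialize_naive(fields):
    """Vulnerable form: values are joined without checking for the delimiter."""
    return "\t".join(f"{k}={v}" for k, v in fields.items())

def escape(value):
    """Escape the escape character first, then the delimiter characters."""
    return (value.replace("\\", "\\\\")
                 .replace("\t", "\\t")
                 .replace("\n", "\\n"))

def unescape(value):
    """Inverse of escape(); processes one backslash sequence at a time."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"t": "\t", "n": "\n", "\\": "\\"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def serialize_safe(fields):
    """Hardened form: every value is escaped before it is joined."""
    return "\t".join(f"{k}={escape(v)}" for k, v in fields.items())

def parse(record, unescape_values=False):
    """Split on raw TABs; a token without '=' becomes a bare flag field."""
    parsed = {}
    for token in record.split("\t"):
        key, _, value = token.partition("=")
        parsed[key] = unescape(value) if unescape_values else value
    return parsed

# Constructed sample input: a password value that contains a TAB character.
SAMPLE = {"user": "alice", "pass": "x\tskip_password_check"}

def demo():
    """Return what the receiver sees for the naive and the hardened sender."""
    naive = parse(serialize_naive(SAMPLE))
    safe = parse(serialize_safe(SAMPLE), unescape_values=True)
    return naive, safe
```

With the naive serializer the receiver sees a third field that the sender never set; with escaping the password arrives intact as a single value.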
Comment 1 Lars Hartmann 2008-03-11 12:45:13 UTC
maintainers - please provide an updated ebuild
Comment 2 Wolfram Schlich (RETIRED) gentoo-dev 2008-03-11 14:03:52 UTC
already in portage since 2008-03-10.

there is already another dovecot security bug open that involves
stabling =1.0.13: bug #212336
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-11 16:42:54 UTC
Thanks Wolfram. stabling is handled on bug #212336. since it's also C3, we can vote for GLSA for both bugs here. I tend to vote YES.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-11 18:35:52 UTC
Voting YES as well and filing request.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-12 01:10:40 UTC
Please note that the password issue never affected any stable ebuild and should therefore not be considered for the GLSA.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-03-12 01:21:44 UTC
CVE-2008-1271 will be rejected as a dupe.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 12:17:25 UTC
GLSA 200803-25