CVE-2008-4870 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4870): dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.
We also leave that file world-readable.
Fixed in 1.1.6-r1. Thanks!
Arches, please test and mark stable.
I've installed 1.1.6-r1 and my dovecot.conf was still world-readable.
For me, it's OK:

ls -l /etc/dovecot/dovecot.conf
-rw------- 1 root root 46584 Nov 3 20:21 /etc/dovecot/dovecot.conf
Not fixed here either (it was an upgrade from 1.1.6; probably portage doesn't do this right?). Besides, dovecot.conf doesn't seem to be replaced.

# ls -l /etc/dovecot/
total 60
-rw-r--r-- 1 root root   410 Nov 3 22:07 dovecot-db-example.conf
-rw------- 1 root root  4883 Nov 3 22:07 dovecot-ldap.conf
-rw-r--r-- 1 root root 46637 Nov 2 00:54 dovecot.conf
I did a fresh install. Didn't portage show up with a new dovecot.conf? I've got no time for tests right now.
Stable on alpha.
wschlich, please advise on the status of this bug. Both Andreas and Markus claim this is not fixed in upgrade-scenarios.
Sorry, I've added some pkg_preinst() magic in 1.1.7.
Confirmed to work, thanks Wolfram. Arches: Please test and mark stable: '=net-mail/dovecot-1.1.7'
This patch broke getmail injection through dovecot's local delivery agent (/usr/libexec/dovecot/deliver), because it tries to read dovecot.conf without root permission. Obvious fix for me: use /usr/sbin/sendmail -G -i -t. But now there's a big BUT... recent dovecot suggests that dovecot.conf is world-readable and one should put ssl_key_password in an EXTRA file (permission 0600) and include_try that. Now we see one possible reasoning for that suggestion.
(In reply to comment #12)
> This patch broke getmail injection through dovecot's local delivery agent
> (/usr/libexec/dovecot/deliver), because it tries to read dovecot.conf without root
> permission.
>
> Obvious fix for me: use /usr/sbin/sendmail -G -i -t
>
> But now there's a big BUT...
>
> recent dovecot suggests that dovecot.conf is world-readable and one should put
> ssl_key_password in an EXTRA file (permission 0600) and include_try that.
> Now we see one possible reasoning for that suggestion.

@Wolfram: please advise ...
Committed 1.1.7-r1: Removed the code to forcibly change dovecot.conf permissions to 0600 and added a big fat warning to pkg_postinst(). That's it from my side.
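The thread ends with the ebuild no longer forcing dovecot.conf to 0600 (because the non-root deliver agent must still parse it) and instead warning the admin to keep ssl_key_password out of any world-readable file. The script below is an added example, not code from this bug or from the dovecot ebuild: it audits a set of config files for an ssl_key_password line in a file readable by group or others, and builds a constructed copy of both layouts discussed, the weak one (secret inside a 0644 dovecot.conf) and the recommended one (0644 dovecot.conf that pulls a 0600 secrets file in with dovecot's `!include_try` directive). The file name dovecot-secrets.conf and the sample password are assumptions chosen for the example; `stat -c` is GNU coreutils, as on the Gentoo and RHEL hosts in the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread or the dovecot ebuild).
# Audits dovecot config files for an ssl_key_password value that other local
# users could read, and demonstrates the recommended split layout.

# audit_ssl_key_password FILE...
# Prints LEAK for every file that sets ssl_key_password and has a read bit for
# group or others; returns 1 if any such file was found, 0 otherwise.
audit_ssl_key_password() {
    status=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -q '^[[:space:]]*ssl_key_password[[:space:]]*=' "$f"; then
            # GNU stat: %a is the octal mode without leading zero, e.g. 644.
            mode=$(stat -c '%a' "$f")
            # Group read bit is 040, other read bit is 004; prefixing "0" keeps
            # the shell arithmetic in octal.
            if [ $(( 0$mode & 044 )) -ne 0 ]; then
                echo "LEAK: $f (mode $mode) exposes ssl_key_password"
                status=1
            fi
        fi
    done
    [ "$status" -eq 0 ] && echo "OK: ssl_key_password is only in owner-readable files"
    return "$status"
}

# build_example
# Creates a constructed config tree in a temp dir and prints its path:
#   weak-dovecot.conf     0644, contains the password (the situation in the CVE)
#   dovecot.conf          0644, no secret, !include_try of the secrets file
#   dovecot-secrets.conf  0600, holds ssl_key_password (assumed file name)
build_example() {
    dir=$(mktemp -d)
    printf 'ssl_cert_file = /etc/ssl/dovecot/server.pem\nssl_key_password = examplepass\n' \
        > "$dir/weak-dovecot.conf"
    chmod 0644 "$dir/weak-dovecot.conf"
    printf 'ssl_cert_file = /etc/ssl/dovecot/server.pem\n!include_try /etc/dovecot/dovecot-secrets.conf\n' \
        > "$dir/dovecot.conf"
    chmod 0644 "$dir/dovecot.conf"
    printf 'ssl_key_password = examplepass\n' > "$dir/dovecot-secrets.conf"
    chmod 0600 "$dir/dovecot-secrets.conf"
    echo "$dir"
}

# Usage: audit the real config tree on a host.
#   audit_ssl_key_password /etc/dovecot/dovecot.conf /etc/dovecot/*.conf
```

Because the main file stays 0644, a non-root consumer such as deliver keeps working, while the `!include_try` line means dovecot reads the secrets file when it runs as root and silently skips it otherwise, which is exactly the separation the thread's maintainer decided to recommend rather than enforce.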
amd64/x86 stable
ppc stable
alpha/sparc stable
GLSA 200812-16, thanks everyone, sorry about the delay.