An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13,
and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or
certain non-default sieve options are enabled (2.x), a user with a mail
account on the service can use a sieve script containing a fileinto
directive to create any mailbox with administrator privileges, because of
folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.

After discussion we (security) aren't interested in keeping this package alive.
@ Treecleaner(s): Please do your job (maybe someone else will step up and take care).

Apparently it's been taken care of:
Author: Eray Aslan <firstname.lastname@example.org>
AuthorDate: 2020-04-09 16:07:45 +0200
Commit: Eray Aslan <email@example.com>
CommitDate: 2020-04-09 16:07:45 +0200
net-mail/cyrus-imapd: security bump to 3.0.13
also fixes building with new versions of libcap and gcc-10
Package-Manager: Portage-2.3.96, Repoman-2.3.22
Signed-off-by: Eray Aslan <firstname.lastname@example.org>

@maintainer(s), please advise if ready for stabilisation, or call yourself

Arches, please test and mark stable
Target Keywords = amd64 ~arm ~hppa ~ia64 ppc ppc64 ~sparc x86

This issue was resolved and addressed in
GLSA 202006-23 at https://security.gentoo.org/glsa/202006-23
by GLSA coordinator Aaron Bauman (b-man).

Re-opened for ppc64 and cleanup.