Bug 245316 (CVE-2008-4870) - net-mail/dovecot<1.1.7-r1 ssl password leak because of dovecot.conf permissions (CVE-2008-4870)
Summary: net-mail/dovecot<1.1.7-r1 ssl password leak because of dovecot.conf permissio...
Status: RESOLVED FIXED
Alias: CVE-2008-4870
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: B4 [glsa]
Reported: 2008-11-02 19:52 UTC by Stefan Behte (RETIRED)
Modified: 2008-12-15 13:55 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-02 19:52:13 UTC
CVE-2008-4870 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4870):
  dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly
  Fedora, uses world-readable permissions for dovecot.conf, which
  allows local users to obtain the ssl_key_password parameter value.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-02 19:54:26 UTC
We also leave that file world-readable.
Comment 2 Wolfram Schlich (RETIRED) gentoo-dev 2008-11-03 17:25:43 UTC
Fixed in 1.1.6-r1. Thanks!
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-03 18:22:00 UTC
Arches, please test and mark stable.
Comment 4 Andreas Westin 2008-11-03 19:05:24 UTC
I've installed 1.1.6-r1 and my dovecot.conf was still world readable.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-03 19:25:03 UTC
For me, it's ok:
ls -l /etc/dovecot/dovecot.conf
-rw------- 1 root root 46584 Nov  3 20:21 /etc/dovecot/dovecot.conf
Comment 6 Markus Meier gentoo-dev 2008-11-03 22:10:42 UTC
Not fixed here either (was an upgrade from 1.1.6; probably portage doesn't do this right?). Besides, dovecot.conf doesn't seem to be replaced.

 # ls -l /etc/dovecot/
total 60
-rw-r--r-- 1 root root   410 Nov  3 22:07 dovecot-db-example.conf
-rw------- 1 root root  4883 Nov  3 22:07 dovecot-ldap.conf
-rw-r--r-- 1 root root 46637 Nov  2 00:54 dovecot.conf
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-03 22:24:01 UTC
I did a fresh install.
Didn't portage show up with a new dovecot.conf? I've got no time for tests right now.
Comment 8 Tobias Klausmann gentoo-dev 2008-11-08 20:52:35 UTC
Stable on alpha.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-11-27 16:50:57 UTC
wschlich, please advise on the status of this bug. Both Andreas and Markus claim this is not fixed in upgrade-scenarios.
Comment 10 Wolfram Schlich (RETIRED) gentoo-dev 2008-11-28 08:16:43 UTC
Sorry, I've added some pkg_preinst() magic in 1.1.7.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-28 12:23:24 UTC
Confirmed to work, thanks Wolfram.
Arches: Please test and mark stable:
'=net-mail/dovecot-1.1.7'
Comment 12 satmd 2008-11-28 12:35:07 UTC
This patch broke getmail injection through dovecot's local delivery agent (/usr/libexec/dovecot/deliver), because it tries to read dovecot.conf without root permission.

Obvious fix for me: use /usr/sbin/sendmail -G -i -t

But now there's a big BUT...

Recent dovecot suggests that dovecot.conf is world-readable and one should put ssl_key_password in an EXTRA file (permission 0600) and include_try that.
Now we see one possible reasoning for that suggestion.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-29 16:27:45 UTC
(In reply to comment #12)
> This patch broke getmail injection through dovecot's local delivery agent
> (/usr/libexec/dovecot/deliver), because it tries to read dovecot.conf without
> root permission.
> 
> Obvious fix for me: use /usr/sbin/sendmail -G -i -t
> 
> But now there's a big BUT...
> 
> Recent dovecot suggests that dovecot.conf is world-readable and one should put
> ssl_key_password in an EXTRA file (permission 0600) and include_try that.
> Now we see one possible reasoning for that suggestion.
> 

@Wolfram: please advise ...
Comment 14 Wolfram Schlich (RETIRED) gentoo-dev 2008-11-29 20:35:34 UTC
Committed 1.1.7-r1:
Removed the code to forcibly change dovecot.conf permissions to 0600
and added a big fat warning to pkg_postinst().
That's it from my side.
Comment 15 Markus Meier gentoo-dev 2008-11-30 16:27:32 UTC
amd64/x86 stable
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-06 18:58:42 UTC
ppc stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2008-12-08 16:37:13 UTC
alpha/sparc stable
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-15 13:55:13 UTC
GLSA 200812-16, thanks everyone, sorry about the delay.
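
The layout from comment 12 (a world-readable dovecot.conf that pulls ssl_key_password from a separate 0600 file) and the exposure described in the CVE can both be checked with a short audit script. This is an added example, not code from the bug thread or the Gentoo ebuild; the function names are hypothetical, and it assumes Dovecot's `!include` / `!include_try` directive syntax, literal include paths, and relative paths resolved against the including file's directory.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the Gentoo ebuild.
# Function names are hypothetical.

# True when FILE sets ssl_key_password to a value on a non-comment line.
has_key_password() {
    grep -Eq '^[[:space:]]*ssl_key_password[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# True when FILE has the read bit set for "other" (e.g. mode 0644).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Print paths named by !include / !include_try lines in FILE. One level deep,
# literal paths only; relative paths are assumed relative to FILE's directory.
included_files() {
    dir=$(dirname "$1")
    sed -n 's/^[[:space:]]*!include\(_try\)\{0,1\}[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\2/p' "$1" |
    while IFS= read -r inc; do
        case $inc in
            /*) printf '%s\n' "$inc" ;;
            *)  printf '%s\n' "$dir/$inc" ;;
        esac
    done
}

# Return 0 if no file holding ssl_key_password is world-readable,
# 1 if at least one is (paths go to stderr), 2 if FILE is missing.
audit_dovecot_conf() {
    main=$1
    [ -f "$main" ] || { printf 'no such file: %s\n' "$main" >&2; return 2; }
    leaks=$(
        { printf '%s\n' "$main"; included_files "$main"; } |
        while IFS= read -r f; do
            [ -f "$f" ] || continue    # an !include_try target may be absent
            if has_key_password "$f" && world_readable "$f"; then
                printf '%s\n' "$f"
            fi
        done
    )
    [ -z "$leaks" ] && return 0
    printf 'ssl_key_password in world-readable file:\n%s\n' "$leaks" >&2
    return 1
}
```

Run it as `audit_dovecot_conf /etc/dovecot/dovecot.conf`. A commented-out or empty `ssl_key_password` line is not reported, so a stock world-readable dovecot.conf without a key password passes.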