net-mail/dovecot-* with USE="managesieve" In certain configurations, any user with can view or edit any *.sieve file that has file system permissions that allow this. This is common in virtual user configurations. All versions of dovecot presently in portage have this bug when USE=managesieve. dovecot-1.1.7.ebuild contains the lines: MANAGESIEVE_PATCH="managesieve-0.10.4" MANAGESIEVE="managesieve-0.10.3" Besides it being a really bad idea to mix managesieve and managesive_patch versions managesieve-0.10.3 has still has the bug. Suggest something like: MANAGESIEVE="managesieve-0.10.4" MANAGESIEVE_PATCH="$MANAGESIEVE" Reproducible: Always Steps to Reproduce:
'../' is not filtered from script path. See this post to dovecot mailing list: http://www.dovecot.org/list/dovecot/2008-November/035259.html
Fixed in 1.1.7-r1.
CVE-2008-5301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5301): Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a ".." (dot dot) in a script name.
GLSA 200812-16 covers this version as vulnerable, but we missed this bug in the GLSA processing. So I'll just go ahead and close [noglsa].
