Bug 339776 (CVE-2010-3706) - net-mail/dovecot: Multiple Vulnerabilities (CVE-2010-{3706,3707})
Summary: net-mail/dovecot: Multiple Vulnerabilities (CVE-2010-{3706,3707})
Status: RESOLVED FIXED
Alias: CVE-2010-3706
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.dovecot.org/list/dovecot/2...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-10-05 02:34 UTC by Tim Sammut (RETIRED)
Modified: 2011-01-03 20:52 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
dovecot-1.2.15.ebuild (8.53 KB, text/plain), 2010-10-05 07:31 UTC, Eray Aslan

Description Tim Sammut (RETIRED) gentoo-dev 2010-10-05 02:34:51 UTC
From $url:

http://dovecot.org/releases/1.2/dovecot-1.2.15.tar.gz
http://dovecot.org/releases/1.2/dovecot-1.2.15.tar.gz.sig

See the "ACL handling bugs" message for more details about the ACL
merging bug.

	* acl: Fixed the logic of merging multiple ACL entries. Now it works as
	  documented, while previously it could have done slightly different
	  things depending on the order of the entries.

(Note: The above is CVE-2010-3707)

	* acl: Don't give admin rights to all owner mailboxes. This was
	  originally done to make sure that mailbox owner couldn't accidentally
	  remove their own admin rights. But this is already prevented by
	  SETACL command, so it's not necessary. Also sysadmin may have
	  intentionally removed some admin rights from some mailboxes
	  (especially when using symlinked shared mailboxes).

(Note: The above is CVE-2010-3706)

	- Maildir: Fixed potential "Duplicate file entry" in dovecot-uidlist
	  file errors.
	- Maildir: Avoid unnecessary uidlist recreation during mail delivery.
	- imap: When SELECT fails, it didn't close the previous mailbox.
	- Dovecot master process could have died if it got SIGCHLD signals
	  very rapidly while it was trying to log. This could have happened
	  for example if a lot of imap/pop3 sessions disconnected at the exact
	  same time.
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-10-05 03:25:14 UTC
Adding proper CC's
Comment 2 Eray Aslan gentoo-dev 2010-10-05 06:41:24 UTC
There is no sieve release yet for dovecot-1.2.15, i.e. we cannot bump without major loss of function.  I have contacted upstream and asked for a status update regarding sieve release.
Comment 3 Eray Aslan gentoo-dev 2010-10-05 07:31:38 UTC
Created attachment 249608 [details]
dovecot-1.2.15.ebuild

Sieve is released in the meantime.  Attached please find dovecot-1.2.15.ebuild.  Please add to the tree.

Changelog:

Version bump - security bug #339776
Comment 4 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-10-05 12:46:54 UTC
added,

+*dovecot-1.2.15 (05 Oct 2010)
+
+  05 Oct 2010; Jeremy Olexa <darkside@gentoo.org> +dovecot-1.2.15.ebuild:
+  Version bump - security bug #339776

This version won't really get tested in ~arch because 2.x is in ~arch already. Should be fine to add arches for stabilization though.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2010-10-05 13:45:38 UTC
Arches, please test and mark stable:
=net-mail/dovecot-1.2.15
Target keywords : "alpha amd64 ppc sparc x86"
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-10-06 08:13:02 UTC
amd64 done
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-10-06 15:05:19 UTC
x86 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2010-10-09 13:17:43 UTC
Stable on alpha.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2010-10-10 17:07:00 UTC
sparc stable
Comment 10 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-10-12 15:59:40 UTC
I forgot to close bug 335383 and stable arm was added to a security vulnerable version. Adding arm@g.o here with apologies.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2010-10-15 12:51:33 UTC
ppc done
Comment 12 Markus Meier gentoo-dev 2010-10-15 14:21:31 UTC
arm stable, all arches done.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2010-10-15 14:47:55 UTC
Thanks, folks.

GLSA Vote: No.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 16:56:20 UTC
Vote: YES; remote DoS possible.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2011-01-03 20:52:39 UTC
GLSA Vote: no -> Closing. Feel free to reopen if you disagree.