Launchpad.net

CVE 2008-1199

Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.

Related bugs and status

CVE-2008-1199 (Candidate) is related to these bugs:

Bug #203449: [dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation

		In	Importance	Status
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu)	Medium	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Debian)	Unknown	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu Dapper)	Medium	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu Edgy)	Medium	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu Feisty)	Medium	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu Hardy)	Medium	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu Gutsy)	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [Dovecot-news] 2008050...
BID: 28092
FEDORA: FEDORA-2008-2464
FEDORA: FEDORA-2008-2475
SECUNIA: 29226
DEBIAN: DSA-1516
GENTOO: GLSA-200803-25
SECUNIA: 29385
SECUNIA: 29396
SECUNIA: 29557
SUSE: SUSE-SR:2008:020
SECUNIA: 32151
REDHAT: RHSA-2008:0297
SECUNIA: 30342
XF: dovecot-mailextragroup...
OVAL: oval:org.mitre.oval:de...
UBUNTU: USN-593-1
BUGTRAQ: 20080304 Dovecot mail_...