Launchpad.net

CVE 2008-1218

Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified.

Related bugs and status

CVE-2008-1218 (Candidate) is related to these bugs:

Bug #203449: [dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation

		In	Importance	Status
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu)	Medium	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Debian)	Unknown	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu Dapper)	Medium	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu Edgy)	Medium	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu Feisty)	Medium	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu Hardy)	Medium	Fix Released
203449	[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation	dovecot (Ubuntu Gutsy)	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [Dovecot-news] 2008030...
MLIST: [Dovecot-news] 2008030...
MISC: http://wiki.rpath.com/...
CONFIRM: https://issues.rpath.c...
FEDORA: FEDORA-2008-2464
FEDORA: FEDORA-2008-2475
BID: 28181
SECUNIA: 29295
SECUNIA: 29226
SECUNIA: 29364
DEBIAN: DSA-1516
GENTOO: GLSA-200803-25
SECUNIA: 29385
SECUNIA: 29396
SECUNIA: 29557
SUSE: SUSE-SR:2008:020
SECUNIA: 32151
XF: dovecot-tab-authentica...
EXPLOIT-DB: 5257
UBUNTU: USN-593-1
BUGTRAQ: 20080312 rPSA-2008-010...