Security hole in ManageSieve: Virtual users can edit scripts of other virtual users

Bug #307291 reported by Mr Ed on 2008-12-11
Affects Status Importance Assigned to Milestone
dovecot (Debian)
Fix Released
Unknown
dovecot (Ubuntu)
Undecided
Unassigned

Bug Description

Script names aren't checked for "/"-characters, so that virtual users can edit other users' scripts by using a script name like "../../other_user/sieve/script".

See here for more details and a patch:

http://dovecot.org/list/dovecot/2008-November/035259.html
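The missing check described in this report, as an added example that is not part of the original report and is not Dovecot's or the linked patch's code: the script name is joined to the user's script directory with and without validation. The function names, the `/srv/vmail/alice/sieve` layout, the `.sieve` suffix and the 255-byte limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical check, not Dovecot's code: accept a script name only if it
 * can be used as a single path component. */
static int script_name_is_valid(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 255 ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c < 0x20 || c == 0x7f)
            return 0;               /* path separator or control character */
    }
    return 1;
}

/* "Before": joins the name to the user's directory with no validation. */
static int script_path_unchecked(const char *dir, const char *name,
                                 char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s.sieve", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* "After": rejects the name before any path is built. */
static int script_path_checked(const char *dir, const char *name,
                               char *out, size_t outlen)
{
    if (!script_name_is_valid(name))
        return -1;
    return script_path_unchecked(dir, name, out, outlen);
}

int main(void)
{
    const char *dir = "/srv/vmail/alice/sieve";      /* constructed layout */
    const char *names[] = { "vacation", "../../other_user/sieve/script" };
    char path[512];
    for (size_t i = 0; i < 2; i++) {
        script_path_unchecked(dir, names[i], path, sizeof(path));
        printf("unchecked: %s\n", path);
        int rc = script_path_checked(dir, names[i], path, sizeof(path));
        printf("checked:   %s\n", rc == 0 ? path : "(rejected)");
    }
    return 0;
}
```

With the name from the report, the unchecked join produces a path that resolves outside the requesting user's directory, while the checked variant refuses it before touching the filesystem.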

Mr Ed (siebert) on 2008-12-11
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dovecot - 1:1.1.11-0ubuntu1

---------------
dovecot (1:1.1.11-0ubuntu1) jaunty; urgency=low

  [ Ante Karamatic ]
    Add new binary pkg dovecot-postfix that integrates postfix and dovecot
    automatically: (LP: #164837)
    - debian/control:
      + add new binary with short description.
    - debian/dovecot-postfix.postinst:
      + create initial certificate symlinks to snakeoil.
      + set up postfix with postconf to:
        - use Maildir/ as the default mailbox.
        - use dovecot as the sasl authentication server.
        - use dovecot LDA (deliver).
        - use tls for smtp{d} services.
      + restart postfix and dovecot.
    - debian/dovecot-postfix.postrm:
      + remove all dovecot related configuration from postfix.
      + restart postfix and dovecot.
    - debian/dovecot-common.init:
      + check if /etc/dovecot/dovecot-postfix.conf exists and use it
        as the configuration file if so.
    - debian/patches/warning-ubuntu-postfix.dpatch
      + add warning about dovecot-postfix.conf in dovecot default
        configuration file.
    - debian/patches/dovecot-postfix.conf.diff:
      + Ubuntu server custom changes to the default dovecot configuration for
        better integration with postfix:
        - enable imap, pop3, imaps, pop3s and managesieve by default.
        - enable dovecot LDA (deliver).
        - enable SASL auth socket in postfix private directory.
    - debian/rules:
      + copy, patch and install dovecot-postfix.conf in /etc/dovecot/.

  [ Mathias Gug ]
  * New upstream release:
  * Update dovecot-managesieve to 0.10.5. Fixes:
    - check if names of sieve scripts contain '/' (LP: #307291)
  * Update dovecot-managesieve patch for 1.1.11 and 0.10.5.
  * Update dovecot-sieve plugin to 1.1.6.
  * Merge from debian experimental, remaining changes:
    - Use Snakeoil SSL certificates by default.
      + debian/control: Depend on ssl-cert
      + debian/paptches/ssl-cert-snakeoil.dpatch: Change default SSL cert
        paths to snakeoil.
      + debian/dovecot-common.postinst: Relax grep for SSL_* a bit.
    - Add autopkgtest in debian/tests/*.
    - debian/dovecot-common.init: Check to see if there is an /etc/inetd.conf.
      (LP: #208411)
    - Fast TearDown: Update lsb init header to not stop in level 6.
    - Add status action to the init script:
      + debian/control: Depend on lsb >= 3.2.12ubuntu3.
      + debian/dovecot-common-init: Add the 'status' action (LP: #247096).
    - debian/rules:
      - Copy config.{guess,sub} after running libtoolize.
      - Clean dovecot-managesieve directory.
    - Add ufw integration:
      - Created debian/dovecot-common.ufw.profile
      - debian/rules:
        + install profile
      - debian/control
        + Suggest ufw
    - debian/{control,rules}: enable PIE hardening.
    - Updated dovecot.common.README.Debian with information on what has changed
      between 1.0 and 1.1.1. Fixes (LP: #257625)
    - dovecot-imapd, dovecot-pop3: Replaces dovecot-common (<< 1:1.1). LP: #254721.
    - debian/control:
      + Update Vcs-* headers.
  * debian/rules:
    - Create emtpy stamp.h.in files in dovecot-sieve/ and dovecot-managesi...


Changed in dovecot:
status: New → Fix Released
Changed in dovecot (Debian):
status: Unknown → Fix Released
This report contains Public Security information
Everyone can see this security related information.
