From: seriv@parkheights.dyndns.org
To: sysadmins@lists.altlinux.org
Cc: sisyphus@lists.altlinux.org, devel@lists.altlinux.org
Date: Tue, 18 Nov 2008 12:03:09 -0500 (GMT-05:00)
Subject: [sisyphus] I: security problem in managesieved in dovecot1.2-v1.2-alt1_alpha3
Message-ID: <2117684004.361227027789919.JavaMail.root@parkheights.dyndns.org>
In-Reply-To: <4921C9DD.90908@rename-it.nl>

Hello everyone!
In dovecot-1.2-v1.2-alt1_alpha3 there is a security problem in managesieve for virtual users. A cunning virtual user, by using the sequence '../' in the name of a sieve filter, can read and modify the filters of other virtual users, for example forwarding their mail to ill-wishers without their noticing.
The package dovecot1.2-v1.2-alt2_alpha3 that I sent to incoming yesterday contained a bug that left managesieve non-functional in it. Today that bug has been fixed and the package dovecot1.2-v1.2-alt3_alpha3 has been sent to incoming; everyone is advised to update to it.

-- 
Sergey

Fwd: [Dovecot] ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)

----- "Stephan Bosch" wrote:

> Hello,
>
> While updating the ManageSieve implementation to the latest draft
> specification I noticed a major omission in the way script names are
> handled. Essentially, script names are directly appended to the sieve
> storage directory path and suffixed with '.sieve'. This does not take
> the use of '../' in script names into account. Therefore, clever
> virtual users that know the directory structure of the server can read
> and edit script files of other virtual users with the same system uid.
> The added '.sieve' suffix prevents further security breach, because
> only sieve scripts are accessible this way. Note that of course any
> publicly accessible sieve script is also affected.
>
> I am sorry to report that this bug was introduced pretty much from the
> start, meaning that all versions of the ManageSieve patch/package are
> affected.
>
> To quickly resolve this issue, I provide patches against the existing
> releases and I release new versions for Dovecot v1.1 through v1.2. The
> security patches against the existing releases are very small and
> should therefore also apply to older versions or can be adjusted to
> apply cleanly with relative ease.
>
> The security patches are available as follows:
>
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch.sig
>
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch.sig
>
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch.sig
>
> The security patch for v1.0 is applied against the patched Dovecot
> tree, while patches for v1.1 and v1.2 are applied against the
> ManageSieve package.
>
> The new releases are available as follows (v1.1 and v1.2 versions have
> additional changes, read the NEWS files for more info):
>
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz.sig
>
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz.sig
>
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz.sig
>
> Refreshed ManageSieve patches for v1.1 and v1.2 are available to avoid
> confusion, but an existing patched Dovecot should work fine.
>
> I hope package maintainers will quickly incorporate the security
> patches to get rid of this stupidity as soon as possible.
>
> Don't hesitate to notify me when there are problems!
>
> Regards,
>
> -- 
> Stephan Bosch
> stephan@rename-it.nl
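As an added illustration in C (not Dovecot's code and not the fix shipped in the patches above): the raw name-to-path concatenation the report describes, beside a lexical script-name check that rejects traversal before any path is built. The storage directory and script names are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Raw concatenation: "<storage_dir>/<name>.sieve". According to the
 * report, the vulnerable ManageSieve code did essentially this with the
 * client-supplied name and nothing else, so a name containing "../"
 * walked out of the user's own storage directory.
 * Returns 0 on success, -1 if the result does not fit in out. */
int join_script_path(const char *storage_dir, const char *name,
                     char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s.sieve", storage_dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Lexical check of a client-supplied script name (illustrative policy,
 * not the fix from the ManageSieve patches). Rejects the empty name,
 * the special names "." and "..", any path separator, and control
 * characters. With no "/" allowed, "../" cannot occur at all, so the
 * joined path can only name a file directly inside storage_dir.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int sieve_script_name_is_valid(const char *name)
{
    const unsigned char *p;

    if (name == NULL || *name == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (p = (const unsigned char *)name; *p != '\0'; p++) {
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Hardened form: validate the name before it ever reaches the path.
 * Returns 0 on success, -1 if the name is rejected or does not fit. */
int safe_script_path(const char *storage_dir, const char *name,
                     char *out, size_t outlen)
{
    if (!sieve_script_name_is_valid(name))
        return -1;
    return join_script_path(storage_dir, name, out, outlen);
}
```

Because the check is purely lexical it needs no filesystem access, so it can run before the storage directory is even opened; a separate realpath()-style containment check would still be a sensible second layer where symlinks are possible.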