[sisyphus] [Fwd: [Dovecot] Security hole #3: zlib plugin allows opening any gzipped mboxes]
From: Sergey @ 2007-03-30 15:41 UTC
To: sisyphus; +Cc: sysadmins
Hi!
dovecot-1.0-alt8.rc29 has been submitted to devel:/incoming/Sisyphus with
fixes for the security problem in the zlib plugin. Everyone who uses this
plugin is advised to upgrade.
---
Сергей Иванов
-------- Original Message --------
Subject: [Dovecot] Security hole #3: zlib plugin allows opening any gzipped mboxes
Date: Fri, 30 Mar 2007 17:46:29 +0300
From: Timo Sirainen <tss@iki.fi>
Reply-To: Dovecot Mailing List <dovecot@dovecot.org>
To: dovecot-news@dovecot.org
CC: dovecot@dovecot.org
zlib plugin allows opening gzipped mboxes as read-only mailboxes.
However when using it, the mailbox name checks are bypassed so it's
possible to open for example "../otheruser/somefile.gz". Only valid
gzipped mbox files can be opened, and only if their name ends with
".gz".
You can fix this by upgrading to v1.0.rc29 (available soon) or with this
patch: http://dovecot.org/list/dovecot-cvs/2007-March/008488.html
I don't think this matters much though. zlib plugin is rarely used, and
those who do use it are probably using Dovecot with system users
(per-user UIDs), so the imap process wouldn't have access to other
users' mbox files anyway.
I found this problem when I was cleaning up the code in CVS HEAD.
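A mailbox-name check of the kind the advisory says the zlib plugin skipped, shown next to the two checks it did keep (".gz" suffix and gzip magic). This is an added example in C, not Dovecot's code; the function names and the sample gzip header bytes are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical mailbox-name validation (not Dovecot's): rejects absolute
 * paths, backslashes, empty components and "." / ".." components, so a
 * name can never point outside the user's own mail root. */
bool mailbox_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '/')
        return false;
    if (strchr(name, '\\') != NULL)
        return false;
    for (const char *p = name; ; ) {
        const char *sep = strchr(p, '/');
        size_t len = sep != NULL ? (size_t)(sep - p) : strlen(p);
        if (len == 0)                                /* "//" or trailing "/" */
            return false;
        if (len == 1 && p[0] == '.')
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')  /* the "../otheruser" case */
            return false;
        if (sep == NULL)
            return true;
        p = sep + 1;
    }
}

/* Suffix check: the plugin only handles names ending in ".gz". */
bool has_gz_suffix(const char *name)
{
    size_t n = strlen(name);
    return n > 3 && strcmp(name + n - 3, ".gz") == 0;
}

/* Content check: a gzip member starts with ID1=0x1f, ID2=0x8b (RFC 1952).
 * Like the suffix check, this says nothing about where the file lives. */
bool looks_like_gzip(const unsigned char *hdr, size_t len)
{
    return len >= 2 && hdr[0] == 0x1f && hdr[1] == 0x8b;
}

/* Constructed sample: first bytes of a gzip member (CM=8, no flags). */
static const unsigned char sample_gz_hdr[4] = {0x1f, 0x8b, 0x08, 0x00};

/* Open decision for a gzipped read-only mbox: all three checks must pass.
 * Dropping mailbox_name_is_safe() is exactly the bug the advisory describes. */
bool zlib_mbox_may_open(const char *name, const unsigned char *hdr, size_t len)
{
    return mailbox_name_is_safe(name) && has_gz_suffix(name) &&
           looks_like_gzip(hdr, len);
}
```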