From: seriv@parkheights.dyndns.org
To: sysadmins@lists.altlinux.org
Cc: sisyphus@lists.altlinux.org, devel@lists.altlinux.org
Subject: [Sysadmins] I: security problem in managesieved in dovecot1.2-v1.2-alt1_alpha3
Date: Tue, 18 Nov 2008 12:03:09 -0500 (GMT-05:00)
Message-ID: <2117684004.361227027789919.JavaMail.root@parkheights.dyndns.org>
In-Reply-To: <4921C9DD.90908@rename-it.nl>
Hi all!
In dovecot-1.2-v1.2-alt1_alpha3, managesieve has a security problem for virtual users.
A crafty virtual user who uses the '../' sequence in a sieve filter name can read and modify the filters of other virtual users, for example silently forwarding their mail to ill-wishers.
The package dovecot1.2-v1.2-alt2_alpha3 that I sent to incoming yesterday contained a bug that made managesieve in it non-functional.
Today that bug has been fixed and the package dovecot1.2-v1.2-alt3_alpha3 has been sent to incoming; everyone is advised to update to it.
--
Сергей
Fwd: [Dovecot] ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)
----- "Stephan Bosch" <stephan@rename-it.nl> wrote:
> Hello,
>
> While updating the ManageSieve implementation to the latest draft
> specification I noticed a major omission in the way script names are
> handled. Essentially, script names are directly appended to the sieve
> storage directory path and suffixed with '.sieve'. This does not take
> the use of '../' in script names into account. Therefore, clever virtual
> users that know the directory structure of the server can read and edit
> script files of other virtual users with the same system uid. The added
> '.sieve' suffix prevents further security breach, because only sieve
> scripts are accessible this way. Note that of course any publicly
> accessible sieve script is also affected.
>
> I am sorry to report that this bug was introduced pretty much from the
> start, meaning that all versions of the ManageSieve patch/package are
> affected.
>
> To quickly resolve this issue, I provide patches against the existing
> releases and I release new versions for Dovecot v1.1 through v1.2. The
> security patches against the existing releases are very small and should
> therefore also apply to older versions or can be adjusted to apply
> cleanly with relative ease.
>
> The security patches are available as follows:
>
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch.sig
>
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch.sig
>
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch.sig
>
> The security patch for v1.0 is applied against the patched Dovecot tree,
> while patches for v1.1 and v1.2 are applied against the ManageSieve
> package.
>
> The new releases are available as follows (v1.1 and v1.2 versions have
> additional changes, read the NEWS files for more info):
>
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz.sig
>
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz.sig
>
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz.sig
>
> Refreshed ManageSieve patches for v1.1 and v1.2 are available to avoid
> confusion, but an existing patched Dovecot should work fine.
>
> I hope package maintainers will quickly incorporate the security patches
> to get rid of this stupidity as soon as possible.
>
> Don't hesitate to notify me when there are problems!
>
> Regards,
>
> --
> Stephan Bosch
> stephan@rename-it.nl
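The defect Stephan describes (a client-supplied script name appended straight onto the storage directory path, so '../' walks out of it) is the classic path-traversal shape, and the usual fix is to accept a script name only if it is a single, plain path component before it is ever joined to a path. The C below is an added illustration by the editor of that check, not code from Dovecot or from the ManageSieve patches linked above; the storage directory, the function names and the exact character policy are assumptions, and the real per-user storage path is not on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example values; the real storage path is per user and not on the page. */
#define SIEVE_STORAGE_DIR "/var/sieve/user"
#define SIEVE_SUFFIX      ".sieve"
#define SIEVE_NAME_MAX    128

/* Accept a script name only if it can never leave the storage directory:
 * non-empty, bounded in length, no path separators, not starting with '.'
 * (which also rules out "." and ".."), and no control characters.
 * Hypothetical helper, not the project's own function. */
bool sieve_script_name_is_safe(const char *name)
{
    size_t len, i;

    if (name == NULL)
        return false;
    len = strlen(name);
    if (len == 0 || len > SIEVE_NAME_MAX)
        return false;
    /* A name must stay a single path component on any platform. */
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return false;
    /* Rejects ".", ".." and dot-files in one stroke. */
    if (name[0] == '.')
        return false;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c == 0x7f)
            return false;
    }
    return true;
}

/* Build "<storage>/<name>.sieve" only for a validated name.
 * Returns 0 on success, -1 if the name was rejected or the buffer is too small.
 * Hypothetical helper, not the project's own function. */
int sieve_script_path(const char *storage, const char *name,
                      char *out, size_t outlen)
{
    int n;

    if (!sieve_script_name_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s%s", storage, name, SIEVE_SUFFIX);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names: one benign, the rest of the shape the advisory warns about. */
    const char *names[] = {
        "roundcube", "../other_user/roundcube", "..", ".hidden", "sub/dir", ""
    };
    char path[512];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (sieve_script_path(SIEVE_STORAGE_DIR, names[i], path, sizeof path) == 0)
            printf("accept %-26s -> %s\n", names[i], path);
        else
            printf("reject \"%s\"\n", names[i]);
    }
    return 0;
}
```

Validating the name is preferable to normalising the joined path after the fact (e.g. with realpath(3)): the script file may not exist yet when a PUTSCRIPT arrives, and an allow-list of what a name may look like is far easier to reason about than a deny-list of traversal spellings. The same validation belongs on every ManageSieve command that takes a name (GETSCRIPT, PUTSCRIPT, DELETESCRIPT, SETACTIVE, RENAMESCRIPT), not only on the one that writes.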