[Sysadmins] [Fwd: [Dovecot] Security hole #3: zlib plugin allows opening any gziped mboxes]

[Sysadmins] [Fwd: [Dovecot] Security hole #3: zlib plugin allows opening any gziped mboxes]

[Sergey]

Привет!
В devel:/incoming/Sisyphus направлен dovecot-1.0-alt8.rc29 с
исправлениями проблемы с безопасностью в zlib plugin'е. Всем кто
пользуется этим плагином, рекомендуется обновляться.
---
	Сергей Иванов

-------- Original Message --------
Subject: [Dovecot] Security hole #3: zlib plugin allows opening any
gziped  mboxes
Date: Fri, 30 Mar 2007 17:46:29 +0300
From: Timo Sirainen <tss@iki.fi>
Reply-To: Dovecot Mailing List <dovecot@dovecot.org>
To: dovecot-news@dovecot.org
CC: dovecot@dovecot.org

zlib plugin allows opening gzipped mboxes as read-only mailboxes.
However when using it, the mailbox name checks are bypassed so it's
possible to open for example "../otheruser/somefile.gz". Only valid
gzipped mbox files can be opened, and only if their name ends with
".gz".

You can fix this by upgrading to v1.0.rc29 (available soon) or with this
patch: http://dovecot.org/list/dovecot-cvs/2007-March/008488.html

I don't think this matters much though. zlib plugin is rarely used, and
those who do use it are probably using Dovecot with systems users
(per-user UIDs), so the imap process wouldn't have access to other
users' mbox files anyway.

I found this problem when I was cleaning up the code in CVS HEAD.