Message-ID: <460D2F99.2000009@parkheights.dyndns.org>
Date: Fri, 30 Mar 2007 11:41:13 -0400
From: Sergey
To: sisyphus@lists.altlinux.org
Cc: sysadmins@lists.altlinux.org
Subject: [Sysadmins] [Fwd: [Dovecot] Security hole #3: zlib plugin allows opening any gziped mboxes]

Hi!

dovecot-1.0-alt8.rc29, with the fix for the security problem in the zlib plugin, has been submitted to devel:/incoming/Sisyphus. Everyone who uses this plugin is advised to upgrade.

---
Sergey Ivanov

-------- Original Message --------
Subject: [Dovecot] Security hole #3: zlib plugin allows opening any gziped mboxes
Date: Fri, 30 Mar 2007 17:46:29 +0300
From: Timo Sirainen
Reply-To: Dovecot Mailing List
To: dovecot-news@dovecot.org
CC: dovecot@dovecot.org

zlib plugin allows opening gzipped mboxes as read-only mailboxes. However, when using it, the mailbox name checks are bypassed, so it's possible to open for example "../otheruser/somefile.gz". Only valid gzipped mbox files can be opened, and only if their name ends with ".gz".

You can fix this by upgrading to v1.0.rc29 (available soon) or with this patch: http://dovecot.org/list/dovecot-cvs/2007-March/008488.html

I don't think this matters much though. zlib plugin is rarely used, and those who do use it are probably using Dovecot with system users (per-user UIDs), so the imap process wouldn't have access to other users' mbox files anyway.

I found this problem when I was cleaning up the code in CVS HEAD.
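The advisory above describes a mailbox-name check being skipped before a name such as "../otheruser/somefile.gz" is mapped onto a file. The following is an added example, not Dovecot's own code and not the patch linked in the message: a stand-alone C validator of the kind a plugin that maps mailbox names to files needs to call before touching the filesystem. The function names (`zlib_mbox_name_is_safe`, `zlib_mbox_path`), the mail-root layout and the sample names are assumptions made for the illustration; the rules it enforces (relative name only, no empty, "." or ".." components, ".gz" suffix) follow what the message says the plugin should accept.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Dovecot code). Decide whether a user-supplied mailbox
 * name may be mapped onto a file under the user's mail root. Rules assumed
 * for the illustration: the name must be relative, every '/'-separated
 * component must be non-empty and not "." or "..", and the name must end
 * in ".gz" (the advisory says only such names are openable). */
bool zlib_mbox_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '/')
        return false;                       /* empty or absolute path */

    size_t len = strlen(name);
    if (len < 4 || strcmp(name + len - 3, ".gz") != 0)
        return false;                       /* not a gzipped mbox name */

    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t clen = slash ? (size_t)(slash - p) : strlen(p);
        if (clen == 0)
            return false;                   /* "a//b" or trailing slash */
        if (clen == 1 && p[0] == '.')
            return false;                   /* "." component */
        if (clen == 2 && p[0] == '.' && p[1] == '.')
            return false;                   /* ".." component: traversal */
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return true;
}

/* Build "<mail_root>/<name>" into out only when the name passes the check.
 * Returns false, leaving out untouched, for rejected or over-long names. */
bool zlib_mbox_path(const char *mail_root, const char *name,
                    char *out, size_t outlen)
{
    if (!zlib_mbox_name_is_safe(name))
        return false;
    int n = snprintf(out, outlen, "%s/%s", mail_root, name);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed sample names, mixing legitimate ones with the shape of
     * name quoted in the advisory. */
    const char *samples[] = {
        "INBOX.gz", "archive/2006.gz",
        "../otheruser/somefile.gz", "/etc/passwd.gz", "notes.txt",
    };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (zlib_mbox_path("/var/mail/alice", samples[i], path, sizeof path))
            printf("allow  %-28s -> %s\n", samples[i], path);
        else
            printf("reject %s\n", samples[i]);
    }
    return 0;
}
```

The check is deliberately done on the name rather than on the resolved path: rejecting ".." components before any filesystem call keeps the decision independent of symlinks and of whatever the mail root happens to contain, which is the property the advisory's "mailbox name checks" are meant to provide.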