dovecot: CVE-2013-6171
Debian Bug report logs - #729063

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 8 Nov 2013 13:33:02 UTC

Severity: important

Tags: confirmed, security, wheezy

Found in version 1:2.2.5-1

Fixed in version 1:2.2.9-1


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#729063; Package dovecot. (Fri, 08 Nov 2013 13:33:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Fri, 08 Nov 2013 13:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dovecot: CVE-2013-6171
Date: Fri, 08 Nov 2013 14:24:03 +0100
Package: dovecot
Severity: important
Tags: security

Quoting from the 2.2.7 announcement:
http://www.dovecot.org/list/dovecot-news/2013-November/000264.html

| Some usage of passdb checkpassword could have been exploitable by
| local users. You may need to modify your setup to keep it working.
| See http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security

Quoting from http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security:

| The standard checkpassword design is incompatible with Dovecot's security model. If
| the system has local users and the checkpassword script setuid()s into a local user,
| the user is able to ptrace into the communication and change the authentication results.
| This is of course undesirable, so v2.2.7+ will just refuse to run in such environments
| by default. The possibilities to solve this are:
|
|  * If possible, change the checkpassword to return userdb_uid and userdb_gid extra fields
|    instead of using setuid() and setgid(). This also improves the performance.
|  * If you can't change the script, you can make Dovecot's checkpassword-reply binary
|    setuid or setgid (e.g. chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply;
|    chmod g+s /usr/local/libexec/dovecot/checkpassword-reply)
|
| If you don't have any untrusted local users and you just don't care about this check, you
| can set INSECURE_SETUID=1 environment e.g. with a wrapper checkpassword script.

I'm not sure if that needs to be backported to stable, given this. How popular is the
Checkpassword auth framework?

Cheers,
        Moritz
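The first remedy quoted above (return userdb_uid and userdb_gid extra fields instead of setuid()ing into the local user) written out as a checkpassword script. This is an added example, not code from the bug report, from the Dovecot wiki, or from the dovecot package. It assumes the djb checkpassword interface as Dovecot drives it: "username\0password\0..." arrives on file descriptor 3, the reply binary (checkpassword-reply) is passed as the script's arguments, exit 1 means bad credentials and exit 2 misuse, and reply fields are handed back as exported environment variables with EXTRA naming the userdb_* variables to forward (that USER/HOME/EXTRA convention is taken from the Dovecot wiki as I remember it, not from this page). The credential table, user names, home paths and uid/gid values are constructed for the demonstration.

```shell
#!/bin/sh
# Hypothetical checkpassword script for Dovecot that never calls
# setuid()/setgid(): it authenticates the user and returns the uid/gid
# to Dovecot as userdb_uid/userdb_gid extra fields instead.
# Added example, not part of the bug report or of Dovecot itself.
#
# Assumed interface (djb checkpassword as used by Dovecot):
#   - "username\0password\0..." is readable on file descriptor 3
#   - the reply binary (checkpassword-reply) is passed as "$@"
#   - exit 1 = bad credentials, exit 2 = misuse
#   - reply fields travel as exported environment variables, with EXTRA
#     naming the userdb_* variables to forward (assumption from the
#     Dovecot wiki convention, not from this page)

# Constructed credential table: user:password:uid:gid. Plaintext only to
# keep the example self-contained; a real script verifies a password hash
# against a backend and would never keep secrets in the script itself.
CRED_TABLE='alice:s3cret:10001:10001
bob:hunter2:10002:10001'

# Split the NUL-separated fd-3 payload into CP_USER and CP_PASS.
# Only the first two fields matter; anything after them is ignored.
read_credentials() {
    fields=$(tr '\000' '\n' <&3)
    CP_USER=$(printf '%s\n' "$fields" | sed -n '1p')
    CP_PASS=$(printf '%s\n' "$fields" | sed -n '2p')
}

# Print "uid gid" for a matching user/password pair and return 0,
# otherwise print nothing and return 1. (awk -v interprets backslash
# escapes, so a real script would not pass secrets this way either.)
lookup_user() {
    printf '%s\n' "$CRED_TABLE" | awk -F: -v u="$1" -v p="$2" '
        $1 == u && $2 == p { print $3, $4; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Authenticate, then exec the reply binary with the userdb fields exported.
checkpassword_main() {
    read_credentials
    [ -n "$CP_USER" ] || exit 2                          # misuse: no username on fd 3
    ids=$(lookup_user "$CP_USER" "$CP_PASS") || exit 1   # wrong user or password

    # No setuid()/setgid() here: uid and gid are returned as data and the
    # reply process keeps running under Dovecot's auth user, so a local
    # user has no process of their own to ptrace and alter the result.
    USER=$CP_USER
    HOME=/home/$CP_USER                # constructed home path
    userdb_uid=${ids% *}
    userdb_gid=${ids#* }
    EXTRA='userdb_uid userdb_gid'
    export USER HOME userdb_uid userdb_gid EXTRA
    exec "$@"
}

# Dovecot always passes the reply binary; with no arguments there is
# nothing to exec, which also keeps the functions loadable for testing.
if [ $# -gt 0 ]; then
    checkpassword_main "$@"
fi
```

Pointing passdb checkpassword at this script replaces a privilege drop inside the script with two integers in the reply; the mail process still ends up as the right uid/gid because Dovecot applies userdb_uid/userdb_gid itself, which is also why the wiki notes the approach is faster. The INSECURE_SETUID=1 escape hatch from the quoted text is deliberately absent: it only makes sense on hosts with no untrusted local users.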



Added tag(s) confirmed. Request was from Jelmer Vernooij <jelmer@debian.org> to control@bugs.debian.org. (Thu, 03 Apr 2014 00:51:12 GMT)


Added tag(s) wheezy. Request was from Jelmer Vernooij <jelmer@debian.org> to control@bugs.debian.org. (Thu, 03 Apr 2014 00:51:17 GMT)


Marked as fixed in versions 1:2.2.9-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 04 Jul 2014 18:57:18 GMT)


Marked as found in versions 1:2.2.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 04 Jul 2014 18:57:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:52:50 2019; Machine Name: buxtehude
