CVE-2008-4577/CVE-2008-4578: security problems with the ACL plugin

Debian Bug report logs - #502967


Package: dovecot-common; Maintainer for dovecot-common is (unknown);

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Tue, 21 Oct 2008 11:30:02 UTC

Severity: important

Tags: security

Fixed in version 1:1.1.9-1

Done: Fabio Tranchitella <fabio@tranchitella.it>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#502967; Package dovecot-common. (Tue, 21 Oct 2008 11:30:04 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Tue, 21 Oct 2008 11:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-4577/CVE-2008-4578: security problems with the ACL plugin
Date: Tue, 21 Oct 2008 22:30:22 +1100
Package: dovecot-common
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for dovecot.

CVE-2008-4577[0]:
| The ACL plugin in Dovecot before 1.1.4 treats negative access rights
| as if they are positive access rights, which allows attackers to
| bypass intended access restrictions.

CVE-2008-4578[1]:
| The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass
| intended access restrictions by using the "k" right to create
| unauthorized "parent/child/child" mailboxes.

The upstream announcement can be found here[2]. I don't think this warrants
a DSA for etch and for lenny it could be fixed via unstable migration.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577
    http://security-tracker.debian.net/tracker/CVE-2008-4577
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4578
    http://security-tracker.debian.net/tracker/CVE-2008-4578
[2] http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
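The first CVE above says the ACL plugin treated negative access rights as if they were positive. The following stand-alone model, added here as an illustration and not Dovecot's own code, shows that failure mode beside the corrected evaluation. It assumes Dovecot-style ACL notation (an entry such as `user=alice lrwk` grants rights, and a leading `-` as in `-user=alice k` is a negative entry meant to remove them); the identifier names, the `k` right and the ACL text are constructed sample input. Only CVE-2008-4577 is modelled; the nested-mailbox issue of CVE-2008-4578 is not.

```python
"""Illustrative model of mailbox ACL evaluation for CVE-2008-4577.

Written for this page as an example; it is not Dovecot's code. It assumes
Dovecot-style ACL notation: "user=alice lrwk" grants rights, and a leading
'-' ("-user=alice k") marks a negative entry that should take rights away.
The buggy evaluator ignores the sign (the behaviour the CVE describes); the
fixed evaluator subtracts negative entries after merging positive ones.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    identifier: str        # e.g. "user=alice" (leading '-' already stripped)
    rights: frozenset      # single-letter rights such as 'l', 'r', 'w', 'k'
    negative: bool         # True for entries written with a leading '-'


def parse_acl(text: str) -> list:
    """Parse ACL text into entries; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, rights = line.split(None, 1)
        negative = ident.startswith("-")
        entries.append(AclEntry(ident.lstrip("-"),
                                frozenset(rights.replace(" ", "")),
                                negative))
    return entries


def effective_rights_buggy(entries: list, identifier: str) -> set:
    """Pre-fix behaviour: the sign is ignored, so a negative entry grants rights."""
    rights = set()
    for e in entries:
        if e.identifier == identifier:
            rights |= e.rights
    return rights


def effective_rights_fixed(entries: list, identifier: str) -> set:
    """Corrected behaviour: merge positive entries, then remove what the
    negative entries name."""
    rights = set()
    for e in entries:
        if e.identifier == identifier and not e.negative:
            rights |= e.rights
    for e in entries:
        if e.identifier == identifier and e.negative:
            rights -= e.rights
    return rights


# Constructed sample ACL: alice is granted list/read/write/create-child ('k'),
# then a negative entry is meant to take 'k' away again; bob only gets 'lr'.
SAMPLE_ACL = """
# mailbox ACL (constructed sample)
user=alice lrwk
-user=alice k
user=bob lr
"""


def compare(identifier: str = "user=alice", right: str = "k") -> dict:
    """Report whether `identifier` ends up holding `right` under each evaluator."""
    entries = parse_acl(SAMPLE_ACL)
    return {
        "buggy": right in effective_rights_buggy(entries, identifier),
        "fixed": right in effective_rights_fixed(entries, identifier),
    }


if __name__ == "__main__":
    print(compare())  # {'buggy': True, 'fixed': False}
```

The point of the ordering in `effective_rights_fixed` is that a denial must be applied after every grant for the same identifier has been merged; an evaluator that folds entries in file order with a single set union cannot express a denial at all, which is exactly what turns `-user=alice k` into an extra grant.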




Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#502967; Package dovecot-common. (Sat, 25 Oct 2008 18:45:03 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Sat, 25 Oct 2008 18:45:03 GMT)


Message #10 received at 502967@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 502967@bugs.debian.org
Subject: Patch available in upstream VCS
Date: Sat, 25 Oct 2008 19:36:51 +0100
CVE-2008-4577 has been fixed in the 1.0 branch, but hasn't been released
yet:

http://hg.dovecot.org/dovecot-1.0/rev/2dc3a5678fe5

I'm building packages including this fix and the FTBFS fix (#498679);
let me know if it's okay to upload.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#502967; Package dovecot-common. (Sat, 01 Nov 2008 13:30:02 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Sat, 01 Nov 2008 13:30:02 GMT)


Message #15 received at 502967@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 502967@bugs.debian.org
Subject: Re: Bug#502967: Patch available in upstream VCS
Date: Sat, 1 Nov 2008 14:27:50 +0100
Hi Dominic,
* Dominic Hargreaves <dom@earth.li> [2008-10-26 02:51]:
> CVE-2008-4577 has been fixed in the 1.0 branch, but hasn't been released
> yet:
> 
> http://hg.dovecot.org/dovecot-1.0/rev/2dc3a5678fe5
> 
> I'm building packages including this fix and the FTBFS fix (#498679);
> let me know if it's okay to upload.

This looks ok. What about 
http://hg.dovecot.org/dovecot-1.1/rev/d2657188377b which 
fixes the other issue?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#502967; Package dovecot-common. (Sat, 01 Nov 2008 16:24:02 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Sat, 01 Nov 2008 16:24:02 GMT)


Message #20 received at 502967@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Nico Golde <nion@debian.org>
Cc: 502967@bugs.debian.org, Timo Sirainen <tss@iki.fi>
Subject: Re: Bug#502967: Patch available in upstream VCS
Date: Sat, 1 Nov 2008 16:17:31 +0000
On Sat, Nov 01, 2008 at 02:27:50PM +0100, Nico Golde wrote:
> This looks ok. What about 
> http://hg.dovecot.org/dovecot-1.1/rev/d2657188377b which 
> fixes the other issue?

I wasn't quite so confident about applying that straight away; I did
intend to talk to upstream about its applicability to the 1.0 series but
never got around to it.

Timo, do you have any comments about whether the above changeset could
be applied easily to dovecot 1.0? I've already applied 
http://hg.dovecot.org/dovecot-1.0/rev/2dc3a5678fe5
for the Debian packages.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#502967; Package dovecot-common. (Sat, 01 Nov 2008 16:30:10 GMT)


Acknowledgement sent to Timo Sirainen <tss@iki.fi>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Sat, 01 Nov 2008 16:30:11 GMT)


Message #25 received at 502967@bugs.debian.org:

From: Timo Sirainen <tss@iki.fi>
To: Dominic Hargreaves <dom@earth.li>
Cc: Nico Golde <nion@debian.org>, 502967@bugs.debian.org
Subject: Re: Bug#502967: Patch available in upstream VCS
Date: Sat, 01 Nov 2008 18:26:15 +0200
On Sat, 2008-11-01 at 16:17 +0000, Dominic Hargreaves wrote:
> On Sat, Nov 01, 2008 at 02:27:50PM +0100, Nico Golde wrote:
> > This looks ok. What about 
> > http://hg.dovecot.org/dovecot-1.1/rev/d2657188377b which 
> > fixes the other issue?
> 
> I wasn't quite so confident about applying that straight away; I did
> intend to talk to upstream about its applicability to the 1.0 series but
> never got around to it.
> 
> Timo, do you have any comments about whether the above changeset could
> be applied easily to dovecot 1.0? I've already applied 
> http://hg.dovecot.org/dovecot-1.0/rev/2dc3a5678fe5
> for the Debian packages.

Other distros' people have also asked me about that, but I haven't
bothered even trying to see how difficult it would be to backport to
v1.0. Maybe see if it's already been done in suse/redhat :)


Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#502967; Package dovecot-common. (Sat, 01 Nov 2008 17:42:05 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Sat, 01 Nov 2008 17:42:05 GMT)


Message #30 received at 502967@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Timo Sirainen <tss@iki.fi>
Cc: Dominic Hargreaves <dom@earth.li>, 502967@bugs.debian.org
Subject: Re: Bug#502967: Patch available in upstream VCS
Date: Sat, 1 Nov 2008 18:36:48 +0100
Hi Timo,
* Timo Sirainen <tss@iki.fi> [2008-11-01 18:30]:
> On Sat, 2008-11-01 at 16:17 +0000, Dominic Hargreaves wrote:
> > On Sat, Nov 01, 2008 at 02:27:50PM +0100, Nico Golde wrote:
> > > This looks ok. What about 
> > > http://hg.dovecot.org/dovecot-1.1/rev/d2657188377b which 
> > > fixes the other issue?
> > 
> > I wasn't quite so confident about applying that straight away; I did
> > intend to talk to upstream about its applicability to the 1.0 series but
> > never got around to it.
> > 
> > Timo, do you have any comments about whether the above changeset could
> > be applied easily to dovecot 1.0? I've already applied 
> > http://hg.dovecot.org/dovecot-1.0/rev/2dc3a5678fe5
> > for the Debian packages.
> 
> Other distros' people have also asked me about that, but I haven't
> bothered even trying to see how difficult it would be to backport to
> v1.0. Maybe see if it's already been done in suse/redhat :)

At least redhat is not going to release a security update 
with this patch as it is too intrusive :/

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#502967; Package dovecot-common. (Sun, 16 Nov 2008 16:33:07 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Sun, 16 Nov 2008 16:33:07 GMT)


Message #35 received at 502967@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Timo Sirainen <tss@iki.fi>
Cc: Dominic Hargreaves <dom@earth.li>, 502967@bugs.debian.org
Subject: Re: Bug#502967: Patch available in upstream VCS
Date: Sun, 16 Nov 2008 17:24:45 +0100
Hi,
any news on this issue? It would be nice to get this fixed 
for lenny.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#502967; Package dovecot-common. (Wed, 19 Nov 2008 17:36:07 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Wed, 19 Nov 2008 17:36:07 GMT)


Message #40 received at 502967@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Nico Golde <nion@debian.org>
Cc: Timo Sirainen <tss@iki.fi>, 502967@bugs.debian.org
Subject: Re: Bug#502967: Patch available in upstream VCS
Date: Wed, 19 Nov 2008 17:32:24 +0000
On Sun, Nov 16, 2008 at 05:24:45PM +0100, Nico Golde wrote:
> Hi,
> any news on this issue? It would be nice to get this fixed 
> for lenny.

None from me - I'm not the maintainer and in any case don't have the
expertise to backport this fix, sorry.

I'm not sure what the solution to this is; it's rather unfortunate that
lenny contains what's now an old branch of code that probably won't be
maintained any more.

Might be worth asking on the dovecot list to see if anyone is able to
offer a backport?

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#502967; Package dovecot-common. (Wed, 19 Nov 2008 17:57:02 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Wed, 19 Nov 2008 17:57:03 GMT)


Message #45 received at 502967@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Nico Golde <nion@debian.org>
Cc: 502967@bugs.debian.org
Subject: Re: Bug#502967: Patch available in upstream VCS
Date: Wed, 19 Nov 2008 17:55:13 +0000
On Wed, Nov 19, 2008 at 05:32:24PM +0000, Dominic Hargreaves wrote:

> I'm not sure what the solution to this is; it's rather unfortunate that
> lenny contains what's now an old branch of code that probably won't be
> maintained any more.
> 
> Might be worth asking on the dovecot list to see if anyone is able to
> offer a backport?

For completeness, Redhat decision on this:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-4578

"The risks associated with fixing this bug are greater than the low
severity security risk. We therefore currently have no plans to fix
this flaw in Red Hat Enterprise Linux 5."

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#502967; Package dovecot-common. (Sat, 29 Nov 2008 10:21:08 GMT)


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Sat, 29 Nov 2008 10:21:09 GMT)


Message #50 received at 502967@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 502967@bugs.debian.org
Subject: CVE-2008-4578
Date: Sat, 29 Nov 2008 11:15:47 +0100 (CET)
> For completeness, Redhat decision on this:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-4578
>
> "The risks associated with fixing this bug are greater than the low
> severity security risk. We therefore currently have no plans to fix
> this flaw in Red Hat Enterprise Linux 5."

I agree with them that the severity is so low that it doesn't justify the 
work to backport and test the patch. I will mark it as no-dsa for lenny in 
the security tracker.




Reply sent to Fabio Tranchitella <fabio@tranchitella.it>:
You have taken responsibility. (Fri, 27 Feb 2009 16:06:13 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Fri, 27 Feb 2009 16:06:13 GMT)


Message #55 received at 502967-done@bugs.debian.org:

From: Fabio Tranchitella <fabio@tranchitella.it>
To: 502967-done@bugs.debian.org
Subject: Closing old bug reports
Date: Fri, 27 Feb 2009 17:04:31 +0100
Version: 1:1.1.9-1

This bug has been fixed in 1:1.1.9-1.

-- 
Fabio Tranchitella                         http://www.kobold.it
Free Software Developer and Consultant     http://www.tranchitella.it
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Mar 2009 07:34:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:48:42 2019; Machine Name: buxtehude
