Bug 1786756 (CVE-2019-19783)
Summary: | CVE-2019-19783 cyrus-imapd: lmtpd component created mailboxes with administrator privileges if the "fileinto" was used, bypassing ACL checks | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | code, j, mailinglists, pzhukov, vanmeeuwen+fedora, zdohnal |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | cyrus-imapd 2.5.14, cyrus-imapd 3.0.12 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-11-04 02:23:56 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1786757, 1804047, 1804048 | ||
Bug Blocks: | 1786758 |
Description
Guilherme de Almeida Suckevicz
2019-12-27 17:46:41 UTC
Created cyrus-imapd tracking bugs for this issue: Affects: fedora-all [bug 1786757] Analysis: Sieve scripts allow creation custom mail boxes when "fileinto" directives are used. If a user is not allowed to create a new mail box but is allowed to upload a custom sieve script, then this flaw can be used to bypass this restriction. Since admin privs are used when new mailbox creation is triggerred via the fileinto directive. lmtpd no longer creates these mailboxes as administrator, so users may no longer use a ‘fileinto’ directive to create a mailbox they couldn’t create otherwise. Upstream patch: https://github.com/cyrusimap/cyrus-imapd/commit/673ebd96e2efbb8895d08648983377262f35b3f7 Mitigation: This flaw can be mitigated by: 1. In cyrus-imapd >= 2.5 disable anysievefolder (it is disabled by default) 2. In cyrus-imapd >=3.0 disable sieve_extensions This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19783 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4655 https://access.redhat.com/errata/RHSA-2020:4655 |