Bug 436927 (CVE-2008-1199)

Summary: CVE-2008-1199 dovecot: insecure mail_extra_groups option
Product: [Other] Security Response
Component: vulnerability
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: kreilly
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1199
Doc Type: Bug Fix
Last Closed: 2008-06-02 14:07:17 UTC
Bug Depends On: 437152

Description Tomas Hoger 2008-03-11 07:52:23 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1199 to the following vulnerability:

Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.

References:

http://www.securityfocus.com/archive/1/archive/1/489133/100/0/threaded
http://www.dovecot.org/list/dovecot-news/2008-March/000061.html
http://www.securityfocus.com/bid/28092
http://xforce.iss.net/xforce/xfdb/41009

Comment 2 Tomas Hoger 2008-03-12 16:41:58 UTC
Upstream patch referenced also in BugTraq post mentioned in initial comment:

http://dovecot.org/patches/1.0/dovecot-1.0.10.mail_priv_groups.diff
http://hg.dovecot.org/dovecot-1.0/rev/2c61c3cad1f1


Comment 3 Tomas Hoger 2008-03-12 16:55:17 UTC
Dovecot packages as shipped in Red Hat Enterprise Linux 4 and 5 and Fedora do
not set mail_extra_groups by default.

User mailboxes are created in /var/(spool/)mail/ directory by default.  That
directory is mail-group writable.  Permissions on individual mailbox files may
differ:
- root mailbox is root:root 600
- user mailbox created by useradd is <user>:mail 660, hence mail group writable
  - on RHEL4, mailbox file is created by useradd by default
  - on RHEL5, mailbox file is not created by useradd by default, but this may
    change in future updates of shadow-utils package
    (automatic mailbox creation can also be enabled by adding:
     CREATE_MAIL_SPOOL=yes
     to /etc/default/useradd file)
  - user mailbox created by procmail / postfix /... is <user>:mail 600 by
    default

If mail_extra_groups option is set to mail, IMAP users who also have shell
access can possibly read, modify or delete inbox files of other users, which are
stored in /var/mail.

Possible mitigations:
- do not set mail_extra_groups to mail


Comment 6 Fedora Update System 2008-03-13 07:47:24 UTC
dovecot-1.0.13-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2008-03-13 07:49:34 UTC
dovecot-1.0.13-18.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Tomas Hoger 2008-03-13 08:14:02 UTC
Giving this low, as this does not affect default or likely configuration and can
easily be resolved by not setting mail as mail_extra_groups.

Comment 9 Tomas Hoger 2008-06-02 14:07:17 UTC
This issue was resolved for dovecot packages shipped in Red Hat Enterprise Linux
5 in the following errata:

  https://rhn.redhat.com/errata/RHSA-2008-0297.html

As mentioned above, this issue did not affect default configuration of any
dovecot version as shipped in Red Hat Enterprise Linux 4 and 5, and Fedora.  The
risks associated with fixing this bug in dovecot packages in Red Hat Enterprise
Linux 4 are greater than the low severity security risk. We therefore currently
have no plans to fix this flaw in Red Hat Enterprise Linux 4.