Bug 436928 (CVE-2008-1218)
Summary: | CVE-2008-1218 dovecot: unauthorized login | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | tjanouse |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1218 | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-03-12 17:27:23 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Tomas Hoger
2008-03-11 07:55:29 UTC
Minimal fix for 1.0 branch: http://hg.dovecot.org/dovecot-1.0/raw-rev/da2a9372e26e

This issue does not affect the dovecot version as shipped in Red Hat Enterprise Linux 4 (it is a pre-1.0 version).

This issue cannot be used to get password-less login on the dovecot package as shipped in Red Hat Enterprise Linux 5 and Fedora, as that was possible using the skip_password_check option used by the internal dovecot inter-process communication protocol, which was only introduced in version 1.0.11.

As mentioned in comment #3, it was not possible to take advantage of this flaw to get password-less login with Dovecot shipped in Red Hat Enterprise Linux 5, due to the skip_password_check option not being supported as a valid internal communication protocol issue, as is also noted in the upstream announcement.

This issue affects communication between the dovecot-auth process and a dedicated dovecot-auth worker process. The request where a <tab> in the password may cause problems is created by passdb_blocking_verify_plain() in auth/passdb-blocking.c, calling auth_request_export() to write the request options. On the other side, the worker process parses such a request using the auth_request_import() function. Only options recognized by auth_request_import(), but not added by auth_request_export(), can be injected. There is only one such option, cert_username, which can only override the user-supplied user name. For other options, any value injected by an attacker is overridden in auth_request_import() by the value supplied by Dovecot (listed in the request after the attacker-provided value). An attacker can possibly cause a minor memory leak in the dovecot-auth worker process. Those worker processes are created and destroyed (even after some period of inactivity) by the master Dovecot process as needed. Even if one runs out of memory and crashes, it will be replaced by a new process when needed.

Based on the analysis described in comment #4, we do plan to issue updates addressing this issue in dovecot packages shipped in Red Hat Enterprise Linux.
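The following is an added illustration, not Dovecot's code: a small Python model of the tab-separated worker request described in the analysis above, showing why a <tab> in the password can only inject a key the exporter never writes itself (cert_username) while other injected values are overwritten by the fields Dovecot appends afterwards, and what a hardened writer that refuses separator characters looks like. The field layout ("PASSV", password, then key=value pairs) and the accepted key set are simplifying assumptions made for this example.

```python
TAB = "\t"

# Keys the modelled worker-side parser accepts. "cert_username" is the one
# key the writer below never emits itself (assumption mirroring the
# analysis above), so an injected copy is never overwritten.
IMPORT_KEYS = {"user", "service", "cert_username"}


def build_request_vulnerable(password, user, service):
    """Unescaped writer: password first, then the fields Dovecot supplies."""
    return TAB.join(["PASSV", password, "user=" + user, "service=" + service])


def build_request_hardened(password, user, service):
    """Same layout, but a value containing a separator is refused."""
    for value in (password, user, service):
        if TAB in value or "\n" in value:
            raise ValueError("value contains a protocol separator")
    return build_request_vulnerable(password, user, service)


def parse_request(line):
    """Worker-side reader: args[1] is the password, the remaining fields are
    key=value pairs applied in order, so a later pair overwrites an earlier one."""
    args = line.split(TAB)
    if len(args) < 2 or args[0] != "PASSV":
        raise ValueError("unexpected request format")
    request = {"password": args[1]}
    for field in args[2:]:
        key, _, value = field.partition("=")
        if key in IMPORT_KEYS:
            request[key] = value  # unrecognised keys are ignored
    return request


def injected_request():
    """Constructed password carrying two injected fields; returns what the
    worker would see. Only cert_username survives, user= is overwritten."""
    crafted = "secret" + TAB + "user=admin" + TAB + "cert_username=admin"
    return parse_request(build_request_vulnerable(crafted, "alice", "imap"))


def hardened_rejects(password):
    """True if the hardened writer refuses to serialise this password."""
    try:
        build_request_hardened(password, "alice", "imap")
    except ValueError:
        return True
    return False
```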
dovecot-1.0.13-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

dovecot-1.0.13-18.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.