Bug 467436 (CVE-2008-4577)

Summary: CVE-2008-4577 dovecot: incorrect handling of negative rights in the ACL plugin
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bressers, dan, jrusnack, kreilly, kseifried, mhlavink
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4577
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-09-30 20:48:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 469015
Bug Blocks:

Description Tomas Hoger 2008-10-17 14:05:46 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4577 to the following vulnerability:

The ACL plugin in Dovecot before 1.1.4 treats negative access rights
as if they are positive access rights, which allows attackers to
bypass intended access restrictions.

Upstream patch:
http://hg.dovecot.org/dovecot-1.1/rev/aac3b42f3f8a

References:
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
http://bugs.gentoo.org/show_bug.cgi?id=240409
http://www.securityfocus.com/bid/31587
http://www.frsirt.com/english/advisories/2008/2745
http://secunia.com/advisories/32164

Comment 3 Tomas Hoger 2008-10-21 12:47:58 UTC
This issue does not affect the Dovecot version shipped with Red Hat Enterprise Linux 4, as it does not include the ACL plugin at all.

This issue affects the Dovecot version shipped in Red Hat Enterprise Linux 5.  This flaw can possibly allow IMAP users to bypass intended access restrictions; however, as the negative ACLs do not seem to be documented in the upstream documentation (http://wiki.dovecot.org/ACL), they are not very likely to be used and can easily be worked around by being replaced with positive ACLs.  Therefore, this will be treated as a low-impact security issue.
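To make the failure mode described in the CVE text and in the comment above concrete, here is a small ACL evaluator added as an illustration. It is constructed for this page and is not Dovecot's code, not the upstream patch, and not part of the bug report. It assumes a simplified model: rights are single letters, an entry names an identifier (user=, group=, or anyone) followed by its rights, a leading "-" marks a negative (deny) right, and a deny is meant to win over any grant. The buggy evaluator drops the "-" marker and grants the right, which is what "treats negative access rights as if they are positive" amounts to; the fixed evaluator subtracts denied rights last. A small audit helper lists the entries that rely on negative rights, which is what an administrator would want to find when applying the workaround of replacing them with positive grants.

```python
"""Toy ACL evaluator contrasting buggy and correct handling of negative rights.

Constructed illustration for CVE-2008-4577; not Dovecot's code and not the
upstream fix. The syntax and semantics below are assumptions of this example:
single-letter rights (e.g. 'l' lookup, 'r' read, 'w' write), entries of the
form '<identifier> <rights>', and a leading '-' marking a deny that should
override any grant.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    identifier: str   # e.g. "user=alice", "group=staff", "anyone"
    rights: str       # e.g. "lrw" (grant) or "-w" (deny)


def parse_acl(text):
    """Parse '<identifier> <rights>' lines into AclEntry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, _, rights = line.partition(" ")
        rights = rights.strip()
        if not ident or not rights:
            raise ValueError(f"malformed ACL line: {raw!r}")
        entries.append(AclEntry(ident, rights))
    return entries


def _matches(entry, user, groups):
    """Does this entry apply to the given user / group membership?"""
    if entry.identifier == "anyone":
        return True
    if entry.identifier == f"user={user}":
        return True
    if entry.identifier.startswith("group="):
        return entry.identifier[len("group="):] in groups
    return False


def effective_rights_buggy(entries, user, groups=()):
    """Vulnerable behaviour: the '-' marker is discarded and the rights it
    prefixed are granted, so '-w' ends up acting like 'w'."""
    granted = set()
    for e in entries:
        if _matches(e, user, groups):
            granted |= set(e.rights.lstrip("-"))
    return granted


def effective_rights_fixed(entries, user, groups=()):
    """Corrected behaviour: grants accumulate, denies are collected separately
    and subtracted at the end, so a negative right always wins."""
    granted, denied = set(), set()
    for e in entries:
        if not _matches(e, user, groups):
            continue
        if e.rights.startswith("-"):
            denied |= set(e.rights[1:])
        else:
            granted |= set(e.rights)
    return granted - denied


def negative_entries(entries):
    """Audit helper: entries that rely on negative rights. On an unfixed
    version these are the ones to rewrite as positive grants."""
    return [e for e in entries if e.rights.startswith("-")]


# Constructed sample: everyone may list and read, staff may also write,
# but user "bob" (a staff member) must not write.
SAMPLE_ACL = """\
anyone lr
group=staff lrw
user=bob -w
"""


def demo():
    """Return (buggy, fixed) effective rights for bob as sorted lists."""
    entries = parse_acl(SAMPLE_ACL)
    buggy = effective_rights_buggy(entries, "bob", groups=("staff",))
    fixed = effective_rights_fixed(entries, "bob", groups=("staff",))
    return sorted(buggy), sorted(fixed)


if __name__ == "__main__":
    print(demo())
```

With the sample ACL, the buggy evaluator hands bob the write right his deny entry was supposed to remove, while the fixed one leaves him with list and read only; `negative_entries` reports the single `user=bob -w` line as the one an administrator would need to restate positively.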

Comment 4 Tomas Hoger 2008-10-21 12:59:04 UTC
Public report on the Dovecot mailing list:

http://dovecot.org/list/dovecot/2008-September/033475.html

Comment 5 Fedora Update System 2008-10-29 09:01:13 UTC
dovecot-1.0.15-14.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/dovecot-1.0.15-14.fc9

Comment 6 Fedora Update System 2008-10-29 09:02:34 UTC
dovecot-1.0.15-14.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/dovecot-1.0.15-14.fc8

Comment 8 Fedora Update System 2008-10-30 12:49:02 UTC
dovecot-1.0.15-14.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-10-30 12:51:53 UTC
dovecot-1.0.15-14.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Kurt Seifried 2011-09-30 20:48:23 UTC
This issue has been addressed in the following products:

  RHEL Desktop Workstation (v. 5 client)
  Red Hat Enterprise Linux (v. 5 server)

Via RHSA-2009:0205 available at https://rhn.redhat.com/errata/RHSA-2009-0205.html