Bug 640410 (CVE-2010-3707)

Summary: CVE-2010-3707 Dovecot: Failed to properly update ACL cache when multiple rules defined rights for one subject
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: mhlavink
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-05-19 14:04:47 UTC
Bug Depends On: 654226

Description Jan Lieskovsky 2010-10-05 19:01:45 UTC
A security flaw was found in the way the Dovecot mail server updated
its own Access Control List (ACL) cache when multiple rules were
used for the definition of rights for one particular subject (the more
common rule was applied instead of the restricted rights set). Due
to this deficiency, the intended ACL rights for certain users were not
applied correctly, allowing those users to perform certain tasks
despite the form of the ACL rights configuration file.

References:
[1] http://www.dovecot.org/list/dovecot/2010-October/053450.html
[2] http://www.dovecot.org/list/dovecot/2010-October/053452.html
[3] http://wiki.dovecot.org/ACL
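The following is an added, offline model of how rights in a dovecot-acl file are expected to resolve for one subject, placed beside a model of the failure mode the description names (a broader rule replacing a more specific, restrictive one). It is example code written for this page, not Dovecot's ACL plugin, its cache code, or the upstream fix; the identifier precedence order, the treatment of negative ("-") rules, and the sample ACL file are all assumptions stated in the code, so check them against the ACL wiki [3] and the Dovecot version you run.

```python
"""Offline model of dovecot-acl rights resolution (added example, not Dovecot code).

Assumptions (verify against your Dovecot version and wiki.dovecot.org/ACL):
  * one rule per line: "<identifier> <rights>", "#" starts a comment,
  * identifiers: anyone/anonymous, authenticated, owner, user=NAME,
    group=NAME, group-override=NAME; a leading "-" makes the rule negative,
  * positive rights of the most specific matching identifier kind are used
    (order given by PRECEDENCE), then negative rights of every matching
    rule are removed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

ALL_RIGHTS = "lrwstipekxa"   # right letters used by Dovecot's ACL plugin
# Most specific first. Assumed order: group-override is documented as
# overriding user= rights; the rest is by decreasing specificity.
PRECEDENCE = ("group-override", "user", "owner", "group", "authenticated", "anyone")

Rule = Tuple[bool, str, Optional[str], Set[str]]   # (negative, kind, name, rights)


@dataclass(frozen=True)
class Subject:
    user: Optional[str]                    # None means an anonymous session
    groups: FrozenSet[str] = frozenset()
    owner: bool = False                    # subject owns the mailbox


def parse_acl(text: str) -> List[Rule]:
    """Parse dovecot-acl lines into rules; reject identifiers/rights not modelled."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        ident = parts[0]
        rights = set(parts[1].strip()) if len(parts) > 1 else set()
        if not rights <= set(ALL_RIGHTS):
            raise ValueError("unknown right in: " + raw)
        negative = ident.startswith("-")
        ident = ident[1:] if negative else ident
        if ident in ("anyone", "anonymous"):
            kind, name = "anyone", None
        elif ident in ("authenticated", "owner"):
            kind, name = ident, None
        else:
            kind, _, name = ident.partition("=")
            if kind not in ("user", "group", "group-override") or not name:
                raise ValueError("unknown identifier: " + ident)
        rules.append((negative, kind, name, rights))
    return rules


def _matches(kind: str, name: Optional[str], subj: Subject) -> bool:
    if kind == "anyone":
        return True
    if kind == "authenticated":
        return subj.user is not None
    if kind == "owner":
        return subj.owner
    if kind == "user":
        return subj.user == name
    return name in subj.groups             # group and group-override


def _fmt(rights: Set[str]) -> str:
    return "".join(c for c in ALL_RIGHTS if c in rights)


def effective_rights(rules: List[Rule], subj: Subject) -> str:
    """Intended behaviour: the most specific matching identifier kind wins."""
    positive: dict = {}
    negative: Set[str] = set()
    for neg, kind, name, rights in rules:
        if not _matches(kind, name, subj):
            continue
        if neg:
            negative |= rights
        else:
            positive.setdefault(kind, set()).update(rights)
    for kind in PRECEDENCE:
        if kind in positive:
            return _fmt(positive[kind] - negative)
    return ""


def rights_without_precedence(rules: List[Rule], subj: Subject) -> str:
    """Model of the failure mode in the bug description: every matching positive
    rule overwrites the cached rights, so a broader rule processed later
    (group=, authenticated, anyone) replaces a restrictive user= rule.
    Illustrative only; this is not Dovecot's actual cache code."""
    cached: Set[str] = set()
    negative: Set[str] = set()
    for neg, kind, name, rights in rules:
        if not _matches(kind, name, subj):
            continue
        if neg:
            negative |= rights
        else:
            cached = set(rights)
    return _fmt(cached - negative)


def excess_rights(rules: List[Rule], subj: Subject, observed: str) -> str:
    """Rights the server actually granted (e.g. from an IMAP MYRIGHTS reply)
    that the ACL file should not give this subject; empty string means OK."""
    return _fmt(set(observed) - set(effective_rights(rules, subj)))


# Constructed sample ACL file: alice is deliberately restricted to "lr" even
# though she is in the broader "staff" group; carol may not keep seen flags.
SAMPLE_ACL = """\
user=alice lr          # specific, restrictive rule first
anyone l
authenticated lrws
group=staff lrwsti     # broader rule processed later
-user=carol s
"""

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    alice = Subject("alice", frozenset({"staff"}))
    print("intended :", effective_rights(rules, alice))          # lr
    print("bug model:", rights_without_precedence(rules, alice))  # lrwsti
    print("excess   :", excess_rights(rules, alice, "lrwsti"))    # wsti
```

To use this as a post-update check, feed `excess_rights` the rights the live server reports for the subject (the IMAP MYRIGHTS command from RFC 4314, or Dovecot's doveadm acl tooling, depending on version); any non-empty result is a right the ACL file does not intend that subject to have.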

Comment 1 Jan Lieskovsky 2010-10-05 19:04:36 UTC
Upstream changeset:
[4] http://hg.dovecot.org/dovecot-1.2/rev/fd607e10e75d

Comment 2 Jan Lieskovsky 2010-10-05 19:07:52 UTC
This issue did NOT affect the version of the dovecot package, as shipped
with Red Hat Enterprise Linux 4 and 5.

This issue affects the version of the dovecot package, as shipped
with Red Hat Enterprise Linux 6.

Comment 5 Huzaifa S. Sidhpurwala 2010-11-17 09:27:06 UTC
Statement:

This issue did not affect the version of the dovecot package, as shipped with Red
Hat Enterprise Linux 4 and 5. This issue affects the version of the dovecot
package as shipped with Red Hat Enterprise Linux 6. The Red Hat Security
Response Team has rated this issue as having low security impact; a future
update may address this flaw.

Comment 7 errata-xmlrpc 2011-05-19 11:47:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0600 https://rhn.redhat.com/errata/RHSA-2011-0600.html