Bug 746266 (CVE-2009-3897)

Summary:	CVE-2009-3897 dovecot: Insecure permissions set for certain directories at installation time
Product:	[Other] Security Response	Reporter:	Jan Lieskovsky <jlieskov>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED WONTFIX	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	unspecified	CC:	jrusnack, mhlavink
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2015-03-06 12:03:54 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Bug Depends On:
Bug Blocks:	746273

Description Jan Lieskovsky 2011-10-14 15:07:20 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3897 to the following vulnerability:

Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself. 

References:
[1]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3897
[2]  http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
[3]  http://marc.info/?l=oss-security&m=125871729029145&w=2
[4]  http://marc.info/?l=oss-security&m=125881481222441&w=2
[5]  http://marc.info/?l=oss-security&m=125900271508796&w=2
[6]  http://marc.info/?l=oss-security&m=125900267208712&w=2
[7]  http://www.mandriva.com/security/advisories?name=MDVSA-2009:306
[8]  http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
[9]  http://www.securityfocus.com/bid/37084
[10] http://www.osvdb.org/60316
[11] http://secunia.com/advisories/37443
[12] http://www.vupen.com/english/advisories/2009/3306
[13] http://xforce.iss.net/xforce/xfdb/54363
[14] http://www.gentoo.org/security/en/glsa/glsa-201110-04.xml
[15] http://packetstormsecurity.org/files/view/105775/sa46363.txt

Comment 1 Huzaifa S. Sidhpurwala 2011-10-17 09:23:26 UTC

Upstream patch:

http://hg.dovecot.org/dovecot-1.2/rev/3ebbccdc05e6

Comment 2 Huzaifa S. Sidhpurwala 2011-10-17 09:27:18 UTC

rhel-5 uses dovecot-1.0, here is the relevant code snippet:
============================================================

    803 	if (mkdir_parents(set->base_dir, 0777) < 0 && errno != EEXIST) {
    804 		i_error("mkdir(%s) failed: %m", set->base_dir);
    805 		return FALSE;
    806 	}

...

    812 	if ((st.st_mode & 0310) != 0310 || (st.st_mode & 0777) == 0777) {

...
    822 		if (chmod(set->base_dir, 0755) < 0)
    823 			i_error("chmod(%s) failed: %m", set->base_dir);
    824 	}
    825 


Here the base_dir is created with 0777 and then the permission is later changed to 0755

rhel-6 used dovecot-2.0, here:
==============================
    671 	if (mkdir_parents(set->base_dir, 0755) < 0 && errno != EEXIST) {
    672 		i_error("mkdir(%s) failed: %m", set->base_dir);
    673 		return FALSE;
    674 	}

...

    684 	if ((st.st_mode & 0755) != 0755) {
    685 		i_warning("Fixing permissions of %s to be world-readable",
    686 			  set->base_dir);
    687 		if (chmod(set->base_dir, 0755) < 0)
    688 			i_error("chmod(%s) failed: %m", set->base_dir);
    689 	}

and therefore is not affected by this issue

Comment 4 Huzaifa S. Sidhpurwala 2011-10-17 09:43:43 UTC

Statement:

This issue did not affect the version of dovecot shipped with Red Hat Enterprise Linux 6.