Bug 746266 (CVE-2009-3897)

Summary: CVE-2009-3897 dovecot: Insecure permissions set for certain directories at installation time
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jrusnack, mhlavink
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-06 12:03:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 746273

Comment 1 Huzaifa S. Sidhpurwala 2011-10-17 09:23:26 UTC
Upstream patch:

http://hg.dovecot.org/dovecot-1.2/rev/3ebbccdc05e6

Comment 2 Huzaifa S. Sidhpurwala 2011-10-17 09:27:18 UTC
rhel-5 uses dovecot-1.0, here is the relevant code snippet:
============================================================

    if (mkdir_parents(set->base_dir, 0777) < 0 && errno != EEXIST) {
        i_error("mkdir(%s) failed: %m", set->base_dir);
        return FALSE;
    }

...

    if ((st.st_mode & 0310) != 0310 || (st.st_mode & 0777) == 0777) {

...
        if (chmod(set->base_dir, 0755) < 0)
            i_error("chmod(%s) failed: %m", set->base_dir);
    }


Here the base_dir is created with 0777 and then the permission is later changed to 0755.

rhel-6 uses dovecot-2.0, here:
==============================
    if (mkdir_parents(set->base_dir, 0755) < 0 && errno != EEXIST) {
        i_error("mkdir(%s) failed: %m", set->base_dir);
        return FALSE;
    }

...

    if ((st.st_mode & 0755) != 0755) {
        i_warning("Fixing permissions of %s to be world-readable",
                  set->base_dir);
        if (chmod(set->base_dir, 0755) < 0)
            i_error("chmod(%s) failed: %m", set->base_dir);
    }

and therefore is not affected by this issue.
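
The difference between the two snippets in Comment 2 is the mode passed to mkdir(): dovecot 1.0 asked for 0777 and relied on a later chmod() to tighten it, so with a permissive umask the base directory was briefly world-writable; dovecot 2.0 asks for 0755 from the start. The following is an added, stand-alone C example (not dovecot's code and not part of this bug report) of the safe pattern: request 0755 in the mkdir() call, tolerate EEXIST, then verify the result with stat() and repair a pre-existing directory whose mode differs. It also carries a small audit helper that flags group- or world-writable directories, which is the state the 1.0 code could leave behind if the chmod() never ran. The function names (create_base_dir, dir_mode_bits, is_group_or_world_writable, run_demo) and the /tmp scratch path are assumptions chosen for this example. The demo deliberately sets umask to 0 so the effect of the mkdir() mode is not hidden by the caller's umask.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits (low 12 bits of st_mode) of path, or -1 if stat() fails. */
int dir_mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Create a base directory without a world-writable window: the 0755 is
 * passed to mkdir() itself (umask can only make it tighter, never wider),
 * then the mode is checked with stat() and repaired if the directory
 * already existed with different bits. Returns 0 on success, -1 on failure. */
int create_base_dir(const char *path)
{
    struct stat st;

    if (mkdir(path, 0755) < 0 && errno != EEXIST) {
        fprintf(stderr, "mkdir(%s) failed: %s\n", path, strerror(errno));
        return -1;
    }
    if (stat(path, &st) < 0) {
        fprintf(stderr, "stat(%s) failed: %s\n", path, strerror(errno));
        return -1;
    }
    if (!S_ISDIR(st.st_mode)) {
        fprintf(stderr, "%s exists but is not a directory\n", path);
        return -1;
    }
    if ((st.st_mode & 07777) != 0755) {
        fprintf(stderr, "fixing permissions of %s from %04o to 0755\n",
                path, (unsigned)(st.st_mode & 07777));
        if (chmod(path, 0755) < 0) {
            fprintf(stderr, "chmod(%s) failed: %s\n", path, strerror(errno));
            return -1;
        }
    }
    return 0;
}

/* Audit helper: 1 if path is writable by group or others, 0 if not,
 * -1 if it cannot be stat()ed. Useful for checking an installed base dir. */
int is_group_or_world_writable(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Self-contained demonstration in a constructed scratch directory under
 * /tmp. Returns the number of checks that passed (3 when all is well). */
int run_demo(void)
{
    char scratch[] = "/tmp/basedir-demo-XXXXXX";   /* constructed template */
    char fresh[256], stale[256];
    int passed = 0;
    mode_t saved = umask(0);        /* worst case: umask masks nothing */

    if (mkdtemp(scratch) == NULL) {
        umask(saved);
        return -1;
    }
    snprintf(fresh, sizeof fresh, "%s/fresh", scratch);
    snprintf(stale, sizeof stale, "%s/stale", scratch);

    /* 1: a freshly created base dir comes out 0755 even with umask 0 */
    if (create_base_dir(fresh) == 0 && dir_mode_bits(fresh) == 0755)
        passed++;

    /* 2: a pre-existing 0777 directory is flagged by the audit helper */
    if (mkdir(stale, 0777) == 0 && is_group_or_world_writable(stale) == 1)
        passed++;

    /* 3: the same directory is repaired to 0755 via the EEXIST path */
    if (create_base_dir(stale) == 0 && dir_mode_bits(stale) == 0755
        && is_group_or_world_writable(stale) == 0)
        passed++;

    rmdir(fresh);
    rmdir(stale);
    rmdir(scratch);
    umask(saved);
    return passed;
}

int main(void)
{
    int n = run_demo();
    printf("%d of 3 checks passed\n", n);
    return n == 3 ? 0 : 1;
}
```

Compile with `cc -Wall -o basedir-demo basedir-demo.c` and run it; the audit helper on its own is what an installer or a post-install check would call against the real base directory (for example /var/run/dovecot) to confirm it is not group- or world-writable.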

Comment 4 Huzaifa S. Sidhpurwala 2011-10-17 09:43:43 UTC
Statement:

This issue did not affect the version of dovecot shipped with Red Hat Enterprise Linux 6.