Red Hat Bugzilla – Bug 1028589
CVE-2013-6171 dovecot: passdb checkpassword authentication local bypass
Last modified: 2014-06-13 06:17:34 EDT
Timo Sirainen reports:
Some usage of passdb checkpassword could have been exploitable by
local users. You may need to modify your setup to keep it working.
From the dovecot wiki:
The standard checkpassword design is incompatible with Dovecot's security
model. If the system has local users and the checkpassword script setuid()s
into a local user, the user is able to ptrace into the communication and
change the authentication results. This is of course undesirable, so v2.2.7+
will just refuse to run in such environments by default. The possibilities to
solve this are:
1. If possible, change the checkpassword to return userdb_uid and userdb_gid
   extra fields instead of using setuid() and setgid(). This also improves the
2. If you can't change the script, you can make Dovecot's checkpassword-reply
   binary setuid or setgid (e.g.
   chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply;
   chmod g+s /usr/local/libexec/dovecot/checkpassword-reply)
3. If you don't have any untrusted local users and you just don't care about this
   check, you can set INSECURE_SETUID=1 environment e.g. with a wrapper
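Added example, written for this page and not taken from the bug report, the Dovecot wiki or the Dovecot source: a checkpassword script done the way the wiki's first option recommends, plus a small check for the second option. The script never setuid()s into the local user; it hands the identity back as userdb_uid/userdb_gid extra fields and execs the reply binary while still running as Dovecot's auth worker user, so there is no process owned by the local user for that user to ptrace. The user table, account names and passwords are constructed sample data; the NUL-separated request on fd 3, the reply binary arriving as $1, the USER/HOME/EXTRA environment fields and the 0/1/111 exit codes are the checkpassword interface conventions as this example assumes them (verify against the checkpassword documentation for your Dovecot version).

```shell
#!/bin/sh
# Added example (not Dovecot project code): a checkpassword script that returns
# userdb_uid/userdb_gid extra fields instead of calling setuid()/setgid().
#
# Assumptions (not from the bug page): SAMPLE_DB is a constructed table with
# plaintext passwords for demonstration only; request layout, $1 = reply
# binary, USER/HOME/EXTRA fields and exit codes 0/1/111 follow the classic
# checkpassword interface conventions.

# Constructed sample backend, one "user:password:uid:gid:home" row per line.
SAMPLE_DB='alice:s3cret:1001:1001:/home/alice
bob:hunter2:1002:1002:/home/bob'

# check_password USER PASS: exit 0 on a match, 1 otherwise.
# A real script would compare against a hash, never a stored plaintext.
check_password() {
    printf '%s\n' "$SAMPLE_DB" |
        awk -F: -v u="$1" -v p="$2" '$1 == u && $2 == p { ok = 1 } END { exit !ok }'
}

# lookup_user USER: prints "uid gid home"; exit 1 if the user is unknown.
lookup_user() {
    printf '%s\n' "$SAMPLE_DB" |
        awk -F: -v u="$1" '$1 == u { print $3, $4, $5; found = 1 } END { exit !found }'
}

# parse_request: reads the NUL-separated request (username\0password\0...)
# from stdin and sets REQ_USER / REQ_PASS; main() points stdin at fd 3.
parse_request() {
    fields=$(tr '\000' '\n')
    REQ_USER=$(printf '%s\n' "$fields" | sed -n '1p')
    REQ_PASS=$(printf '%s\n' "$fields" | sed -n '2p')
}

# reply_fields USER: prints the name=value pairs handed to the reply binary
# (the extra fields that replace setuid()/setgid() in the script).
reply_fields() {
    info=$(lookup_user "$1") || return 1
    set -- $info
    printf 'userdb_uid=%s userdb_gid=%s HOME=%s\n' "$1" "$2" "$3"
}

# reply_is_setid PATH: exit 0 if the reply binary carries a setuid or setgid
# bit (the wiki's second option).  Exec of a set-id binary leaves the process
# non-dumpable, so a local user cannot ptrace it even if the script already
# switched to that user before the exec.
reply_is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# main REPLY_BINARY: the entry point Dovecot invokes; $1 is the path to
# checkpassword-reply and the credentials arrive on fd 3.
main() {
    reply=$1
    parse_request <&3
    check_password "$REQ_USER" "$REQ_PASS" || exit 1   # 1 = authentication failed
    info=$(lookup_user "$REQ_USER") || exit 111         # 111 = temporary failure
    set -- $info
    # Rejected pattern (what v2.2.7+ refuses to run): dropping to the local
    # user before exec, e.g.  exec setuidgid "$REQ_USER" "$reply"
    # Instead, stay as the auth worker user and return the identity as fields;
    # Dovecot applies the uid/gid itself when it starts the mail process.
    export USER="$REQ_USER" HOME="$3" userdb_uid="$1" userdb_gid="$2"
    export EXTRA="userdb_uid userdb_gid"
    exec "$reply"
}

# Act as a checkpassword script only when a reply binary path was given.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Install it as the passdb checkpassword script and it runs the reply binary under the same uid it was started with, which is what the v2.2.7+ check expects; if you must keep a script that still drops privileges, reply_is_setid is the condition the second wiki option satisfies (setgid dovecot on checkpassword-reply), and INSECURE_SETUID=1 remains the only way to run without either.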
We don't support this. If somebody decides to use this functionality/script, it'll be their responsibility to implement this safely.
Not vulnerable. This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 5, 6 and 7.