Bug 1028589 - (CVE-2013-6171) CVE-2013-6171 dovecot: passdb checkpassword authentication local bypass
Product: Security Response
Classification: Other
Component: vulnerability
Platform: All Linux
Priority: low   Severity: low
Assigned To: Red Hat Product Security
Blocks: 1028590
Reported: 2013-11-08 15:04 EST by Kurt Seifried
Modified: 2014-06-13 06:17 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-13 06:17:34 EDT

Description Kurt Seifried 2013-11-08 15:04:46 EST
Timo Sirainen reports:

Some usage of passdb checkpassword could have been exploitable by
local users. You may need to modify your setup to keep it working.
See http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security

From the dovecot wiki:

The standard checkpassword design is incompatible with Dovecot's security model. If the system has local users and the checkpassword script setuid()s into a local user, the user is able to ptrace into the communication and change the authentication results. This is of course undesirable, so v2.2.7+ will just refuse to run in such environments by default. The possibilities to solve this are:

If possible, change the checkpassword to return userdb_uid and userdb_gid extra fields instead of using setuid() and setgid(). This also improves the

If you can't change the script, you can make Dovecot's checkpassword-reply binary setuid or setgid (e.g. chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply; chmod g+s /usr/local/libexec/dovecot/checkpassword-reply)

If you don't have any untrusted local users and you just don't care about this check, you can set INSECURE_SETUID=1 environment e.g. with a wrapper checkpassword script.

External references:
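The first mitigation quoted above (return userdb_uid/userdb_gid extra fields instead of calling setuid()/setgid() in the script), as an added shell example that is not code from this bug report or from the Dovecot project. It assumes the checkpassword calling convention as documented on the Dovecot wiki (credentials on fd 3, checkpassword-reply as argv[1], extra fields named in EXTRA) and uses a constructed plaintext user table in place of a real credential store.

```shell
#!/bin/sh
# Added example: a checkpassword script that does not setuid()/setgid() itself.
# It returns userdb_uid/userdb_gid/userdb_home as extra fields and execs
# Dovecot's checkpassword-reply as the same (auth) user, so no process owned by
# the local user being authenticated exists to ptrace the reply.
#
# Assumed convention (Dovecot wiki, not restated on the page): the record
# "user\0password\0timestamp\0" arrives on fd 3, argv[1..] is the reply command,
# exit 1 signals bad credentials, and EXTRA lists the exported extra fields.

# Constructed sample table (user:password:uid:gid:home). A real script would
# verify against a hashed credential store, never a plaintext table.
USER_TABLE='alice:correct-horse:1001:1001:/home/alice
bob:battery-staple:1002:1002:/home/bob'

# check_credentials NAME PASSWORD: prints "uid:gid:home" and returns 0 only
# when the user exists and the password matches; returns 1 otherwise.
check_credentials() {
    printf '%s\n' "$USER_TABLE" | awk -F: -v u="$1" -v p="$2" \
        '$1 == u && $2 == p { print $3 ":" $4 ":" $5; ok = 1 } END { exit ok ? 0 : 1 }'
}

# export_reply_fields "uid:gid:home": publish the identity for Dovecot, which
# changes to that uid/gid itself after authentication has completed.
export_reply_fields() {
    userdb_uid=${1%%:*}
    rest=${1#*:}
    userdb_gid=${rest%%:*}
    userdb_home=${rest#*:}
    EXTRA='userdb_uid userdb_gid userdb_home'
    export userdb_uid userdb_gid userdb_home EXTRA
}

checkpassword_main() {
    # Turn the NUL-separated record from fd 3 into lines; use the first two.
    input=$(tr '\0' '\n' <&3)
    user=$(printf '%s\n' "$input" | sed -n 1p)
    pass=$(printf '%s\n' "$input" | sed -n 2p)
    fields=$(check_credentials "$user" "$pass") || exit 1
    export_reply_fields "$fields"
    # No setuid()/setgid(): the reply binary keeps Dovecot's own credentials.
    exec "$@"
}

# Act as a checkpassword script only when Dovecot passes the reply command.
if [ "$#" -ge 1 ]; then checkpassword_main "$@"; fi
```

With this shape the script never needs the INSECURE_SETUID=1 escape hatch, and checkpassword-reply only has to be readable by Dovecot's auth user.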
Comment 2 Stefan Cornelius 2014-06-13 06:17:34 EDT
We don't support this. If somebody decides to use this functionality/script, it'll be their responsibility to implement this safely.


Not vulnerable. This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 5, 6 and 7.
