Bug 436927 (CVE-2008-1199) - CVE-2008-1199 dovecot: insecure mail_extra_groups option
Summary: CVE-2008-1199 dovecot: insecure mail_extra_groups option
Alias: CVE-2008-1199
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=vendorsec,reported=20080301,pu...
Keywords: Security
Depends On: 437152
Reported: 2008-03-11 07:52 UTC by Tomas Hoger
Modified: 2008-06-02 14:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-06-02 14:07:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0297 normal SHIPPED_LIVE Low: dovecot security and bug fix update 2008-05-21 14:20:08 UTC

Description Tomas Hoger 2008-03-11 07:52:23 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1199 to the following vulnerability:

Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.



Comment 2 Tomas Hoger 2008-03-12 16:41:58 UTC
Upstream patch referenced also in BugTraq post mentioned in initial comment:


Comment 3 Tomas Hoger 2008-03-12 16:55:17 UTC
Dovecot packages as shipped in Red Hat Enterprise Linux 4 and 5 and Fedora do
not set mail_extra_groups by default.

User mailboxes are created in /var/(spool/)mail/ directory by default.  That
directory is mail-group writable.  Permissions on individual mailbox files may
- root mailbox is root:root 600
- user mailbox created by useradd is <user>:mail 660, hence mail group writable
  - on RHEL4, mailbox file is created by useradd by default
  - on RHEL5, mailbox file is not created by useradd by default, but this may
    change in future updates of shadow-utils package
    (automatic mailbox creation can also be enabled by adding:
     to /etc/default/useradd file)
  - user mailbox created by procmail / postfix /... is <user>:mail 600 by

If mail_extra_groups option is set to mail, IMAP users who also have shell
access can possibly read, modify or delete inbox files of other users, which are
stored in /var/mail .

Possible mitigations:
- do not set mail_extra_groups to mail
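The following POSIX shell script is an added example, not part of this bug report and not Dovecot project code. It implements the two checks a defender would want from comment 3: whether a dovecot.conf sets mail_extra_groups to include "mail", and how many mailbox files in a spool directory are group-writable (the useradd-style 660 case the comment describes). It builds a constructed sample config and spool under a temporary directory so it runs offline; the file names and the sample settings are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or from Dovecot): audit for the
# mail_extra_groups = mail configuration described in CVE-2008-1199 and
# count group-writable mailbox files in a spool directory.

# Return 0 if mail_extra_groups in $1 does NOT include "mail" (the safe
# state per comment 3), 1 if it does. Comments are stripped first and, as in
# Dovecot, the last assignment wins.
mail_extra_groups_safe() {
    val=$(sed -e 's/#.*//' "$1" \
        | awk -F= '$1 ~ /^[ \t]*mail_extra_groups[ \t]*$/ { v = $2 } END { print v }' \
        | tr -d ' \t')
    case ",$val," in
        *,mail,*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Print the number of regular files under $1 that are group-writable
# (octal mode bit 020), i.e. the <user>:mail 660 mailboxes from comment 3.
count_group_writable() {
    find "$1" -type f -perm -020 | wc -l | tr -d ' '
}

# Build a constructed sample: an unsafe and a safe config plus a tiny spool.
# Prints the temporary directory it created.
build_sample() {
    tmp=$(mktemp -d)
    cat > "$tmp/dovecot-unsafe.conf" <<'EOF'
# constructed sample: the configuration this bug warns about
protocols = imap pop3
mail_location = mbox:~/mail:INBOX=/var/mail/%u
# grant the mail group so dotlocks can be created in /var/mail
mail_extra_groups = mail
EOF
    cat > "$tmp/dovecot-safe.conf" <<'EOF'
# constructed sample: same configuration without the extra group
protocols = imap pop3
mail_location = mbox:~/mail:INBOX=/var/mail/%u
#mail_extra_groups = mail
EOF
    mkdir -p "$tmp/mail"
    : > "$tmp/mail/alice"; chmod 660 "$tmp/mail/alice"   # useradd-style mailbox
    : > "$tmp/mail/bob";   chmod 600 "$tmp/mail/bob"     # procmail/postfix-style
    echo "$tmp"
}

# Stand-alone run: report on the constructed sample, then clean up.
d=$(build_sample)
for c in "$d/dovecot-unsafe.conf" "$d/dovecot-safe.conf"; do
    if mail_extra_groups_safe "$c"; then
        echo "OK    $c"
    else
        echo "RISK  $c: mail_extra_groups grants group mail"
    fi
done
echo "group-writable mailbox files in $d/mail: $(count_group_writable "$d/mail")"
rm -rf "$d"
```

To audit a real host, call `mail_extra_groups_safe /etc/dovecot.conf` and `count_group_writable /var/mail` instead of the constructed sample; a non-zero count together with an unsafe config is exactly the combination comment 3 describes.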

Comment 6 Fedora Update System 2008-03-13 07:47:24 UTC
dovecot-1.0.13-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2008-03-13 07:49:34 UTC
dovecot-1.0.13-18.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Tomas Hoger 2008-03-13 08:14:02 UTC
Giving this low, as this does not affect default or likely configuration and can
easily be resolved by not setting mail as mail_extra_groups.

Comment 9 Tomas Hoger 2008-06-02 14:07:17 UTC
This issue was resolved for dovecot packages shipped in Red Hat Enterprise Linux
5 in the following errata:


As mentioned above, this issue did not affect default configuration of any
dovecot version as shipped in Red Hat Enterprise Linux 4 and 5, and Fedora.  The
risks associated with fixing this bug in dovecot packages in Red Hat Enterprise
Linux 4 are greater than the low severity security risk. We therefore currently
have no plans to fix this flaw in Red Hat Enterprise Linux 4.
