This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 436927 - (CVE-2008-1199) CVE-2008-1199 dovecot: insecure mail_extra_groups option
CVE-2008-1199 dovecot: insecure mail_extra_groups option
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=vendorsec,reported=20080301,pu...
: Security
Depends On: 437152
Blocks:
  Show dependency treegraph
 
Reported: 2008-03-11 03:52 EDT by Tomas Hoger
Modified: 2008-06-02 10:07 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-02 10:07:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-03-11 03:52:23 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1199 to the following vulnerability:

Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.

References:

http://www.securityfocus.com/archive/1/archive/1/489133/100/0/threaded
http://www.dovecot.org/list/dovecot-news/2008-March/000061.html
http://www.securityfocus.com/bid/28092
http://xforce.iss.net/xforce/xfdb/41009
Comment 2 Tomas Hoger 2008-03-12 12:41:58 EDT
Upstream patch referenced also in BugTraq post mentioned in initial comment:

http://dovecot.org/patches/1.0/dovecot-1.0.10.mail_priv_groups.diff
http://hg.dovecot.org/dovecot-1.0/rev/2c61c3cad1f1
Comment 3 Tomas Hoger 2008-03-12 12:55:17 EDT
Dovecot packages as shipped in Red Hat Enterprise Linux 4 and 5 and Fedora do
not set mail_extra_groups by default.

User mailboxes are created in /var/(spool/)mail/ directory by default.  That
directory is mail-group writable.  Permissions on individual mailbox files may
differ:
- root mailbox is root:root 600
- user mailbox created by useradd is <user>:mail 660, hence mail group writable
  - on RHEL4, mailbox file is created by useradd by default
  - on RHEL5, mailbox file is not created by user add by default, but this may
    change in future updates of shadow-utils package
    (automatic mailbox creation can also be enabled by adding:
     CREATE_MAIL_SPOOL=yes
     to /etc/default/useradd file)
  - user mailbox created by procmail / postfix /... is <user>:mail 600 by
    default

If mail_extra_groups option is set to mail, IMAP users who also have shell
access can possibly read, modify or delete inbox files of other users, which are
stored in /var/mail .

Possible mitigations:
- do not set mail_extra_groups to mail
Comment 6 Fedora Update System 2008-03-13 03:47:24 EDT
dovecot-1.0.13-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2008-03-13 03:49:34 EDT
dovecot-1.0.13-18.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Tomas Hoger 2008-03-13 04:14:02 EDT
Giving this low, as this does not affect default or likely configuration and can
easily be resolved by not setting mail as mail_extra_groups.
Comment 9 Tomas Hoger 2008-06-02 10:07:17 EDT
This issue was resolved for dovecot packages shipped in Red Hat Enterprise Linux
5 in the following errata:

  https://rhn.redhat.com/errata/RHSA-2008-0297.html

As mentioned above, this issue did not affect default configuration of any
dovecot version as shipped in Red Hat Enterprise Linux 4 and 5, and Fedora.  The
risks associated with fixing this bug in dovecot packages in Red Hat Enterprise
Linux 4 are greater than the low severity security risk. We therefore currently
have no plans to fix this flaw in Red Hat Enterprise Linux 4.

Note You need to log in before you can comment on or make changes to this bug.