Bug 467436 (CVE-2008-4577) - CVE-2008-4577 dovecot: incorrect handling of negative rights in the ACL plugin
Summary: CVE-2008-4577 dovecot: incorrect handling of negative rights in the ACL plugin
Status: CLOSED ERRATA
Alias: CVE-2008-4577
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: reported=20081007,public=20081005,sou...
Keywords: Security
Depends On: 469015
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-10-17 14:05 UTC by Tomas Hoger
Modified: 2016-03-01 09:27 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-09-30 20:48:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0205 normal SHIPPED_LIVE Low: dovecot security and bug fix update 2009-01-20 16:06:11 UTC

Description Tomas Hoger 2008-10-17 14:05:46 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4577 to the following vulnerability:

The ACL plugin in Dovecot before 1.1.4 treats negative access rights
as if they are positive access rights, which allows attackers to
bypass intended access restrictions.

Upstream patch:
http://hg.dovecot.org/dovecot-1.1/rev/aac3b42f3f8a

References:
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
http://bugs.gentoo.org/show_bug.cgi?id=240409
http://www.securityfocus.com/bid/31587
http://www.frsirt.com/english/advisories/2008/2745
http://secunia.com/advisories/32164

Comment 3 Tomas Hoger 2008-10-21 12:47:58 UTC
This issue does not affect Dovecot version as shipped with Red Hat Enterprise Linux 4, as it does not include ACL plugin at all.

This issue affects Dovecot version as shipped in Red Hat Enterprise Linux 5.  This flaw can possibly allow IMAP users to bypass intended access restrictions, however as the negative ACLs do not seem to be documented in the upstream documentation (http://wiki.dovecot.org/ACL), they are not very likely to be used and can easily be worked-around by being replace with positive ACLs.  Therefore, this will be treated as low impact security issue.

Comment 4 Tomas Hoger 2008-10-21 12:59:04 UTC
Public report on the Dovecot mailinglist:

http://dovecot.org/list/dovecot/2008-September/033475.html

Comment 5 Fedora Update System 2008-10-29 09:01:13 UTC
dovecot-1.0.15-14.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/dovecot-1.0.15-14.fc9

Comment 6 Fedora Update System 2008-10-29 09:02:34 UTC
dovecot-1.0.15-14.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/dovecot-1.0.15-14.fc8

Comment 8 Fedora Update System 2008-10-30 12:49:02 UTC
dovecot-1.0.15-14.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-10-30 12:51:53 UTC
dovecot-1.0.15-14.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Kurt Seifried 2011-09-30 20:48:23 UTC
This issue has been addressed in following products:

  RHEL Desktop Workstation (v. 5 client)
  Red Hat Enterprise Linux (v. 5 server)
  
Via RHSA-2009:0205 available at https://rhn.redhat.com/errata/RHSA-2009-0205.html


Note You need to log in before you can comment on or make changes to this bug.