Bug 467436 - CVE-2008-4577 dovecot: incorrect handling of negative rights in the ACL plugin
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: reported=20081007,public=20081005,sou...
Keywords: Security
Depends On: 469015
Reported: 2008-10-17 10:05 EDT by Tomas Hoger
Modified: 2016-03-01 04:27 EST (History)

Doc Type: Bug Fix
Last Closed: 2011-09-30 16:48:23 EDT
Description Tomas Hoger 2008-10-17 10:05:46 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4577 to the following vulnerability:

The ACL plugin in Dovecot before 1.1.4 treats negative access rights
as if they are positive access rights, which allows attackers to
bypass intended access restrictions.

Upstream patch:
http://hg.dovecot.org/dovecot-1.1/rev/aac3b42f3f8a

References:
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
http://bugs.gentoo.org/show_bug.cgi?id=240409
http://www.securityfocus.com/bid/31587
http://www.frsirt.com/english/advisories/2008/2745
http://secunia.com/advisories/32164
Comment 3 Tomas Hoger 2008-10-21 08:47:58 EDT
This issue does not affect the Dovecot version as shipped with Red Hat Enterprise Linux 4, as it does not include the ACL plugin at all.

This issue affects the Dovecot version as shipped in Red Hat Enterprise Linux 5.  This flaw can possibly allow IMAP users to bypass intended access restrictions; however, as negative ACLs do not seem to be documented in the upstream documentation (http://wiki.dovecot.org/ACL), they are not very likely to be used and can easily be worked around by being replaced with positive ACLs.  Therefore, this will be treated as a low-impact security issue.
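The following is an added illustration written for this page; it is not Dovecot's code and not the patch referenced above. It models how an ACL backend should combine positive and negative entries (union the grants, then subtract the denials), beside a switch that reproduces the flaw class described in the CVE text (a negative entry merged as if it were positive), and includes an audit helper that lists negative entries so an administrator can apply the workaround from the comment above (replace them with positive ACLs). The ACL line syntax, the `-` prefix for negative identifiers, the identifier forms (`anyone`, `authenticated`, `user=`, `group=`), the sample ACL and all function names are assumptions made for the example.

```python
"""Model of ACL evaluation with negative rights (illustrative, not Dovecot's code).

Assumed line syntax: '<identifier> <rights>', where an identifier prefixed
with '-' denies the listed rights instead of granting them, for example
'user=alice lrw' grants and '-user=alice w' denies. Rights are single letters
and are treated as opaque here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    identifier: str      # e.g. "user=alice", "group=staff", "anyone"
    rights: frozenset    # set of single-letter rights, e.g. {"l", "r", "w"}
    negative: bool       # True when the identifier carried a '-' prefix


def parse_acl(text):
    """Parse ACL lines into entries; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        ident = parts[0]
        rights = parts[1].strip() if len(parts) > 1 else ""
        negative = ident.startswith("-")
        if negative:
            ident = ident[1:]
        entries.append(AclEntry(ident, frozenset(rights), negative))
    return entries


def matches(identifier, user, groups):
    """Decide whether an ACL identifier applies to the given user/groups (assumed forms)."""
    if identifier == "anyone":
        return True
    if identifier == "authenticated":
        return user is not None
    if identifier.startswith("user="):
        return identifier[len("user="):] == user
    if identifier.startswith("group="):
        return identifier[len("group="):] in groups
    return False


def effective_rights(entries, user, groups=(), honour_negatives=True):
    """Return the rights a user ends up with.

    Correct behaviour: rights from positive entries are unioned, then rights
    from negative entries are removed. With honour_negatives=False the model
    reproduces the flaw class from the CVE text: a negative entry is merged
    into the grants as if it were positive, so the deny never takes effect.
    """
    granted, denied = set(), set()
    for entry in entries:
        if not matches(entry.identifier, user, groups):
            continue
        if entry.negative and honour_negatives:
            denied |= entry.rights
        else:
            granted |= entry.rights
    return frozenset(granted - denied)


def negative_entries(entries):
    """Audit helper: list negative entries, i.e. the ones an administrator would
    replace with positive ACLs to avoid depending on negative-right handling."""
    return [entry for entry in entries if entry.negative]


# Constructed sample ACL for the demonstration; not from any real deployment.
SAMPLE_ACL = """
# staff may read and write, but alice is specifically denied write
anyone lr
group=staff lrw
-user=alice w
"""


if __name__ == "__main__":
    entries = parse_acl(SAMPLE_ACL)
    print("correct :", sorted(effective_rights(entries, "alice", {"staff"})))
    print("flawed  :", sorted(effective_rights(entries, "alice", {"staff"},
                                               honour_negatives=False)))
    for entry in negative_entries(entries):
        print("negative entry to replace:", entry.identifier, sorted(entry.rights))
```

Run stand-alone, the correct evaluation leaves alice with `l` and `r` only, while the flawed mode hands her `w` as well, which is the access-restriction bypass the CVE text describes; the audit helper flags the `-user=alice` line as the entry to rewrite with positive grants.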
Comment 4 Tomas Hoger 2008-10-21 08:59:04 EDT
Public report on the Dovecot mailing list:

http://dovecot.org/list/dovecot/2008-September/033475.html
Comment 5 Fedora Update System 2008-10-29 05:01:13 EDT
dovecot-1.0.15-14.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/dovecot-1.0.15-14.fc9
Comment 6 Fedora Update System 2008-10-29 05:02:34 EDT
dovecot-1.0.15-14.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/dovecot-1.0.15-14.fc8
Comment 8 Fedora Update System 2008-10-30 08:49:02 EDT
dovecot-1.0.15-14.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-10-30 08:51:53 EDT
dovecot-1.0.15-14.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Kurt Seifried 2011-09-30 16:48:23 EDT
This issue has been addressed in the following products:

  RHEL Desktop Workstation (v. 5 client)
  Red Hat Enterprise Linux (v. 5 server)
  
Via RHSA-2009:0205 available at https://rhn.redhat.com/errata/RHSA-2009-0205.html