Bug 467437 - CVE-2008-4578 dovecot: bypass of the 'k' right in the ACL plugin
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: reported=20081007,public=20081005,sou...
Keywords: Security
Reported: 2008-10-17 10:16 EDT by Tomas Hoger
Modified: 2008-10-24 14:49 EDT (History)
Last Closed: 2008-10-24 14:49:00 EDT
Description Tomas Hoger 2008-10-17 10:16:13 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4578 to the following vulnerability:

The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass
intended access restrictions by using the "k" right to create
unauthorized "parent/child/child" mailboxes.

Upstream patch:
http://hg.dovecot.org/dovecot-1.1/rev/d2657188377b

References:
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
http://bugs.gentoo.org/show_bug.cgi?id=240409
http://www.securityfocus.com/bid/31587
http://www.frsirt.com/english/advisories/2008/2745
http://secunia.com/advisories/32164
Comment 2 Tomas Hoger 2008-10-21 08:55:43 EDT
This issue does not affect the Dovecot version as shipped with Red Hat Enterprise Linux 4, as it does not include the ACL plugin at all.

This issue affects the Dovecot version as shipped in Red Hat Enterprise Linux 5. However, this does not affect the mailbox format used by default -- mbox -- as with this format it is not possible to create child mailboxes (http://wiki.dovecot.org/MailboxFormat/mbox). However, it does affect other, non-default mailbox formats, such as Maildir.

This is a low impact issue, as it only allows (in certain configurations) IMAP users to create child mailboxes where they should not be allowed to do so.
Comment 3 Tomas Hoger 2008-10-21 08:57:06 EDT
Original report of this problem on the Dovecot mailing list:

http://dovecot.org/list/dovecot/2008-September/033450.html
Comment 4 Josh Bressers 2008-10-24 14:49:00 EDT
The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 5.
