Red Hat Bugzilla – Bug 746266
CVE-2009-3897 dovecot: Insecure permissions set for certain directories at installation time
Last modified: 2015-03-09 05:10:21 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3897 to the following vulnerability: Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3897 [2] http://www.dovecot.org/list/dovecot-news/2009-November/000143.html [3] http://marc.info/?l=oss-security&m=125871729029145&w=2 [4] http://marc.info/?l=oss-security&m=125881481222441&w=2 [5] http://marc.info/?l=oss-security&m=125900271508796&w=2 [6] http://marc.info/?l=oss-security&m=125900267208712&w=2 [7] http://www.mandriva.com/security/advisories?name=MDVSA-2009:306 [8] http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html [9] http://www.securityfocus.com/bid/37084 [10] http://www.osvdb.org/60316 [11] http://secunia.com/advisories/37443 [12] http://www.vupen.com/english/advisories/2009/3306 [13] http://xforce.iss.net/xforce/xfdb/54363 [14] http://www.gentoo.org/security/en/glsa/glsa-201110-04.xml [15] http://packetstormsecurity.org/files/view/105775/sa46363.txt
Upstream patch: http://hg.dovecot.org/dovecot-1.2/rev/3ebbccdc05e6
rhel-5 uses dovecot-1.0, here is the relevant code snippet: ============================================================ 803 if (mkdir_parents(set->base_dir, 0777) < 0 && errno != EEXIST) { 804 i_error("mkdir(%s) failed: %m", set->base_dir); 805 return FALSE; 806 } ... 812 if ((st.st_mode & 0310) != 0310 || (st.st_mode & 0777) == 0777) { ... 822 if (chmod(set->base_dir, 0755) < 0) 823 i_error("chmod(%s) failed: %m", set->base_dir); 824 } 825 Here the base_dir is created with 0777 and then the permission is later changed to 0755 rhel-6 used dovecot-2.0, here: ============================== 671 if (mkdir_parents(set->base_dir, 0755) < 0 && errno != EEXIST) { 672 i_error("mkdir(%s) failed: %m", set->base_dir); 673 return FALSE; 674 } ... 684 if ((st.st_mode & 0755) != 0755) { 685 i_warning("Fixing permissions of %s to be world-readable", 686 set->base_dir); 687 if (chmod(set->base_dir, 0755) < 0) 688 i_error("chmod(%s) failed: %m", set->base_dir); 689 } and therefore is not affected by this issue
Statement: This issue did not affect the version of dovecot shipped with Red Hat Enterprise Linux 6.