Bug 746266 (CVE-2009-3897) - CVE-2009-3897 dovecot: Insecure permissions set for certain directories at installation time
Summary: CVE-2009-3897 dovecot: Insecure permissions set for certain directories at in...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2009-3897
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 746273
Reported: 2011-10-14 15:07 UTC by Jan Lieskovsky
Modified: 2021-02-24 14:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-03-06 12:03:54 UTC
Embargoed:



Comment 1 Huzaifa S. Sidhpurwala 2011-10-17 09:23:26 UTC
Upstream patch:

http://hg.dovecot.org/dovecot-1.2/rev/3ebbccdc05e6

Comment 2 Huzaifa S. Sidhpurwala 2011-10-17 09:27:18 UTC
rhel-5 uses dovecot-1.0, here is the relevant code snippet:
============================================================

    if (mkdir_parents(set->base_dir, 0777) < 0 && errno != EEXIST) {
        i_error("mkdir(%s) failed: %m", set->base_dir);
        return FALSE;
    }

...

    if ((st.st_mode & 0310) != 0310 || (st.st_mode & 0777) == 0777) {

...
        if (chmod(set->base_dir, 0755) < 0)
            i_error("chmod(%s) failed: %m", set->base_dir);
    }


Here the base_dir is created with 0777 and then the permission is later changed to 0755.

rhel-6 uses dovecot-2.0, here:
==============================
    if (mkdir_parents(set->base_dir, 0755) < 0 && errno != EEXIST) {
        i_error("mkdir(%s) failed: %m", set->base_dir);
        return FALSE;
    }

...

    if ((st.st_mode & 0755) != 0755) {
        i_warning("Fixing permissions of %s to be world-readable",
                  set->base_dir);
        if (chmod(set->base_dir, 0755) < 0)
            i_error("chmod(%s) failed: %m", set->base_dir);
    }

and therefore is not affected by this issue.
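
The dovecot-1.0 sequence quoted in comment 2, reproduced as an added example that is not dovecot's code and not part of this bug: a simplified stand-in for mkdir_parents() creates a two-level path under a private mkdtemp() directory with the requested mode, the quoted fixup then chmods only base_dir, and the mode bits of the intermediate directory and of base_dir are read back. The umask is set to 0 for the duration because a permissive umask is the precondition for the problem (with 022 the kernel would mask 0777 down to 0755 on its own). With a create mode of 0777 the intermediate directory is left 0777, i.e. world-writable, while base_dir is fixed to 0755; with 0755, as in dovecot-2.0, both levels end up 0755. The mkdir_parents() implementation, the /tmp paths and the umask(0) are assumptions of the example.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Simplified stand-in for dovecot's mkdir_parents() (assumption: not the
 * project's code). Creates every missing component of `path` with `mode`
 * and returns the result of the final mkdir(), so EEXIST if the leaf exists. */
static int mkdir_parents(const char *path, mode_t mode)
{
    char buf[4096];
    size_t len = strlen(path);

    if (len == 0 || len >= sizeof buf) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(buf, path, len + 1);
    for (char *p = buf + 1; *p != '\0'; p++) {
        if (*p != '/')
            continue;
        *p = '\0';
        if (mkdir(buf, mode) < 0 && errno != EEXIST)
            return -1;
        *p = '/';
    }
    return mkdir(buf, mode);
}

/* The dovecot-1.0 sequence quoted above: create the chain with `create_mode`,
 * then apply the same check and fixup to base_dir only. The intermediate
 * directories are never revisited. */
static int create_base_dir(const char *base_dir, mode_t create_mode)
{
    struct stat st;

    if (mkdir_parents(base_dir, create_mode) < 0 && errno != EEXIST)
        return -1;
    if (stat(base_dir, &st) < 0)
        return -1;
    if ((st.st_mode & 0310) != 0310 || (st.st_mode & 0777) == 0777) {
        if (chmod(base_dir, 0755) < 0)
            return -1;
    }
    return 0;
}

/* Permission bits of `path`, or -1 on error. */
static int mode_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (int)(st.st_mode & 0777);
}

/* Run one scenario in a fresh private tree <root>/run/dovecot, where
 * <root>/run is the intermediate directory mkdir_parents() has to create.
 * The mkdtemp() root is 0700, so nothing created here is reachable by other
 * users. Returns the permission bits of the intermediate directory
 * (which == 0) or of base_dir (which == 1), or -1 on error. */
static int mode_after(mode_t create_mode, int which)
{
    char root[] = "/tmp/cve-2009-3897-XXXXXX";   /* constructed path */
    char parent[4096], leaf[4096];
    int result = -1;

    if (mkdtemp(root) == NULL)
        return -1;
    snprintf(parent, sizeof parent, "%s/run", root);
    snprintf(leaf, sizeof leaf, "%s/run/dovecot", root);

    mode_t old = umask(0);               /* expose the create mode unmasked */
    if (create_base_dir(leaf, create_mode) == 0)
        result = mode_bits(which == 0 ? parent : leaf);
    umask(old);

    rmdir(leaf);
    rmdir(parent);
    rmdir(root);
    return result;
}

static int parent_mode_after(mode_t create_mode) { return mode_after(create_mode, 0); }
static int leaf_mode_after(mode_t create_mode)   { return mode_after(create_mode, 1); }

int main(void)
{
    printf("create with 0777: intermediate %04o, base_dir %04o\n",
           parent_mode_after(0777), leaf_mode_after(0777));
    printf("create with 0755: intermediate %04o, base_dir %04o\n",
           parent_mode_after(0755), leaf_mode_after(0755));
    return 0;
}
```

The fixup in create_base_dir() can only ever repair base_dir itself; whatever mode the intermediate directories were created with is what they keep, so the create mode passed to mkdir_parents() is the thing that matters.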

Comment 4 Huzaifa S. Sidhpurwala 2011-10-17 09:43:43 UTC
Statement:

This issue did not affect the version of dovecot shipped with Red Hat Enterprise Linux 6.

