Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1199 to the following vulnerability: Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack. References: http://www.securityfocus.com/archive/1/archive/1/489133/100/0/threaded http://www.dovecot.org/list/dovecot-news/2008-March/000061.html http://www.securityfocus.com/bid/28092 http://xforce.iss.net/xforce/xfdb/41009
Upstream patch referenced also in BugTraq post mentioned in initial comment: http://dovecot.org/patches/1.0/dovecot-1.0.10.mail_priv_groups.diff http://hg.dovecot.org/dovecot-1.0/rev/2c61c3cad1f1
Dovecot packages as shipped in Red Hat Enterprise Linux 4 and 5 and Fedora do not set mail_extra_groups by default. User mailboxes are created in /var/(spool/)mail/ directory by default. That directory is mail-group writable. Permissions on individual mailbox files may differ: - root mailbox is root:root 600 - user mailbox created by useradd is <user>:mail 660, hence mail group writable - on RHEL4, mailbox file is created by useradd by default - on RHEL5, mailbox file is not created by user add by default, but this may change in future updates of shadow-utils package (automatic mailbox creation can also be enabled by adding: CREATE_MAIL_SPOOL=yes to /etc/default/useradd file) - user mailbox created by procmail / postfix /... is <user>:mail 600 by default If mail_extra_groups option is set to mail, IMAP users who also have shell access can possibly read, modify or delete inbox files of other users, which are stored in /var/mail . Possible mitigations: - do not set mail_extra_groups to mail
dovecot-1.0.13-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
dovecot-1.0.13-18.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Giving this low, as this does not affect default or likely configuration and can easily be resolved by not setting mail as mail_extra_groups.
This issue was resolved for dovecot packages shipped in Red Hat Enterprise Linux 5 in the following errata: https://rhn.redhat.com/errata/RHSA-2008-0297.html As mentioned above, this issue did not affect default configuration of any dovecot version as shipped in Red Hat Enterprise Linux 4 and 5, and Fedora. The risks associated with fixing this bug in dovecot packages in Red Hat Enterprise Linux 4 are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 4.