Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4578 to the following vulnerability:

The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended access restrictions by using the "k" right to create unauthorized "parent/child/child" mailboxes.

Upstream patch: http://hg.dovecot.org/dovecot-1.1/rev/d2657188377b

References:
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
http://bugs.gentoo.org/show_bug.cgi?id=240409
http://www.securityfocus.com/bid/31587
http://www.frsirt.com/english/advisories/2008/2745
http://secunia.com/advisories/32164
This issue does not affect the Dovecot version as shipped with Red Hat Enterprise Linux 4, as it does not include the ACL plugin at all. This issue affects the Dovecot version as shipped in Red Hat Enterprise Linux 5. However, this does not affect the mailbox format used by default -- mbox -- as with this format, it's not possible to create child mailboxes (http://wiki.dovecot.org/MailboxFormat/mbox). However, this affects other non-default mailbox formats, such as Maildir. This is a low impact issue, as it only allows (in certain configurations) IMAP users to create child mailboxes where they should not be allowed to do so.
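The following is an added, simplified model of hierarchical mailbox ACLs, written here to illustrate the class of check the CVE description is about; it is not Dovecot's code and does not claim to reproduce the exact internals of the ACL plugin or of the upstream patch. It assumes a "parent/child" naming hierarchy with "/" as the separator, the RFC 4314 right letters (including "k" for create), and a constructed sample ACL table where the user holds "k" on "parent" but only "lr" on "parent/child". The weak variant evaluates "k" on the top-level ancestor only, which is enough to let "parent/child/child" be created; the strict variant requires the immediate parent to exist and to grant "k", which is the check a defender would want to see enforced.

```python
"""Constructed model of hierarchical IMAP mailbox ACLs (not Dovecot code).

Models the bug class of CVE-2008-4578: the create right ("k") being
evaluated against the wrong ancestor when a nested mailbox such as
"parent/child/child" is created.
"""
from dataclasses import dataclass, field

SEP = "/"  # assumed hierarchy separator


@dataclass
class MailboxTree:
    # mailbox name -> {user: set of RFC 4314 right letters}
    acls: dict = field(default_factory=dict)

    def exists(self, name: str) -> bool:
        return name in self.acls

    def has_right(self, user: str, mailbox: str, right: str) -> bool:
        return right in self.acls.get(mailbox, {}).get(user, set())

    @staticmethod
    def parent_of(name: str):
        head, _, _ = name.rpartition(SEP)
        return head or None

    def can_create_weak(self, user: str, name: str) -> bool:
        """Weak (constructed) check: only the top-level ancestor is consulted.

        Holding "k" on "parent" therefore also authorises
        "parent/child/child", regardless of the rights on "parent/child".
        """
        top = name.split(SEP)[0]
        return self.has_right(user, top, "k")

    def can_create_strict(self, user: str, name: str) -> bool:
        """Strict check: the immediate parent must exist and grant "k"."""
        parent = self.parent_of(name)
        if parent is None:
            # Top-level creation is governed by namespace policy, not by a
            # parent's ACL; this model denies it to keep the example focused.
            return False
        return self.exists(parent) and self.has_right(user, parent, "k")

    def audit_weak_vs_strict(self, user: str, names):
        """Return the names the weak check would allow but the strict one denies."""
        return [n for n in names
                if self.can_create_weak(user, n) and not self.can_create_strict(user, n)]


def sample_tree() -> MailboxTree:
    """Constructed sample: alice owns "parent" but is read-only on "parent/child"."""
    t = MailboxTree()
    t.acls["parent"] = {"alice": set("lrwstipekxa")}  # full rights, including "k"
    t.acls["parent/child"] = {"alice": set("lr")}      # lookup + read only, no "k"
    return t


if __name__ == "__main__":
    tree = sample_tree()
    for name in ("parent/child2", "parent/child/child", "parent/missing/sub"):
        print(name, "weak:", tree.can_create_weak("alice", name),
              "strict:", tree.can_create_strict("alice", name))
```

The audit helper is the part a practitioner can reuse: fed the list of mailbox names a client attempts to create, it reports exactly those that would slip through an ancestor-only check, which makes the gap between the two policies visible without any server involved.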
Original report of this problem on the Dovecot mailing list: http://dovecot.org/list/dovecot/2008-September/033450.html
The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 5.