640401 – (CVE-2010-3706) CVE-2010-3706 Dovecot: Failed to update ACL cache for mailboxes stored in private namespace

Bug 640401 (CVE-2010-3706) - CVE-2010-3706 Dovecot: Failed to update ACL cache for mailboxes stored in private namespace

Summary: CVE-2010-3706 Dovecot: Failed to update ACL cache for mailboxes stored in pri...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2010-3706
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-10-05 18:24 UTC by Jan Lieskovsky
Modified:	2021-02-24 22:16 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-10 10:57:19 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2010-10-05 18:24:35 UTC

A security flaw was found in the way Dovecot IMAP server
updated own Access Control List (ACL) cache for rules
specifying user rights on mailboxes stored in the private
namespace of the particular user. A local attacker could
use this flaw to prevent the mailbox administrator to restrict
the ACL rule via a symlink attack on the shared mailbox.

References:
[1] http://www.dovecot.org/list/dovecot/2010-October/053450.html
[2] http://www.dovecot.org/list/dovecot/2010-October/053452.html
[3] http://wiki.dovecot.org/ACL

Comment 3 Huzaifa S. Sidhpurwala 2010-11-17 03:55:58 UTC

Statement:

Not vulnerable. This issue did not affect the versions of dovecot as
shipped with Red Hat Enterprise Linux 4, 5 or 6.

Note You need to log in before you can comment on or make changes to this bug.