[sisyphus] I: security problem in managesieved in dovecot1.2-v1.2-alt1_alpha3
=?iso-8859-1?q?seriv_=CE=C1_parkheights=2Edyndns=2Eorg?=
=?iso-8859-1?q?seriv_=CE=C1_parkheights=2Edyndns=2Eorg?=
Вт Ноя 18 20:03:09 MSK 2008
Всем привет!
В dovecot-1.2-v1.2-alt1_alpha3 в managesieve - проблема с безопасностью для виртуальных пользователей.
Хитрый виртуальный пользователь используя последовательность '../' в имени sieve фильтра может читать и модифицировать фильтры других виртуальных пользователей. Например, незаметно для них пересылая их почту недоброжелателям.
Отправленный мною вчера в incoming пакет dovecot1.2-v1.2-alt2_alpha3 содержал ошибку, в результате которой managesive в нём неработоспособен.
Сегодня эта ошибка исправлена и в incoming направлен пакет dovecot1.2-v1.2-alt3_alpha3, до которого всем и предлагается обновиться.
--
Сергей
Fwd: [Dovecot] ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)
----- "Stephan Bosch" <stephan на rename-it.nl> wrote:
> Hello,
>
> While updating the ManageSieve implementation to the latest draft
> specification I noticed a major omission in the way script names are
> handled. Essentially, script names are directly appended to the sieve
>
> storage directory path and suffixed with '.sieve'. This does not take
>
> the use of '../' in script names into account. Therefore, clever
> virtual
> users that know the directory structure of the server can read and
> edit
> script files of other virtual users with the same system uid. The
> added
> '.sieve' suffix prevents further security breach, because only sieve
> scripts are accessible this way. Note that of course any publicly
> accessible sieve script is also affected.
>
> I am sorry to report that this bug was introduced pretty much from the
>
> start, meaning that all versions of the ManageSieve patch/package are
>
> affected.
>
> To quickly resolve this issue, I provide patches against the existing
>
> releases and I release new versions for Dovecot v1.1 through v1.2. The
>
> security patches against the existing releases are very small and
> should
> therefore also apply to older versions or can be adjusted to apply
> cleanly with relative ease.
>
> The security patches are available as follows:
>
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch.sig
>
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch.sig
>
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch.sig
>
> The security patch for v1.0 is applied against the patched Dovecot
> tree,
> while patches for v1.1 and v1.2 are applied against the ManageSieve
> package.
>
> The new releases are available as follows (v1.1 and v1.2 versions have
>
> additional changes, read the NEWS files for more info):
>
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz.sig
>
>
>
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz.sig
>
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz.sig
>
> Refreshed ManageSieve patches for v1.1 and v1.2 are available to avoid
>
> confusion, but an existing patched Dovecot should work fine.
>
> I hope package maintainers will quickly incorporate the security
> patches
> to get rid of this stupidity as soon as possible.
>
> Don't hesitate to notify me when there are problems!
>
> Regards,
>
> --
> Stephan Bosch
> stephan на rename-it.nl
Подробная информация о списке рассылки Sisyphus