[Sysadmins] I: security problem in managesieved in dovecot1.2-v1.2-alt1_alpha3

=?iso-8859-1?q?seriv_=CE=C1_parkheights=2Edyndns=2Eorg?= =?iso-8859-1?q?seriv_=CE=C1_parkheights=2Edyndns=2Eorg?=
Вт Ноя 18 20:03:09 MSK 2008


Всем привет!
В dovecot-1.2-v1.2-alt1_alpha3 в managesieve - проблема с безопасностью для виртуальных пользователей. 
Хитрый виртуальный пользователь используя последовательность '../' в имени sieve фильтра может читать и модифицировать фильтры других виртуальных пользователей. Например, незаметно для них пересылая их почту недоброжелателям.

Отправленный мною вчера в incoming пакет dovecot1.2-v1.2-alt2_alpha3 содержал ошибку, в результате которой managesive в нём неработоспособен.
Сегодня эта ошибка исправлена и в incoming направлен пакет dovecot1.2-v1.2-alt3_alpha3, до которого всем и предлагается обновиться.
--
  Сергей


Fwd: [Dovecot] ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)
----- "Stephan Bosch" <stephan на rename-it.nl> wrote:

> Hello,
> 
> While updating the ManageSieve implementation to the latest draft 
> specification I noticed a major omission in the way script names are 
> handled. Essentially, script names are directly appended to the sieve
> 
> storage directory path and suffixed with '.sieve'. This does not take
> 
> the use of '../' in script names into account. Therefore, clever
> virtual 
> users that know the directory structure of the server can read and
> edit 
> script files of other virtual users with the same system uid. The
> added 
> '.sieve' suffix prevents further security breach, because only sieve 
> scripts are accessible this way. Note that of course any publicly 
> accessible sieve script is also affected.
> 
> I am sorry to report that this bug was introduced pretty much from the
> 
> start, meaning that all versions of the ManageSieve patch/package are
> 
> affected.
> 
> To quickly resolve this issue, I provide patches against the existing
> 
> releases and I release new versions for Dovecot v1.1 through v1.2. The
> 
> security patches against the existing releases are very small and
> should 
> therefore also apply to older versions or can be adjusted to apply 
> cleanly with relative ease.
> 
> The security patches are available as follows:
> 
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch.sig
> 
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch.sig
> 
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch.sig
> 
> The security patch for v1.0 is applied against the patched Dovecot
> tree, 
> while patches for v1.1 and v1.2 are applied against the ManageSieve 
> package.
> 
> The new releases are available as follows (v1.1 and v1.2 versions have
> 
> additional changes, read the NEWS files for more info):
> 
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz.sig
> 
> 
> 
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz.sig
> 
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz.sig
> 
> Refreshed ManageSieve patches for v1.1 and v1.2 are available to avoid
> 
> confusion, but an existing patched Dovecot should work fine.
> 
> I hope package maintainers will quickly incorporate the security
> patches 
> to get rid of this stupidity as soon as possible.
> 
> Don't hesitate to notify me when there are problems!
> 
> Regards,
> 
> -- 
> Stephan Bosch
> stephan на rename-it.nl


Подробная информация о списке рассылки Sysadmins