[Dovecot-news] ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)

[Stephan Bosch]

Hello,

While updating the ManageSieve implementation to the latest draft 
specification I noticed a major omission in the way script names are 
handled. Essentially, script names are directly appended to the sieve 
storage directory path and suffixed with '.sieve'. This does not take 
the use of '../' in script names into account. Therefore, clever virtual 
users that know the directory structure of the server can read and edit 
script files of other virtual users with the same system uid. The added 
'.sieve' suffix prevents further security breach, because only sieve 
scripts are accessible this way. Note that of course any publicly 
accessible sieve script is also affected.

I am sorry to report that this bug was introduced pretty much from the 
start, meaning that all versions of the ManageSieve patch/package are 
affected.

To quickly resolve this issue, I provide patches against the existing 
releases and I release new versions for Dovecot v1.1 through v1.2. The 
security patches against the existing releases are very small and should 
therefore also apply to older versions or can be adjusted to apply 
cleanly with relative ease.

The security patches are available as follows:

http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch
http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch.sig

http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch
http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch.sig

http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch
http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch.sig

The security patch for v1.0 is applied against the patched Dovecot tree, 
while patches for v1.1 and v1.2 are applied against the ManageSieve 
package.

The new releases are available as follows (v1.1 and v1.2 versions have 
additional changes, read the NEWS files for more info):

http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz
http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz.sig 


http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz
http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz.sig

http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz
http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz.sig

Refreshed ManageSieve patches for v1.1 and v1.2 are available to avoid 
confusion, but an existing patched Dovecot should work fine.

I hope package maintainers will quickly incorporate the security patches 
to get rid of this stupidity as soon as possible.

Don't hesitate to notify me when there are problems!

Regards,

-- 
Stephan Bosch
stephan at rename-it.nl