[Dovecot-news] ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)
Stephan Bosch
stephan at rename-it.nl
Mon Nov 17 21:45:33 EET 2008
Hello,

While updating the ManageSieve implementation to the latest draft
specification I noticed a major omission in the way script names are
handled. Essentially, script names are appended directly to the sieve
storage directory path and suffixed with '.sieve'. No check is made for
'../' in the script name, so it is used as a relative path. Therefore,
clever virtual users that know the directory structure of the server
can read and edit script files of other virtual users that share the
same system uid. The added '.sieve' suffix prevents a wider breach,
because only sieve scripts are reachable this way. Note that of course
any publicly accessible sieve script is also affected.

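The flaw described above, shown as an added illustration (this is not the
ManageSieve source, which is written in C and is not reproduced in this
message): a naive path builder that mirrors the described behaviour next
to a hardened variant that validates the script name and then confirms
that the final, normalized path still lies inside the storage directory.
The storage directory, user names and script names below are constructed
example values and do not reflect Dovecot's real layout.

```python
import posixpath

# Constructed example layout: per-user sieve storage directories under one
# parent directory (hypothetical path, not Dovecot's actual default).
STORAGE_DIR = "/var/sieve/users/alice"
SUFFIX = ".sieve"


def naive_script_path(storage_dir, name):
    """Mirror the flaw from the advisory: the name is glued onto the
    storage path and '.sieve' is appended, with no validation at all."""
    return storage_dir + "/" + name + SUFFIX


def escapes_storage(storage_dir, path):
    """Return True if the normalized path lies outside storage_dir.
    Used here to show where a naive path actually resolves to."""
    base = posixpath.normpath(storage_dir)
    resolved = posixpath.normpath(path)
    return posixpath.commonpath([base, resolved]) != base


def is_valid_script_name(name):
    """Allow-list style check for a script name: no empty or overlong
    names, no path separators, no '.' or '..' components, no NUL bytes
    (a NUL would truncate a C string before the suffix is appended) and
    no control characters."""
    if not name or len(name) > 255:
        return False
    if "\0" in name or "/" in name or "\\" in name:
        return False
    if name in (".", ".."):
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False
    return True


def safe_script_path(storage_dir, name):
    """Hardened variant: validate the name, build the path, then verify
    that the normalized result is still inside the storage directory
    (defence in depth in case the name validation is ever weakened)."""
    if not is_valid_script_name(name):
        raise ValueError("invalid script name: %r" % name)
    base = posixpath.normpath(storage_dir)
    path = posixpath.normpath(posixpath.join(base, name + SUFFIX))
    if posixpath.commonpath([base, path]) != base:
        raise ValueError("script path escapes storage: %r" % path)
    return path


if __name__ == "__main__":
    traversal = "../bob/vacation"  # constructed hostile script name
    p = naive_script_path(STORAGE_DIR, traversal)
    print("naive:", p, "-> outside storage?", escapes_storage(STORAGE_DIR, p))
    print("safe :", safe_script_path(STORAGE_DIR, "vacation"))
    try:
        safe_script_path(STORAGE_DIR, traversal)
    except ValueError as err:
        print("rejected:", err)
```

The containment check after normalization is deliberately kept even
though is_valid_script_name() already rejects separators: a single
allow-list check is easy to loosen later, and the second check fails
closed if that ever happens.
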
I am sorry to report that this bug was introduced pretty much from the
start, meaning that all versions of the ManageSieve patch/package are
affected.

To quickly resolve this issue, I provide patches against the existing
releases and I release new versions for Dovecot v1.1 through v1.2. The
security patches against the existing releases are very small and should
therefore also apply to older versions or can be adjusted to apply
cleanly with relative ease.

The security patches are available as follows:

http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch
http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch.sig
http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch
http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch.sig
http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch
http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch.sig

The security patch for v1.0 is applied against the patched Dovecot tree,
while the patches for v1.1 and v1.2 are applied against the ManageSieve
package.

The new releases are available as follows (the v1.1 and v1.2 versions
have additional changes, read the NEWS files for more info):

http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz
http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz.sig
http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz
http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz.sig
http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz
http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz.sig

Refreshed ManageSieve patches for v1.1 and v1.2 are available to avoid
confusion, but an existing patched Dovecot should work fine.

I hope package maintainers will quickly incorporate the security patches
to get rid of this stupidity as soon as possible.

Don't hesitate to notify me when there are problems!

Regards,

--
Stephan Bosch
stephan at rename-it.nl