[Dovecot] Security Hole in 1.0.13?
Timo Sirainen
tss at iki.fi
Sun May 18 14:07:17 EEST 2008
On Sun, 2008-05-18 at 12:45 +0200, Matthias Andree wrote:
> On Sun, 18 May 2008, Timo Sirainen wrote:
>
> > > passdb vpopmail {
> > > #args =
> > > }
> >
> > vpopmail would be one possibility, I have some doubts about its
> > security.
>
> Can you detail the spots you deem could take some more observation or
> investigation?
I haven't looked at its code for several years now, but when I was
implementing support for it the code didn't look all that secure. For
example I had to add a workaround to Dovecot to make it work at all,
because parse_email() didn't correctly NUL-terminate the output string:
/* vpop_user must be zero-filled or parse_email() leaves an
extra character after the user name. we'll fill vpop_domain
as well just to be sure... */
memset(vpop_user, '\0', VPOPMAIL_LIMIT);
memset(vpop_domain, '\0', VPOPMAIL_LIMIT);
if (parse_email(request->user, vpop_user, vpop_domain,
VPOPMAIL_LIMIT-1) < 0) {
Also a quick look at its sources again shows that it uses strncpy() and
strncat() wrong pretty much everywhere. Especially the strncat() calls
are no better at protecting against buffer overflows than strcat().. But
I don't know if any of these are actually exploitable. Probably not.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20080518/7fdbd14d/attachment.bin
More information about the dovecot
mailing list