[Dovecot] Security holes in CMU Sieve plugin

Timo Sirainen tss at iki.fi
Mon Sep 14 02:56:22 EEST 2009


A recently found security hole in Cyrus Sieve also exists in Dovecot,
because Dovecot's Sieve plugin is based on libsieve from the Cyrus project.
I also found and fixed a few additional buffer overflows that I can't
really understand why I hadn't noticed/fixed before.

This security hole affects all installations that give their users any
kind of ability to modify their Sieve scripts. Even if you give only
limited access it might be enough for an attacker. For example
forwarding a user's mails to about 100 addresses should do the trick.

Since these are buffer overflows for variables on the stack, they're very
likely exploitable and allow attackers to execute arbitrary code as the
user.

Note that this security hole doesn't exist in Stephan Bosch's excellent
new Sieve plugin for Dovecot v1.2. I encourage everyone to switch to
using it as soon as possible. Who knows what other holes still lurk in
libsieve.

The bugs are fixed in the v1.1.7 release for Dovecot v1.1+:

http://dovecot.org/releases/sieve/dovecot-sieve-1.1.7.tar.gz
http://dovecot.org/releases/sieve/dovecot-sieve-1.1.7.tar.gz.sig

and in the v1.0.4 release for Dovecot v1.0:

http://dovecot.org/releases/sieve/dovecot-sieve-1.0.4.tar.gz
http://dovecot.org/releases/sieve/dovecot-sieve-1.0.4.tar.gz.sig

You can also get them as a patch:

http://hg.dovecot.org/dovecot-sieve-1.1/rev/049f22520628
http://hg.dovecot.org/dovecot-sieve-1.1/rev/4577c4e1130d
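
The message above names scripts that forward mail to a large number of addresses as one example of sufficient access. As an added triage aid for admins who cannot upgrade immediately (not part of the original message or of Dovecot), this sketch counts real `redirect` actions in users' Sieve scripts while ignoring the word inside comments, strings, `text:` blocks and tags. The function names, the review threshold and the sample scripts are assumptions constructed for illustration; a low count says nothing about the other overflows mentioned.

```python
import re

# Sieve (RFC 5228) tokens that can contain the word "redirect" without being
# a redirect action: comments, strings, multi-line text: blocks and :tags.
_TOKEN = re.compile(
    r'''
    (?P<skip>
        \#[^\n]*                                   # hash comment
      | /\*.*?\*/                                  # bracketed comment
      | "(?:\\.|[^"\\])*"                          # quoted string
      | \btext:[ \t]*(?:\#[^\n]*)?\r?\n.*?^\.\r?$  # text: block up to lone "."
      | :[A-Za-z_][A-Za-z0-9_]*                    # tagged argument
    )
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)               # identifier / command name
    ''',
    re.VERBOSE | re.DOTALL | re.MULTILINE | re.IGNORECASE,
)

REVIEW_THRESHOLD = 50  # assumed triage cut-off, not a value from the advisory


def count_redirects(script: str) -> int:
    """Count redirect commands that appear as actual Sieve actions."""
    return sum(1 for m in _TOKEN.finditer(script)
               if m.group("word") and m.group("word").lower() == "redirect")


def flag_scripts(scripts: dict, threshold: int = REVIEW_THRESHOLD) -> list:
    """Return (owner, count) pairs at or above threshold, highest first."""
    hits = [(owner, count_redirects(body)) for owner, body in scripts.items()]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


# Constructed samples: an ordinary script with decoy uses of the word, and a
# script with many forwards followed by a multi-line string.
SAMPLES = {
    "alice": 'require "fileinto";\n# redirect "old@example.org";\n'
             'if header :contains "subject" "redirect" { fileinto "x"; }\n'
             'redirect "a@example.org";\n',
    "bob": 'require "vacation";\n'
           + "".join(f'redirect "u{i}@example.org";\n' for i in range(120))
           + 'vacation text:\nplease redirect mail\n.\n;\n',
}

if __name__ == "__main__":
    for owner, count in flag_scripts(SAMPLES):
        print(f"{owner}: {count} redirect actions, review this script")
```

In practice the dictionary would be filled by reading each user's script file; where those files live depends on the installation.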