Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?

Joseph Tam jtam.home at gmail.com
Fri Sep 26 00:59:29 UTC 2014


I'm right now handling this beach-ball sized grenade, and trying to
figure out which of our services need to be locked down right away.

Since dovecot passes values via environment variables based on
user input (e.g. username, password, mailbox?) to auxilliary
executables (including possibly bash shell scripts), is dovecot
vulnerable to this exploit?

(This is not a fault of dovecot, but rather bash's inadequate handling
of environment variables.)

For example, injection of this sort

 	1 LOGIN (){x;}exploit-code whatever

I guess auth_username_chars would mitigate this particular attempt (assuming
it can work), but other values such as mailbox names could also be injected
post authentication.

Can someone with working knowlegde of dovecot's internals confirm/deny whether
this is a something that needs to be addressed?

Joseph Tam <jtam.home at gmail.com>


More information about the dovecot mailing list