Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?

Philipp e1c1bac6253dc54a1e89ddc046585792 at posteo.net
Fri Sep 26 04:29:20 UTC 2014


On 26.09.2014 02:59, Joseph Tam wrote:
> Since dovecot passes values via environment variables based on
> user input (e.g. username, password, mailbox?) to auxiliary
> executables (including possibly bash shell scripts), is dovecot
> vulnerable to this exploit?

Given this article about how e.g. PHP could be vulnerable via popen/system:
http://lcamtuf.blogspot.de/2014/09/quick-notes-about-bash-bug-its-impact.html
I can only think about sieve now, when it constructs mail and pipes that
to sendmail_path, but I would be surprised if this is using user-input
(e.g. script) in environment variables.

I was skimming through Roundcube and didn't find something 'fishy' so far,
but that doesn't mean there is nothing ;-).
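
An added example, not part of the original post and not Dovecot code: one defensive measure for a daemon that hands user-derived values to helper programs through the environment is to drop any entry whose value starts with `() {`, the prefix that bash versions affected by CVE-2014-6271 parse as a function definition. The variable names and values below are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if an environment value begins with "() {", the prefix that
 * affected bash versions treat as an exported function definition. */
int looks_like_bash_funcdef(const char *value)
{
    return value != NULL && strncmp(value, "() {", 4) == 0;
}

/* Copies NAME=value entries from the NULL-terminated array `in` to `out`,
 * skipping entries whose value looks like a function definition.
 * `cap` is the number of pointers `out` can hold, including the final NULL.
 * Returns the number of entries dropped, or -1 if `out` is too small. */
int scrub_env(char *const in[], char *out[], size_t cap)
{
    size_t kept = 0;
    int dropped = 0;

    if (cap == 0)
        return -1;
    for (size_t i = 0; in[i] != NULL; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq != NULL && looks_like_bash_funcdef(eq + 1)) {
            dropped++;              /* never reaches the child process */
            continue;
        }
        if (kept + 1 >= cap)        /* keep one slot for the NULL */
            return -1;
        out[kept++] = in[i];
    }
    out[kept] = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment; names are hypothetical. */
    char *env[] = { "USER=alice", "MAILBOX=() { :;}; trailing-text",
                    "HOME=/home/alice", NULL };
    char *clean[4];
    int dropped = scrub_env(env, clean, 4);

    printf("dropped %d entr%s\n", dropped, dropped == 1 ? "y" : "ies");
    for (size_t i = 0; clean[i] != NULL; i++)
        printf("kept: %s\n", clean[i]);
    /* `clean` is what would be passed as envp to execve() for the helper. */
    return 0;
}
```

Filtering like this only reduces exposure in the calling daemon; it does not replace updating bash itself.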

