Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?
Stephan Bosch
stephan at rename-it.nl
Fri Sep 26 08:26:23 UTC 2014
On 9/26/2014 6:29 AM, Philipp wrote:
> Am 26.09.2014 02:59 schrieb Joseph Tam:
>> Since dovecot passes values via environment variables based on
>> user input (e.g. username, password, mailbox?) to auxilliary
>> executables (including possibly bash shell scripts), is dovecot
>> vulnerable to this exploit?
>
> Given this article about how e.g. PHP could be vulnerable via
> popen/system:
> http://lcamtuf.blogspot.de/2014/09/quick-notes-about-bash-bug-its-impact.html
>
> I can only think about sieve now, when it constructs mail and pipes
> that to sendmail_path,
> but I would be surprised if this is using user-input (e.g. script) in
> environment variables.
I don't see much of an attack vector there either. However, there are
some people that have wrapped /usr/sbin/sendmail in a shell script to
achieve some sort of custom messaging behavior. Those would be vulnerable.
Another possibility for trouble would be systems using the Pigeonhole
extprograms plugin with shell scripts.
Other than that, Pigeonhole doesn't invoke other executables while
executing a Sieve script.
Regards,
Stephan.
More information about the dovecot
mailing list