While updating the ManageSieve implementation to the latest draft specification, I noticed a major omission in the way script names are handled. Essentially, script names are directly appended to the sieve storage directory path and suffixed with '.sieve'. This does not take the use of '../' in script names into account. Therefore, clever virtual users who know the directory structure of the server can read and edit script files of other virtual users with the same system uid. The added '.sieve' suffix prevents a further security breach, because only sieve scripts are accessible this way. Note that of course any publicly accessible sieve script is also affected.
I am sorry to report that this bug was introduced pretty much from the start, meaning that all versions of the ManageSieve patch/package are affected.
To quickly resolve this issue, I provide patches against the existing releases and I release new versions for Dovecot v1.1 through v1.2. The security patches against the existing releases are very small and should therefore also apply to older versions or can be adjusted to apply cleanly with relative ease.
The security patches are available as follows:
The security patch for v1.0 is applied against the patched Dovecot tree, while patches for v1.1 and v1.2 are applied against the ManageSieve package.
The new releases are available as follows (v1.1 and v1.2 versions have additional changes, read the NEWS files for more info):
Refreshed ManageSieve patches for v1.1 and v1.2 are available to avoid confusion, but an existing patched Dovecot should work fine.
I hope package maintainers will quickly incorporate the security patches to get rid of this stupidity as soon as possible.
Don't hesitate to notify me when there are problems!
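The path construction described in the first paragraph, next to a version that validates the script name first. This is an added example, not the ManageSieve code or the released patch; the function names, the directory layout and the exact validation policy (reject empty names, '/' and control characters) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Construction as the advisory describes it: storage dir + name + ".sieve",
 * with no check on the name. Returns 0 on success, -1 if out is too small. */
static int build_path_naive(char *out, size_t len, const char *dir, const char *name)
{
    int n = snprintf(out, len, "%s/%s.sieve", dir, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Assumed policy: a script name must be non-empty and must not contain a
 * path separator or control characters, so it can never leave the storage dir. */
static int script_name_is_safe(const char *name)
{
    const unsigned char *p;

    if (*name == '\0')
        return 0;
    for (p = (const unsigned char *)name; *p != '\0'; p++) {
        if (*p == '/' || *p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Validate first, then build. Returns -1 for a rejected name or short buffer. */
static int build_path_checked(char *out, size_t len, const char *dir, const char *name)
{
    if (!script_name_is_safe(name))
        return -1;
    return build_path_naive(out, len, dir, name);
}

int main(void)
{
    /* Constructed sample inputs; the directory layout is hypothetical. */
    const char *dir = "/srv/sieve/alice";
    const char *names[] = { "vacation", "../bob/vacation", "a/b" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        build_path_naive(path, sizeof(path), dir, names[i]);
        printf("naive:   %s\n", path);
        if (build_path_checked(path, sizeof(path), dir, names[i]) != 0)
            printf("checked: rejected \"%s\"\n", names[i]);
    }
    return 0;
}
```

Rejecting the name outright, rather than trying to strip '../' sequences from it, avoids having to reason about what the cleaned-up name resolves to.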