A recently found security hole in Cyrus Sieve exists also in Dovecot, because Dovecot's Sieve plugin is based on libsieve from Cyrus project. I also found and fixed a few additional buffer overflows that I can't really understand why I hadn't noticed/fixed before.
This security hole affects all installations that give their users any kind of ability to modify their Sieve scripts. Even if you give only limited access it might be enough for an attacker. For example forwarding a user's mails to about 100 addresses should do the trick.
Since these are buffer overflows for variables in stack, they're very likely exploitable and allow attackers to execute arbitrary code as the user.
Note that this security hole doesn't exist in Stephan Bosch's excellent new Sieve plugin for Dovecot v1.2. I encourage everyone to switch to using it as soon as possible. Who knows what other holes still lurk in libsieve.
The bugs are fixed in v1.1.7 release for Dovecot v1.1+:
http://dovecot.org/releases/sieve/dovecot-sieve-1.1.7.tar.gz http://dovecot.org/releases/sieve/dovecot-sieve-1.1.7.tar.gz.sig
and in v1.0.4 release for Dovecot v1.0:
http://dovecot.org/releases/sieve/dovecot-sieve-1.0.4.tar.gz http://dovecot.org/releases/sieve/dovecot-sieve-1.0.4.tar.gz.sig
You can also get them as a patch:
http://hg.dovecot.org/dovecot-sieve-1.1/rev/049f22520628 http://hg.dovecot.org/dovecot-sieve-1.1/rev/4577c4e1130d