26 Sep 2014, 7:29 a.m.
On 26.09.2014 02:59, Joseph Tam wrote:
Since dovecot passes values via environment variables based on user input (e.g. username, password, mailbox?) to auxiliary executables (including possibly bash shell scripts), is dovecot vulnerable to this exploit?
Given this article about how e.g. PHP could be vulnerable via popen/system:
http://lcamtuf.blogspot.de/2014/09/quick-notes-about-bash-bug-its-impact.htm...
I can only think of sieve right now, when it constructs mail and pipes that to sendmail_path, but I would be surprised if this is using user input (e.g. script) in environment variables.
I was skimming through Roundcube and didn't find anything 'fishy' so far, but that doesn't mean there is nothing ;-).
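
A defensive sketch of the concern raised in this thread, added here as an example and not code from dovecot, its sieve implementation or Roundcube: a parent process builds the environment for a helper from an allowlist and refuses any value beginning with `() {`, the prefix that unpatched bash treats as an exported function definition. The variable names, the allowlist and the helper invocation are assumptions made for illustration.

```python
import subprocess

# Unpatched bash imports an environment value as a function definition
# when the value begins with these four characters.
FUNC_PREFIX = "() {"

# Hypothetical names a mail helper script might be given (assumption).
ALLOWED = {"USER", "HOME", "MAILBOX"}


def find_function_like(env):
    """Return the names whose value looks like an exported bash function.

    Leading whitespace is ignored, which is stricter than bash itself.
    """
    return sorted(k for k, v in env.items()
                  if v.lstrip().startswith(FUNC_PREFIX))


def build_child_env(user_values, base_path="/usr/bin:/bin"):
    """Build a minimal helper environment from user-derived values."""
    bad = find_function_like(user_values)
    if bad:
        raise ValueError("function-like value in: " + ", ".join(bad))
    env = {"PATH": base_path}  # fixed PATH, nothing inherited from the parent
    for name in sorted(ALLOWED):
        if name in user_values:
            value = user_values[name]
            if "\x00" in value or "\n" in value:
                raise ValueError("control character in " + name)
            env[name] = value
    return env  # names outside ALLOWED are silently dropped


def run_helper(argv, user_values):
    """Run a helper with only the scrubbed environment and no shell."""
    env = build_child_env(user_values)
    return subprocess.run(argv, env=env, capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    print(build_child_env({"USER": "alice", "MAILBOX": "INBOX", "TERM": "xterm"}))
    try:
        build_child_env({"USER": "() { :; }; true"})
    except ValueError as exc:
        print("rejected:", exc)
```

Filtering in the parent is defence in depth; it does not replace installing the patched bash on hosts where helpers run.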