I'm right now handling this beach-ball sized grenade, and trying to figure out which of our services need to be locked down right away.
Since dovecot passes values via environment variables based on user input (e.g. username, password, mailbox?) to auxilliary executables (including possibly bash shell scripts), is dovecot vulnerable to this exploit?
(This is not a fault of dovecot, but rather bash's inadequate handling of environment variables.)
For example, injection of this sort
1 LOGIN (){x;}exploit-code whateverI guess auth_username_chars would mitigate this particular attempt (assuming it can work), but other values such as mailbox names could also be injected post authentication.
Can someone with working knowlegde of dovecot's internals confirm/deny whether this is a something that needs to be addressed?
Joseph Tam jtam.home@gmail.com