Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?
Philipp
e1c1bac6253dc54a1e89ddc046585792 at posteo.net
Fri Sep 26 04:29:20 UTC 2014
Am 26.09.2014 02:59 schrieb Joseph Tam:
> Since dovecot passes values via environment variables based on
> user input (e.g. username, password, mailbox?) to auxilliary
> executables (including possibly bash shell scripts), is dovecot
> vulnerable to this exploit?
Given this article about how e.g. PHP could be vulnerable via
popen/system:
http://lcamtuf.blogspot.de/2014/09/quick-notes-about-bash-bug-its-impact.html
I can only think about sieve now, when it constructs mail and pipes that
to sendmail_path,
but I would be surprised if this is using user-input (e.g. script) in
environment variables.
I was skimming through Roundcube and didnt find something 'fishy' so
far, but that
doesnt mean there is nothing ;-).
More information about the dovecot
mailing list