Hi Timo, hi Jaldhar, hi security team, thanks for the upstream fixes. I ported them to 1.0beta3 (what we have in Ubuntu 6.06) and verified that they work fine with PostgreSQL. Indeed using the db client library functions for string escaping is the only real sane and safe thing to do.
However, they totally don't apply to 0.99.14 (Sarge). It appears that the whole authentication code saw a total rework between 0.99 and 1.0. Luckily, though, 0.99.14 uses str_escape() *only* for escaping SQL queries, so my 0.99.14 patch just fixes this function to use '' instead, which will plug the hole, too (much less elegantly, but only minimally intrusive). Also, the user name is the only string input ever passed to the database, and by default, insecure characters like ' aren't allowed anyway (the admin explicitly has to change auth_username_chars -- THANK YOU, dovecot author, for having security in mind!!!!). So after all, this is only a very minor issue in dovecot.

1.0beta3 patch (just FYI, not needed in Debian):
http://patches.ubuntu.com/patches/dovecot-1.0beta3.CVE-2006-2314.diff

0.99.14 patch for sarge-security:
http://patches.ubuntu.com/patches/dovecot-0.99.14.CVE-2006-2314.diff

Thanks,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
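An added illustration of the two defences the mail relies on, written for this page and not taken from dovecot's source: an allow-list check in the spirit of auth_username_chars (the exact default list is assumed here, the page does not quote it) and a literal escaper that doubles single quotes, the '' form the 0.99.14 patch switches to. The library escaping functions the mail recommends for 1.0 remain the preferred approach; this shows only what the fallback does.

```c
/* Added example, not dovecot code. Defensive handling of a user name
 * before it is interpolated into an SQL literal. */
#include <stdlib.h>
#include <string.h>

/* Assumed allow-list modelled on auth_username_chars; the real default
 * value is not given on the page. */
static const char *allowed_chars =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@";

/* Returns 1 if every byte of name is in the allow-list, 0 otherwise.
 * With this check in place a quote never reaches the escaper at all. */
int username_chars_ok(const char *name)
{
    for (; *name != '\0'; name++)
        if (strchr(allowed_chars, *name) == NULL)
            return 0;
    return 1;
}

/* Returns a newly allocated copy of s in which every ' is doubled to ''.
 * Doubling is the SQL-standard way to embed a quote in a string literal
 * and is honoured by PostgreSQL whatever its backslash handling, unlike
 * the \' form str_escape() originally produced. Caller frees the result. */
char *sql_escape_quotes(const char *s)
{
    size_t len = strlen(s), extra = 0, i, j;
    char *out;

    for (i = 0; i < len; i++)
        if (s[i] == '\'')
            extra++;
    out = malloc(len + extra + 1);
    if (out == NULL)
        return NULL;
    for (i = 0, j = 0; i < len; i++) {
        out[j++] = s[i];
        if (s[i] == '\'')
            out[j++] = '\'';
    }
    out[j] = '\0';
    return out;
}
```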

