Hi all! In dovecot-1.2-v1.2-alt1_alpha3 there is a security problem in managesieve for virtual users. A clever virtual user, by using the '../' sequence in a sieve filter name, can read and modify the filters of other virtual users. For example, silently forwarding their mail to ill-wishers.
The dovecot1.2-v1.2-alt2_alpha3 package I sent to incoming yesterday contained a bug that made managesieve in it unusable. Today that bug has been fixed and the package dovecot1.2-v1.2-alt3_alpha3 has been sent to incoming; everyone is advised to update to it.

-- Sergey

Fwd: [Dovecot] ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)

----- "Stephan Bosch" <[EMAIL PROTECTED]> wrote:
> Hello,
>
> While updating the ManageSieve implementation to the latest draft
> specification I noticed a major omission in the way script names are
> handled. Essentially, script names are directly appended to the sieve
> storage directory path and suffixed with '.sieve'. This does not take
> the use of '../' in script names into account. Therefore, clever virtual
> users that know the directory structure of the server can read and edit
> script files of other virtual users with the same system uid. The added
> '.sieve' suffix prevents further security breach, because only sieve
> scripts are accessible this way. Note that of course any publicly
> accessible sieve script is also affected.
>
> I am sorry to report that this bug was introduced pretty much from the
> start, meaning that all versions of the ManageSieve patch/package are
> affected.
>
> To quickly resolve this issue, I provide patches against the existing
> releases and I release new versions for Dovecot v1.1 through v1.2. The
> security patches against the existing releases are very small and should
> therefore also apply to older versions or can be adjusted to apply
> cleanly with relative ease.
>
> The security patches are available as follows:
>
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch.sig
>
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.3-security.patch.sig
>
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.0-security.patch.sig
>
> The security patch for v1.0 is applied against the patched Dovecot tree,
> while patches for v1.1 and v1.2 are applied against the ManageSieve
> package.
>
> The new releases are available as follows (v1.1 and v1.2 versions have
> additional changes, read the NEWS files for more info):
>
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz
> http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-MANAGESIEVE-v9.4.diff.gz.sig
>
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz
> http://www.rename-it.nl/dovecot/1.1/dovecot-1.1-managesieve-0.10.4.tar.gz.sig
>
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz
> http://www.rename-it.nl/dovecot/1.2/dovecot-1.2-managesieve-0.11.1.tar.gz.sig
>
> Refreshed ManageSieve patches for v1.1 and v1.2 are available to avoid
> confusion, but an existing patched Dovecot should work fine.
>
> I hope package maintainers will quickly incorporate the security patches
> to get rid of this stupidity as soon as possible.
>
> Don't hesitate to notify me when there are problems!
>
> Regards,
>
> --
> Stephan Bosch
> [EMAIL PROTECTED]

_______________________________________________
Sysadmins mailing list
https://lists.altlinux.org/mailman/listinfo/sysadmins
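The script-name handling the advisory describes, shown as an added C example that is not part of the Dovecot or ManageSieve code: a naive path builder that pastes the client-supplied name between the storage directory and ".sieve", beside a validating version that accepts only a single path component. Function names and the storage directory used in the comments are assumed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIEVE_SUFFIX ".sieve"

/* The pattern the advisory describes: the client-supplied name is pasted
 * straight between the storage directory and ".sieve", so "../" inside the
 * name walks out of the user's own directory. Kept here only for contrast. */
int naive_sieve_script_path(const char *storage_dir, const char *name,
                            char *buf, size_t bufsize)
{
    return snprintf(buf, bufsize, "%s/%s%s", storage_dir, name, SIEVE_SUFFIX);
}

/* Accept a name only if it is a single, printable path component. */
bool sieve_script_name_is_valid(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return false;                    /* no directory separators */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;                    /* not real script names */
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++)
        if (*p < 0x20 || *p == 0x7f)
            return false;                /* no control characters */
    return true;
}

/* Hardened form: validate first, then build "<storage_dir>/<name>.sieve".
 * Returns true on success; on rejection or truncation buf is left empty. */
bool sieve_script_path(const char *storage_dir, const char *name,
                       char *buf, size_t bufsize)
{
    if (bufsize == 0)
        return false;
    buf[0] = '\0';
    if (!sieve_script_name_is_valid(name))
        return false;
    int n = snprintf(buf, bufsize, "%s/%s%s", storage_dir, name, SIEVE_SUFFIX);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';
        return false;
    }
    return true;
}
```

Because every '/' is rejected, the validated name can only ever resolve to a file directly inside the caller's own storage directory, which is the property the ".sieve" suffix alone could not guarantee.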
