Bug 643715

Summary: VUL-0: dovecot 1.2.15 fixes ACL issues
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: General
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P2 - High
CC: mrueckert, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:11.2:36776 maint:released:11.3:36776
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2010-10-05 06:13:07 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

------------------------------------------------------------------------------
Date: Mon, 4 Oct 2010 15:30:08 -0400 (EDT)
From: Josh Bressers <bressers@redhat.com>
Subject: Re: [oss-security] CVE Request: more dovecot ACL issues

----- "Ludwig Nussel" <ludwig.nussel@suse.de> wrote:
> dovecot 1.2.15 fixes issues with ACLs:
> http://www.dovecot.org/list/dovecot/2010-October/053450.html
> http://www.dovecot.org/list/dovecot/2010-October/053452.html
> 

If I'm understanding this correctly based off
http://www.dovecot.org/list/dovecot/2010-October/053452.html

There are two issues here:

a) If an admin wanted to remove some rights from mailboxes in a user's
private namespace (e.g. symlinked shared mailboxes), they may not have
been removed.

Use CVE-2010-3706 for this one.


b) When mixing up multiple ACL entries, such as groups/users, the more
specific entry may not have replaced the previous entry (e.g.
group-override may not have worked as expected).

Use CVE-2010-3707.

Thanks.

-- 
    JB
Comment 1 Swamp Workflow Management 2010-10-05 14:00:30 UTC
The SWAMPID for this issue is 36233.
This issue was rated as low.
Please submit fixed packages by 2010-11-02.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Marcus Rückert 2010-10-25 14:57:30 UTC
Requests created:  51359 51360
Comment 3 Swamp Workflow Management 2010-10-29 08:25:59 UTC
Update released for: dovecot12, dovecot12-backend-mysql, dovecot12-backend-mysql-debuginfo, dovecot12-backend-pgsql, dovecot12-backend-pgsql-debuginfo, dovecot12-backend-sqlite, dovecot12-backend-sqlite-debuginfo, dovecot12-debuginfo, dovecot12-debugsource, dovecot12-devel, dovecot12-fts-lucene, dovecot12-fts-lucene-debuginfo, dovecot12-fts-solr, dovecot12-fts-solr-debuginfo
Products:
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 4 Ludwig Nussel 2010-10-29 08:32:19 UTC
released