Debian: DSA-1892-1: New dovecot packages fix arbitrary code execution

    Date23 Sep 2009
    CategoryDebian
    36
    Posted ByLinuxSecurity Advisories
    It was discovered that the SIEVE component of dovecot, a mail server that supports mbox and maildir mailboxes, is vulnerable to a buffer overflow when processing SIEVE scripts. This can be used to elevate privileges to the dovecot system user. An attacker who is able to
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1892-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                      Giuseppe Iuculano
    September 23, 2009                    http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Packages       : dovecot
    Vulnerability  : buffer overflow
    Problem type   : local (remote)
    Debian-specific: no
    CVE IDs        : CVE-2009-2632 CVE-2009-3235
    Debian Bug     : 546656
    
    It was discovered that the SIEVE component of dovecot, a mail server
    that supports mbox and maildir mailboxes, is vulnerable to a buffer
    overflow when processing SIEVE scripts. This can be used to elevate
    privileges to the dovecot system user.  An attacker who is able to
    install SIEVE scripts executed by the server is therefore able to read
    and modify arbitrary email messages on the system.
    
    
    For the oldstable distribution (etch), this problem has been fixed in version
    1.0.rc15-2etch5.
    
    For the stable distribution (lenny), this problem has been fixed in version
    1:1.0.15-2.3+lenny1.
    
    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem has been fixed in version 1:1.2.1-1.
    
    
    We recommend that you upgrade your dovecot packages.
    
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (oldstable)
    - ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch5.diff.gz
        Size/MD5 checksum:   105496 25968ea91265d9c79869fd13e1cf18a7
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
        Size/MD5 checksum:  1463069 26f3d2b075856b1b1d180146363819e6
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch5.dsc
        Size/MD5 checksum:     1017 69660b4d8bd4c443a9e6a445cee73ae4
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_alpha.deb
        Size/MD5 checksum:   583336 05cdd40c7eca4f076ebe18629d497b3b
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_alpha.deb
        Size/MD5 checksum:   621512 58f8c92c7567a9c1ed6eee44979e7abf
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_alpha.deb
        Size/MD5 checksum:  1378160 512ca0853d71066040c22daae6ff0e3a
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_amd64.deb
        Size/MD5 checksum:  1224200 c43f474ed1a38e2b717463faf4a603a9
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_amd64.deb
        Size/MD5 checksum:   536502 9bc2da44bcb81f7c1d5a3381bc02c950
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_amd64.deb
        Size/MD5 checksum:   570646 7a5e8aa209ecee48bbc9daa5c5364788
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_arm.deb
        Size/MD5 checksum:   506574 6a4be002eaaf4932161c03ef9a170e72
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_arm.deb
        Size/MD5 checksum:   537184 d5d095c9771afaacfbd863f2f37700f6
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_arm.deb
        Size/MD5 checksum:  1118568 c884c1632c4e20d9b6636806d2039b29
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_hppa.deb
        Size/MD5 checksum:   561854 1911ecd7f8336deb46986f3f37fae039
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_hppa.deb
        Size/MD5 checksum:  1297502 a965f31d08deb751b26ca9a7b467aa9c
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_hppa.deb
        Size/MD5 checksum:   600138 867931a360b0bfeea1f3e28dfb073bf7
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_i386.deb
        Size/MD5 checksum:   514726 e2fe7ef8a944f84d59c4d13c2583f37f
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_i386.deb
        Size/MD5 checksum:   547040 41d4f84120825e06e41ff079dabd0429
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_i386.deb
        Size/MD5 checksum:  1135076 3e11a2b0f46ce7452760264a478a07a2
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_ia64.deb
        Size/MD5 checksum:  1702256 e292ef2a99bb7868fd131574b0dcb876
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_ia64.deb
        Size/MD5 checksum:   737696 b3ee10e9ca9b771fb7f15ed508173628
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_ia64.deb
        Size/MD5 checksum:   793994 888618682b965c75167249e9177aea29
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_mipsel.deb
        Size/MD5 checksum:   558948 c42d2f897b76a5635d45bc196dbb1fdf
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_mipsel.deb
        Size/MD5 checksum:  1268494 800381d4b15c5857dabe79e37fd1003a
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_mipsel.deb
        Size/MD5 checksum:   595020 33ff0bc5c3755320bd209d4837742a1a
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_powerpc.deb
        Size/MD5 checksum:  1212206 dcef8ac28680d74ed0e3e2586cd3d056
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_powerpc.deb
        Size/MD5 checksum:   569890 b549032c41f1a1f2de3a96a99a92b2e8
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_powerpc.deb
        Size/MD5 checksum:   536100 1e073cad6b24f04f1d10e43c3c2b5c7f
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_s390.deb
        Size/MD5 checksum:  1290172 fc78f024c57fd97448a1cab449d97c26
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_s390.deb
        Size/MD5 checksum:   595622 4f35eef9b7f47a5689f1a3bffb0b1496
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_s390.deb
        Size/MD5 checksum:   559910 472231dbce114cf79838f7c34d0850b9
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15.orig.tar.gz
        Size/MD5 checksum:  1783347 aa39c11c18df6b95b64d4f04d793d77a
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.dsc
        Size/MD5 checksum:     1614 d0b83408d8c8324fdfa03b80cdbed4f6
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.diff.gz
        Size/MD5 checksum:   216038 45614e66070551b80bcbd803113f22d6
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_alpha.deb
        Size/MD5 checksum:   389244 a5b09618e986ca9e9181ce1ae3ec693e
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_alpha.deb
        Size/MD5 checksum:   669230 3e0622750be09c51dae2b0ffee7d015c
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_alpha.deb
        Size/MD5 checksum:  2309838 6f608b22a263d8f5ef8768bbe7a728a6
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_alpha.deb
        Size/MD5 checksum:   709292 6c68631fa3541bc48ca897d98e498274
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_amd64.deb
        Size/MD5 checksum:   390826 7386cae0c224a81a3a69a4c59dc53b1b
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_amd64.deb
        Size/MD5 checksum:   632604 4f8004c08a2d8c56907571b015f279d8
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_amd64.deb
        Size/MD5 checksum:   669682 3ffaccbe054991901b258c204a59bd07
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_amd64.deb
        Size/MD5 checksum:  2106030 bde9f3caac387c20b423d71c3213aaac
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_arm.deb
        Size/MD5 checksum:   620406 34980793a3cf093446b18614880d7c4d
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_arm.deb
        Size/MD5 checksum:   390376 60ee2b17f10334253ea32654e741b006
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_arm.deb
        Size/MD5 checksum:   588296 12f73940ba5583e6c81a38a9d6663cdf
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_arm.deb
        Size/MD5 checksum:  1901028 3c23a98d1f07817db4a314865243ae13
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_armel.deb
        Size/MD5 checksum:   391168 8049082b57c86d865d51679db193d5fa
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_armel.deb
        Size/MD5 checksum:   626970 2bcd781a52cac6cf397b5df9e1e144b1
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_armel.deb
        Size/MD5 checksum:   594616 1515c12da34869de4f5616fe6143aee0
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_armel.deb
        Size/MD5 checksum:  1932436 63c7c48a798aeb72d11b622057eb6ad5
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_hppa.deb
        Size/MD5 checksum:   390606 ab3bd158a5930daad61b9dffb3bb130e
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_hppa.deb
        Size/MD5 checksum:   638882 e3ec95e636c33c400266c5419e18e864
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_hppa.deb
        Size/MD5 checksum:   677942 808cfe06b6b4325b9ea13008d35918b2
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_hppa.deb
        Size/MD5 checksum:  2162538 3f41711076b008bc16ee08e7e822f703
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_i386.deb
        Size/MD5 checksum:  1938596 0113ec4318618383c6945ad66ac457ab
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_i386.deb
        Size/MD5 checksum:   602896 93b9ffb25946df4200203a236839d967
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_i386.deb
        Size/MD5 checksum:   636970 40f7a7785597f69f39991c35865c1df8
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_i386.deb
        Size/MD5 checksum:   390674 615f9e862c4c2b14db2fbed7f3a0089f
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_ia64.deb
        Size/MD5 checksum:   878572 21ea3f8af009b4c0668310a1d42ff6e8
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_ia64.deb
        Size/MD5 checksum:  2857622 5710f0fe4c677388e61268c1b6d28a9a
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_ia64.deb
        Size/MD5 checksum:   389246 afaa27855049264e8d1bc6272c619c68
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_ia64.deb
        Size/MD5 checksum:   818126 94b7b844dfb2d352901a0570dcc9446a
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_mips.deb
        Size/MD5 checksum:   389274 39038f291d9e447928d0ce4cc69547f8
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_mips.deb
        Size/MD5 checksum:   631574 6c011d890fb624ab2fb42f9d531c56c6
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_mips.deb
        Size/MD5 checksum:  2104730 a5c2b94943df80bb457afdb7ebdd1047
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_mips.deb
        Size/MD5 checksum:   668110 027bdd8d539ad64838e70d01b817ab9a
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_mipsel.deb
        Size/MD5 checksum:   389284 7393c2e406358c4ff44f1936e77289bc
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_mipsel.deb
        Size/MD5 checksum:   666878 952824b8ef88116eecd9b6d8dc2eb7ab
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_mipsel.deb
        Size/MD5 checksum:  2107826 868569a1a13d5150d052f3f85a0c5b4b
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_mipsel.deb
        Size/MD5 checksum:   630902 26f8d04ed6cebb1cee2cdee0466e3828
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_powerpc.deb
        Size/MD5 checksum:  2116926 83a20a035135c86165e90512e1616e17
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_powerpc.deb
        Size/MD5 checksum:   633850 378165eda8f93d5db9a9750eb388a3d7
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_powerpc.deb
        Size/MD5 checksum:   389308 5706cb949dce54ed6bde511050c808db
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_powerpc.deb
        Size/MD5 checksum:   670056 5935a4928c82551b592a4ab7103d0305
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_sparc.deb
        Size/MD5 checksum:   389286 d67b24f2a1ca1ae2dfa7aeed269ba1c5
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_sparc.deb
        Size/MD5 checksum:   595054 0ce7c504c0a218e95713084b6fbdd9d4
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_sparc.deb
        Size/MD5 checksum:   628466 5509951b4426e12912531c3f56e309ae
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_sparc.deb
        Size/MD5 checksum:  1906138 8eda92ca5dfb4239544a288ebd8e8230
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"7","type":"x","order":"1","pct":58.33,"resources":[]},{"id":"88","title":"Should be more technical","votes":"3","type":"x","order":"2","pct":25,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"2","type":"x","order":"3","pct":16.67,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.