[Dovecot-news] Security hole #3: zlib plugin allows opening any gziped mboxes

Timo Sirainen tss at iki.fi
Fri Mar 30 17:46:29 EEST 2007


zlib plugin allows opening gzipped mboxes as read-only mailboxes.
However when using it, the mailbox name checks are bypassed so it's
possible to open for example "../otheruser/somefile.gz". Only valid
gzipped mbox files can be opened, and only if their name ends with
".gz".

You can fix this by upgrading to v1.0.rc29 (available soon) or with this
patch: http://dovecot.org/list/dovecot-cvs/2007-March/008488.html

I don't think this matters much though. zlib plugin is rarely used, and
those who do use it are probably using Dovecot with systems users
(per-user UIDs), so the imap process wouldn't have access to other
users' mbox files anyway.

I found this problem when I was cleaning up the code in CVS HEAD.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot-news/attachments/20070330/ed34f1a6/attachment.pgp 


More information about the Dovecot-news mailing list