[Dovecot] Security hole #3: zlib plugin allows opening any gziped mboxes
tss at iki.fi
Fri Mar 30 17:46:29 EEST 2007
zlib plugin allows opening gzipped mboxes as read-only mailboxes.
However when using it, the mailbox name checks are bypassed so it's
possible to open for example "../otheruser/somefile.gz". Only valid
gzipped mbox files can be opened, and only if their name ends with
You can fix this by upgrading to v1.0.rc29 (available soon) or with this
I don't think this matters much though. zlib plugin is rarely used, and
those who do use it are probably using Dovecot with systems users
(per-user UIDs), so the imap process wouldn't have access to other
users' mbox files anyway.
I found this problem when I was cleaning up the code in CVS HEAD.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20070330/ed34f1a6/attachment.pgp
More information about the dovecot