[Dovecot] Solving CVE-2008-4870

Michal Hlavinka mhlavink at redhat.com
Thu Nov 13 13:03:48 EET 2008


Hi,

we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is 
world readable - possible password exposure.

This problem seems to be little more complicated than we thought.

dovecot.conf can contain passphrase for ssl key, which is available for 
everyone since dovecot.conf has world readable permissions.

(In CVE's description is note that it RHEL's/Fedora's problem, but it 
affects all systems imo)

We was thinking about few ways how to fix it:
1) 0640 permissions for dovecot.conf - but it can became not readable 
for dovecot

2) 0640 root:mail and set deliver to group mail with sgid - possible 
security problem

3) don't store passphrase in dovecot.conf, just ask for it when 
dovecot's started - can hang boot process, not good

As part of investigating, I've found dovecot is storing all variables in 
environment variables - it means even passphrase? I'm not completely 
sure, but all variables can be read via /proc/<pid>/environ (I don't 
know if it becomes readable in some circumstances.)

Is there any plan to solve this problem?

Cheers,

Michal




More information about the dovecot mailing list