Joseph Tam
2014-Sep-26 00:59 UTC
Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?
I'm right now handling this beach-ball sized grenade, and trying to
figure out which of our services need to be locked down right away.
Since dovecot passes values via environment variables based on
user input (e.g. username, password, mailbox?) to auxiliary
executables (including possibly bash shell scripts), is dovecot
vulnerable to this exploit?
(This is not a fault of dovecot, but rather bash's inadequate handling
of environment variables.)
For example, injection of this sort
1 LOGIN (){x;}exploit-code whatever
I guess auth_username_chars would mitigate this particular attempt (assuming
it can work), but other values such as mailbox names could also be injected
post authentication.
Can someone with working knowledge of dovecot's internals confirm/deny
whether this is something that needs to be addressed?
Joseph Tam <jtam.home at gmail.com>
Philipp
2014-Sep-26 04:29 UTC
Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?
On 26.09.2014 02:59, Joseph Tam wrote:
> Since dovecot passes values via environment variables based on
> user input (e.g. username, password, mailbox?) to auxiliary
> executables (including possibly bash shell scripts), is dovecot
> vulnerable to this exploit?

Given this article about how e.g. PHP could be vulnerable via popen/system:
http://lcamtuf.blogspot.de/2014/09/quick-notes-about-bash-bug-its-impact.html

I can only think about sieve now, when it constructs mail and pipes that to sendmail_path, but I would be surprised if this is using user-input (e.g. script) in environment variables. I was skimming through Roundcube and didn't find something 'fishy' so far, but that doesn't mean there is nothing ;-).
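
An added example, not part of either post and not dovecot code: a stopgap for the concern raised in this thread, where a service hands user-derived values to helper scripts through the environment. It drops any variable whose value looks like a bash function definition before the helper is spawned. The variable names and sample values are constructed for illustration, and patching bash remains the actual fix.

```python
import re
import subprocess

# Bash imports an environment variable as a function when its value begins
# with "() {". Match a slightly wider prefix (optional whitespace) so the
# filter errs on the side of rejecting.
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")


def split_env(env):
    """Split env into (clean, rejected).

    rejected holds every variable whose value looks like a bash function
    definition; clean holds everything else.
    """
    clean, rejected = {}, {}
    for name, value in env.items():
        target = rejected if FUNC_PREFIX.match(value) else clean
        target[name] = value
    return clean, rejected


def run_helper(argv, env):
    """Run a helper program with only the clean part of env."""
    clean, rejected = split_env(env)
    for name in sorted(rejected):
        # Log the variable name only; the value is attacker-controlled.
        print(f"dropped suspicious environment variable: {name}")
    return subprocess.run(argv, env=clean, check=False)


# Constructed sample environment (hypothetical variable names, not the ones
# dovecot actually exports).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "USER": "alice",
    "MAILBOX": "() { :;}; echo injected",
    "FOLDER": "  (){x;}trailing",
    "NOTE": "call f() { later }",
}

if __name__ == "__main__":
    clean, rejected = split_env(SAMPLE_ENV)
    print("kept:   ", sorted(clean))
    print("dropped:", sorted(rejected))
```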