123024 – net-mail/dovecot: denial of service in imap/pop3-login

Bug 123024 - net-mail/dovecot: denial of service in imap/pop3-login

Summary: net-mail/dovecot: denial of service in imap/pop3-login

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://www.dovecot.org/list/dovecot/2...
Whiteboard:	C3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2006-02-16 05:08 UTC by Tavis Ormandy (RETIRED)
Modified:	2006-03-05 13:12 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tavis Ormandy (RETIRED) gentoo-dev

2006-02-16 05:08:09 UTC

Description:
A vulnerability have been reported in Dovecot, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a double free error in pop3-login and imap-login when processing certain requests and can be exploited to crash the service.

Successful exploitation requires that "login_process_per_connection = no" has been set in the configuration file.

The vulnerability has been reported in versions prior to 1.0 beta3.

Comment 1 Tavis Ormandy (RETIRED) gentoo-dev

2006-02-16 05:09:41 UTC

g2boojum: is beta3 suitable for arch stabilisation? or should the fixes be backported?

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2006-02-16 12:43:34 UTC

Stoopid Bugzie forces a comment here.

Comment 3 Tavis Ormandy (RETIRED) gentoo-dev

2006-02-16 15:30:40 UTC

http://dovecot.org/patches/1.0-auth-crashfix.diff
http://dovecot.org/patches/1.0-login-crashfixes.diff

Comment 4 Grant Goodyear (RETIRED) gentoo-dev

2006-02-17 14:21:01 UTC

(In reply to comment #1)
> g2boojum: is beta3 suitable for arch stabilisation? or should the fixes be
> backported?

I think beta3 can be stabled.

Comment 5 Stefan Cornelius (RETIRED) gentoo-dev

2006-02-18 00:34:21 UTC

arches please test and mark stable, thx

Comment 6 Thierry Carrez (RETIRED) gentoo-dev

2006-02-21 10:42:22 UTC

DerCorny: Arches should be Cced in order to mark stable :P
1.0_beta3 is the stable target, please test and mark stable if not worse than the previous stable.

Comment 7 Joshua Jackson (RETIRED) gentoo-dev

2006-02-22 00:36:50 UTC

Stable on x86; marked stable for Ticho who's at work \(^.^)/

Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev

2006-02-22 11:56:05 UTC

ppc stable

Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev

2006-02-23 09:42:34 UTC

sparc stable.

Comment 10 Fernando J. Pereda (RETIRED) gentoo-dev

2006-02-26 02:11:27 UTC

Alpha done by Stefaan. Thanks mate.

Cheers,
Ferdy

Comment 11 Thierry Carrez (RETIRED) gentoo-dev

2006-02-26 03:58:12 UTC

Ready for GLSA vote

The doc is quite explicit that setting login_process_per_connection=no is less secure, so I tend to vote no.

Comment 12 Stefan Cornelius (RETIRED) gentoo-dev

2006-03-04 08:48:56 UTC

voting no, too

Comment 13 Tavis Ormandy (RETIRED) gentoo-dev

2006-03-05 11:33:41 UTC

agree with Koon, NO.

Comment 14 Thierry Carrez (RETIRED) gentoo-dev

2006-03-05 13:12:25 UTC

Closing without GLSA