Bug 155654 - net-mail/dovecot Exploitable crash with mmap_disable=yes
Summary: net-mail/dovecot Exploitable crash with mmap_disable=yes
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High normal
Assignee: Gentoo Security
URL: http://www.dovecot.org/list/dovecot-n...
Whiteboard: C3? [noglsa] jaervosz
Reported: 2006-11-19 03:36 UTC by Roy Marples (RETIRED)
Modified: 2006-11-27 01:40 UTC
Description Roy Marples (RETIRED) gentoo-dev 2006-11-19 03:36:44 UTC
Version: 1.0test53 .. 1.0.rc14 (i.e. all 1.0alpha, 1.0beta and 1.0rc
versions so far).

0.99.x versions are safe (they don't even have mmap_disable setting).

Problem: When mmap_disable=yes setting is used, dovecot.index.cache file
is read to memory using "file cache" code. It contains a "mapped pages"
bitmask buffer. In some conditions when updating the buffer it allocates
one byte too little.

Exploitability: I think it's going to be pretty difficult to cause
anything other than a crash, but I wouldn't say impossible. Only logged-in
IMAP/POP3 users can exploit this.

In theory you might be able to exploit this for other users as well by
sending them a lot of specially crafted emails, but this requires
knowing what dovecot.index.cache file contains. Normally its contents
can't be predicted, although perhaps with POP3 users it gets empty often
enough that the exploit could be tried. Then again, the exploit requires
having at least 4MB cache file, which won't happen with POP3 users
before the mailbox has about 170k mails (if I counted right).

With IMAP the cache file is used more, so it's easier to fill the 4MB
with for example a lot of To-headers.

Workaround: Use INDEX=MEMORY so the cache files aren't used at all.

mmap_disable=no is the default setting.

dovecot-1.0_rc15 is now in the tree
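The bug class described in the report (a "mapped pages" bitmask that is sized one byte too small when the cache grows) is easy to miss in review because it only bites when the page count is not a multiple of 8. The following C program is an added, constructed illustration of that sizing mistake beside its corrected form; it is not Dovecot's file-cache code, and the struct layout, function names and 4096-byte page size are assumptions made for the example. The buggy sizing uses floor division, so a file that grows from 8 to 9 pages still gets a one-byte bitmask and the bit for the ninth page lands one byte past the allocation; the fixed sizing rounds up.

```c
/*
 * Constructed illustration of the bug class described in the report:
 * a "mapped pages" bitmask sized one byte too small when the cache
 * file grows.  This is NOT Dovecot's file-cache code; the names and
 * the page size are assumptions made for the example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define PAGE_SIZE 4096   /* assumed page size */

/* Buggy sizing: floor division drops the partial last byte, so any
   page count that is not a multiple of 8 gets a buffer one byte short. */
static size_t bitmask_bytes_buggy(size_t pages)
{
    return pages / 8;
}

/* Correct sizing: round the page count up to whole bytes. */
static size_t bitmask_bytes_fixed(size_t pages)
{
    return (pages + 7) / 8;
}

/* Does a buffer of 'bytes' bytes hold a bit for every one of 'pages'? */
static bool bitmask_covers(size_t bytes, size_t pages)
{
    return pages == 0 || (pages - 1) / 8 < bytes;
}

struct file_cache {
    size_t   size;          /* bytes of the cache file currently tracked */
    uint8_t *mapped_pages;  /* one bit per PAGE_SIZE page of the file */
    size_t   mapped_bytes;  /* allocated length of mapped_pages */
};

static size_t pages_for(size_t size)
{
    return (size + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* Grow the bitmask when the file has grown.  'fixed' selects the
   correct size computation; false reproduces the off-by-one. */
static int file_cache_set_size(struct file_cache *fc, size_t new_size, bool fixed)
{
    size_t pages = pages_for(new_size);
    size_t need = fixed ? bitmask_bytes_fixed(pages) : bitmask_bytes_buggy(pages);
    if (need > fc->mapped_bytes) {
        uint8_t *p = realloc(fc->mapped_pages, need);
        if (p == NULL)
            return -1;
        memset(p + fc->mapped_bytes, 0, need - fc->mapped_bytes);
        fc->mapped_pages = p;
        fc->mapped_bytes = need;
    }
    fc->size = new_size;
    return 0;
}

/* Mark a page as read into memory.  Returns false (and writes nothing)
   when the bit would fall outside the allocation: that is the one-byte
   heap overflow the report describes, which an unchecked write would
   perform. */
static bool file_cache_mark_mapped(struct file_cache *fc, size_t page)
{
    size_t byte = page / 8;
    if (byte >= fc->mapped_bytes)
        return false;
    fc->mapped_pages[byte] |= (uint8_t)(1u << (page % 8));
    return true;
}

/* Simulate a cache file growing from 8 pages to 9 and then marking the
   ninth page (index 8).  Returns true if that page's bit fits. */
static bool simulate_growth(bool fixed)
{
    struct file_cache fc = { 0, NULL, 0 };
    bool ok = file_cache_set_size(&fc, 8 * PAGE_SIZE, fixed) == 0
           && file_cache_set_size(&fc, 9 * PAGE_SIZE, fixed) == 0
           && file_cache_mark_mapped(&fc, 8);
    free(fc.mapped_pages);
    return ok;
}

int main(void)
{
    size_t b = bitmask_bytes_buggy(9), f = bitmask_bytes_fixed(9);
    printf("9 pages: buggy %zu byte(s) (covers: %d), fixed %zu byte(s) (covers: %d)\n",
           b, bitmask_covers(b, 9), f, bitmask_covers(f, 9));
    printf("buggy growth: %s\n", simulate_growth(false) ? "fits" : "out of bounds");
    printf("fixed growth: %s\n", simulate_growth(true) ? "fits" : "out of bounds");
    return 0;
}
```

The check in `file_cache_mark_mapped` is what turns the silent one-byte overwrite into a detectable failure; the real fix is the rounded-up size in `bitmask_bytes_fixed`, since a bounds check alone would leave the last page untracked. On a live Dovecot install the relevant operational check is simply whether `mmap_disable=yes` is set in dovecot.conf; the default `mmap_disable=no` never enters this code path.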
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 00:14:04 UTC
Thx Uberlord.

Arches please test and mark stable. Target keywords are:

dovecot-1.0_rc15.ebuild:KEYWORDS=alpha@gentoo.org,amd64@gentoo.org,ppc@gentoo.org,sparc@gentoo.org,x86@gentoo.org
Comment 2 Michael Weyershäuser 2006-11-20 01:22:04 UTC
Looking good on amd64.

Portage 2.1.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.6
Last Sync: Mon, 20 Nov 2006 05:00:02 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -Os -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage_overlay"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-20 02:03:25 UTC
DESCRIPTION="An IMAP and POP3 server written with security primarily in mind"

Sounds logical. :) Done on x86
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-20 10:54:55 UTC
sparc stable.
Comment 5 Simon Stelling (RETIRED) gentoo-dev 2006-11-20 13:50:09 UTC
amd64 done
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-22 09:32:52 UTC
ppc stable
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-25 07:48:35 UTC
Stable on Alpha.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-25 08:47:40 UTC
Time for GLSA decision.

Given that we're not vulnerable in default configuration I tend to vote NO.
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-26 12:25:34 UTC
also tend to vote no
Comment 10 Wolf Giesen (RETIRED) gentoo-dev 2006-11-27 01:35:14 UTC
One more NO.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-27 01:40:33 UTC
Two full NO votes -> Closing without GLSA.