From ${URL} :

we're sharing our latest advisory with you and would like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne.

Please find patches for v2.2.36 and v2.3.5 attached, or download new version.

Yours sincerely,
Aki Tuomi
Open-Xchange Oy

Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-2964 (Bug ID)
Vulnerability type: CWE-120
Vulnerable version: 2.0.14 - 2.3.5
Vulnerable component: fts, pop3-uidl-plugin
Report confidence: Confirmed
Researcher credits: Found in internal testing
Solution status: Fixed by Vendor
Fixed version: 2.3.5.1, 2.2.36.3
Vendor notification: 2019-02-05
Solution date: 2019-03-21
Public disclosure: 2019-03-28
CVE reference: CVE-2019-7524
CVSS: 3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C (8.8)

Vulnerability Details:
When reading FTS or POP3-UIDL header from dovecot index, the input buffer size is not bound, and data is copied to target structure causing stack overflow.

Risk:
This can be used for local root privilege escalation or executing arbitrary code in dovecot process context. This requires ability to directly modify dovecot indexes.

Steps to reproduce:
Produce dovecot.index.log entry that creates an FTS header which has more than 12 bytes of data. Trigger dovecot indexer-worker or run doveadm index. Dovecot will crash.

Mitigations:
Since 2.3.0 dovecot has been compiled with stack smash protection, ASLR, read-only GOT tables and other techniques that make exploiting this bug much harder.

Solution:
Operators should update to the latest Patch Release. The only workaround is to disable FTS and pop3-uidl plugin.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
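Added example, not part of the advisory and not Dovecot's own code: a reader for a fixed 12-byte index header (the size the advisory mentions) that checks the record length taken from the index file against the destination before copying, which is the bound whose absence the advisory describes. The struct layout, field names and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative 12-byte on-disk header; field names are assumptions,
   chosen only so that sizeof(struct fts_index_header) == 12. */
struct fts_index_header {
    uint32_t last_indexed_uid;
    uint32_t settings_checksum;
    uint32_t unused;
};

/* Hardened reader. data/data_size describe an extension header record
   read from the index; the size is attacker-influenced if the index
   files can be modified, so it must be bounded before the copy.
   Returns 0 on success, -1 if the record is rejected (hdr zeroed). */
int fts_read_header(const void *data, size_t data_size,
                    struct fts_index_header *hdr)
{
    if (hdr == NULL)
        return -1;
    memset(hdr, 0, sizeof(*hdr));
    if (data == NULL)
        return -1;
    /* The CWE-120 defect is an unbounded memcpy(hdr, data, data_size):
       any record longer than sizeof(*hdr) overruns the stack variable.
       Reject short records as corrupt and long records as oversized. */
    if (data_size != sizeof(*hdr)) {
        fprintf(stderr, "fts header: bad record size %zu (want %zu)\n",
                data_size, sizeof(*hdr));
        return -1;
    }
    memcpy(hdr, data, sizeof(*hdr));
    return 0;
}

int main(void)
{
    /* Constructed sample records: one valid, one oversized. */
    struct fts_index_header src = { 42u, 7u, 0u }, dst;
    unsigned char oversized[64];
    memset(oversized, 0x41, sizeof(oversized));
    printf("valid record:     %d\n", fts_read_header(&src, sizeof(src), &dst));
    printf("oversized record: %d\n",
           fts_read_header(oversized, sizeof(oversized), &dst));
    return 0;
}
```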
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aebf54df234b6fe8e8879adae952f7603471caae

commit aebf54df234b6fe8e8879adae952f7603471caae
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2019-03-29 14:01:58 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2019-03-29 14:01:58 +0000

    net-mail/dovecot: security bump to 2.3.5.1

    Bug: https://bugs.gentoo.org/681922
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest               |   1 +
 net-mail/dovecot/dovecot-2.3.5.1.ebuild | 294 ++++++++++++++++++++++++++++++++
 2 files changed, 295 insertions(+)
Arches, please test and mark stable:

=net-mail/dovecot-2.3.5.1

TARGET KEYWORDS=alpha amd64 arm ~hppa ia64 ~mips ppc ppc64 s390 ~sparc x86

Thank you
missed hppa

TARGET KEYWORDS=alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 ~sparc x86
amd64 stable
x86 stable
New GLSA Request filed.
arm stable
ia64 stable
ppc64 stable
ppc stable
hppa stable
alpha stable
s390 stable
@maintainer, please drop vulnerable.
This issue was resolved and addressed in GLSA 201904-19 at https://security.gentoo.org/glsa/201904-19 by GLSA coordinator Aaron Bauman (b-man).
re-opened for cleanup
cleanup done