Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 644214 (CVE-2017-15132) - <net-mail/dovecot-{2.2.33.2-r1,2.3.0-r2}: auth client leaks memory if SASL authentication is aborted (CVE-2017-15132)
Summary: <net-mail/dovecot-{2.2.33.2-r1,2.3.0-r2}: auth client leaks memory if SASL au...
Status: RESOLVED FIXED
Alias: CVE-2017-15132
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Low minor
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2018/q1/100
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-11 17:12 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-12-01 00:34 UTC (History)
4 users (show)

See Also:
Package list:
=net-mail/dovecot-2.2.33.2-r2 =app-text/libexttextcat-3.4.5 ia64
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-11 17:12:28 UTC 
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-25 15:07:36 UTC 
Score: 5.3, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected versions: 2.0 up to 2.2.33 and 2.3.0
Fixed versions: 2.2.34 (not released yet), 2.3.1 (not released yet)

We have identified a memory leak in Dovecot auth client used by login
processes. The leak has impact in high performance configuration where
same login processes are reused and can cause the process to crash due to memory exhaustion.

Patch to apply this issue can be found from https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch

To our best knowledge, this patch should apply to all versions.

This issue can be mitigated on vulnerably systems by limiting login process to single request per process, which is also the default value.
Comment 2 Larry the Git Cow gentoo-dev 2018-01-25 15:20:26 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77ef1e767f97fa8377c4e2467082bacbb303d333

commit 77ef1e767f97fa8377c4e2467082bacbb303d333
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-25 15:19:25 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-25 15:19:40 +0000

    net-mail/dovecot: bump, fixes CVE-2017-15132
    
    Bug: https://bugs.gentoo.org/644214
    Package-Manager: Portage-2.3.20, Repoman-2.3.6
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 net-mail/dovecot/dovecot-2.2.33.2-r1.ebuild        | 291 +++++++++++++++++++++
 net-mail/dovecot/dovecot-2.3.0-r2.ebuild           | 286 ++++++++++++++++++++
 .../files/dovecot-2.2.33.2-CVE-2017-15132.patch    |  14 +
 3 files changed, 591 insertions(+)}
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-25 15:22:32 UTC 
@ Arches,

please test and mark stable: =net-mail/dovecot-2.2.33.2-r1
Comment 4 Stabilization helper bot gentoo-dev 2018-01-25 16:01:11 UTC 
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated): 

> dependency.bad net-mail/dovecot/dovecot-2.2.33.2-r1.ebuild: DEPEND: ia64(default/linux/ia64/17.0) ['app-text/libexttextcat']
> dependency.bad net-mail/dovecot/dovecot-2.2.33.2-r1.ebuild: RDEPEND: ia64(default/linux/ia64/17.0) ['app-text/libexttextcat']
> dependency.bad net-mail/dovecot/dovecot-2.2.33.2-r1.ebuild: DEPEND: ia64(default/linux/ia64/17.0/desktop) ['app-text/libexttextcat']
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-25 16:22:09 UTC 
@ IA64 AT:

Either stabilize =app-text/libexttextcat-3.4.5 or set package.use.mask for "textcat" USE flag.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 18:21:48 UTC 
x86 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-28 12:48:34 UTC 
ia64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-28 13:38:49 UTC 
amd64 stable
Comment 9 Larry the Git Cow gentoo-dev 2018-02-01 01:18:56 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3acd4d22b48eca30b27ce4694e4ae1de51fba40

commit e3acd4d22b48eca30b27ce4694e4ae1de51fba40
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-02-01 01:18:17 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-02-01 01:18:17 +0000

    net-mail/dovecot: bump, fixup for problem caused by patch for CVE-2017-15132
    
    Dovecot login process would crash after few minutes of idle after
    consecutive aborted logins when patch for CVE-2017-15132 was applied.
    
    Bug: https://bugs.gentoo.org/644214
    Package-Manager: Portage-2.3.21, Repoman-2.3.6

 net-mail/dovecot/dovecot-2.2.33.2-r2.ebuild        | 292 +++++++++++++++++++++
 net-mail/dovecot/dovecot-2.3.0-r3.ebuild           | 289 ++++++++++++++++++++
 .../dovecot-2.2.33.2-CVE-2017-15132-fixup.patch    |  37 +++
 3 files changed, 618 insertions(+)}
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-01 01:20:26 UTC 
Restarting stabilization with =net-mail/dovecot-2.2.33.2-r2.

See http://seclists.org/oss-sec/2018/q1/119.
Comment 11 Agostino Sarubbo gentoo-dev 2018-02-01 14:20:21 UTC 
amd64 stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-01 20:38:03 UTC 
x86 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-04 22:03:06 UTC 
ia64 stable
Comment 14 Markus Meier gentoo-dev 2018-02-05 21:23:46 UTC 
arm stable
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-01 19:15:30 UTC 
Superseded by bug 648894.
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2018-12-01 00:34:23 UTC 
cleanup will happen in bug #648894