Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 314533 (CVE-2010-0745)

Summary: <net-mail/dovecot-1.2.11: CPU exhaustion DoS through large header (CVE-2010-0745)
Product: Gentoo Security Reporter: Tomás Touceda (RETIRED) <chiiph>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: bugs+gentoo, eras, net-mail+disabled, patrick
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.dovecot.org/list/dovecot-news/2010-March/000152.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 313787    
Bug Blocks: 286844, 293954    

Description Tomás Touceda (RETIRED) gentoo-dev 2010-04-10 15:31:05 UTC 
This problem is only present with versions 1.2.x and it's fixed in 1.2.11:

- mbox: Message header reading was unnecessarily slow. Fetching a
  huge header could have resulted in Dovecot eating a lot of CPU.
  Also searching messages was much slower than necessary.
- mbox, dbox, cydir: Mail root directory was created with 0770
  permissions, instead of 0700.
- maildir: Reading uidlist could have ended up in an infinite loop.
- IMAP IDLE: v1.2.7+ caused extra load by checking changes every
  0.5 seconds after a change had occurred in mailbox

Is it ok for version 1.2.11 to go stable?
Comment 1 Eray Aslan gentoo-dev 2010-04-10 17:16:20 UTC 
dovecot-1.2.11-r1 is ready for stable.

Only concern is it was committed to the tree on April 7th and this is a minor issue.

Advice is welcome on gentoo policy whether this warrents foregoing "30 days before stabilization".  Patrick?
Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-04-14 04:50:14 UTC 
(In reply to comment #1)

> Advice is welcome on gentoo policy whether this warrents foregoing "30 days
> before stabilization".  Patrick?

Eray, security issues should not wait. I see there is also bug 314103.
Comment 3 Eray Aslan gentoo-dev 2010-04-14 14:31:18 UTC 
Fair enough.

Arches, please test and mark stable:
=net-mail/dovecot-1.2.11-r1
Target keywords : "alpha amd64 sparc x86"
Comment 4 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-04-14 14:41:34 UTC 
*** Bug 314103 has been marked as a duplicate of this bug. ***
Comment 5 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-04-14 15:00:15 UTC 
x86 team: Stable host, upgraded to 1.2.11-r1 with no issues in my mail setup.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2010-04-14 17:03:31 UTC 
stable x86, thanks Jeremy, interested in a position as x86 AT? :)
Comment 7 Benjamin Börngen-Schmidt 2010-04-16 12:00:07 UTC 
No problems so far on an amd64 platform
Comment 8 Markus Meier gentoo-dev 2010-04-18 11:57:39 UTC 
amd64 stable
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-05-03 09:45:03 UTC 
*ping* sparc
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2010-05-07 18:21:41 UTC 
alpha/sparc stable
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-05-22 11:05:37 UTC 
All arches done. Vote required, I vote NO.
Comment 12 Dustin Polke 2010-06-06 08:56:01 UTC 
arm has keyworded dovecot-1.2.11-r1 as well. Please stabilize too. Thanks.
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-06 09:04:39 UTC 
(In reply to comment #12)
> arm has keyworded dovecot-1.2.11-r1 as well. Please stabilize too. Thanks.
> 

The package was never stable, NACK.
Comment 14 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-07-14 16:03:37 UTC 
What is happening with ppc? They are still stuck at 1.1.19
Comment 15 Joe Jezak (RETIRED) gentoo-dev 2010-07-18 20:46:32 UTC 
I've marked the ppc builds ~ppc. In a few days, I'll mark the requested ebuild ppc stable, quickly due to the security issue. Sorry for the delay.
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:44:42 UTC 
*ping*
Comment 17 Joe Jezak (RETIRED) gentoo-dev 2010-08-11 21:33:22 UTC 
Sorry, I forgot about this. Marked ppc stable.
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:56:51 UTC 
I vote YES though.
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2010-11-18 20:38:14 UTC 
GLSA Vote: Yes, with 286844.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2011-10-10 20:25:15 UTC 
This issue was resolved and addressed in
 GLSA 201110-04 at http://security.gentoo.org/glsa/glsa-201110-04.xml
by GLSA coordinator Stefan Behte (craig).