Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 547872 (CVE-2015-3420)

Summary: <net-mail/dovecot-2.2.16-r1: remote DoS on TLS connections (CVE-2015-3420)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: eras, hanno, net-mail+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2015/04/26/3
Whiteboard: B3 [noglsa/cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-04-27 07:06:33 UTC
From ${URL} :

The current Dovecot (2.2.16) imap/pop3 server has an issue that
handshake failures will lead to a crash of the login process.

An example where this is triggered is if the server is configured to
not allow SSLv3 connections and a client tries to connect with SSLv3
only.

The reason is that the error handling routine will try to finish the
handshake and that will crash. Details here:
http://dovecot.org/pipermail/dovecot/2015-April/100618.html

I had created a patch, one of the dovecot devs created a more thorough
patch that will probably catch more error states properly:
http://dovecot.org/tmp/diff
(url likely not stable)
Nothing is applied yet I think.

I think this deserves a CVE.


There is a related issue in openssl: It will crash instead of throwing
an error if one tries to use a connection context that already failed.
One could argue that this is not an openssl issue, because apps need to
properly check errors. Matt Caswell has created a patch to let openssl
handle these situations more gracefully:
https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Hanno Böck gentoo-dev 2015-04-28 09:41:21 UTC
Here's the commit:
http://hg.dovecot.org/dovecot-2.2/rev/86f535375750
Comment 2 Eray Aslan gentoo-dev 2015-04-28 19:49:08 UTC
+*dovecot-2.2.16-r1 (28 Apr 2015)
+
+  28 Apr 2015; Eray Aslan <eras@gentoo.org> +dovecot-2.2.16-r1.ebuild,
+  +files/CVE-2015-3420.patch:
+  Security bump - bug #547872
+

Arches, please test and mark stable =net-mail/dovecot-2.2.16-r1.  Thank you.

Target keywords = alpha amd64 arm hppa ia64 ppc ppc64 x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-29 06:05:10 UTC
Stable for HPPA PPC64.
Comment 4 Agostino Sarubbo gentoo-dev 2015-04-30 10:56:58 UTC
amd64 stable
Comment 5 Jack Morgan (RETIRED) gentoo-dev 2015-05-13 05:19:09 UTC
ia64 stable
Comment 6 Pacho Ramos gentoo-dev 2015-05-15 10:59:57 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-05-19 07:26:06 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-05-27 13:01:51 UTC
arm stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-28 16:02:42 UTC
alpha stable
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-06-30 18:55:02 UTC
Arches, Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).

Security Please Vote.
GLSA Vote: No
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-07-06 12:54:58 UTC
CVE-2015-3420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3420):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
  
  ** TEMPORARY **
  Dovecot (2.2.16) imap/pop3 server has an issue that handshake failures will
  lead to a crash of the login process.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-07-06 12:56:13 UTC
Please cleanup net-mail/dovecot-2.2.9
Comment 13 Eray Aslan gentoo-dev 2015-07-07 04:58:49 UTC
(In reply to Yury German from comment #12)
> Please cleanup net-mail/dovecot-2.2.9

will do once bug #501600 is resolved
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-16 14:45:25 UTC
GLSA Vote: Yes
Comment 15 Sergey Popov gentoo-dev 2015-07-16 14:55:59 UTC
GLSA vote: No
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 20:39:54 UTC
Maintainer(s), Thank you for you for cleanup.

Thank you all. Closing as noglsa.