Bug 684822 (CVE-2019-11494, CVE-2019-11499)

Summary: <net-mail/dovecot-2.3.6 - Submission-login crashes (with signal 11 due to null pointer access when authentication is aborted by disconnecting|when authentication is started over TLS secured channel and invalid authentication message is sent)
Product: Gentoo Security
Reporter: Jeroen Roovers <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: eras, hydrapolic
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
net-mail/dovecot-2.3.6
Runtime testing required: ---

Description Jeroen Roovers gentoo-dev 2019-04-30 16:54:01 UTC
https://dovecot.org/list/dovecot-news/2019-April/000409.html
CVE-2019-11494: Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting

https://dovecot.org/list/dovecot-news/2019-April/000410.html
CVE-2019-11499: Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent
Comment 1 Hank Leininger 2019-05-01 05:11:06 UTC
FWIW, bumping the current ebuild to 2.3.6 worked here (amd64) with no modifications.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-05-01 07:57:40 UTC
(In reply to Jeroen Roovers from comment #0)
> https://dovecot.org/list/dovecot-news/2019-April/000409.html
> CVE-2019-11494: Submission-login crashes with signal 11 due to null pointer
> access when authentication is aborted by disconnecting
> 
> https://dovecot.org/list/dovecot-news/2019-April/000410.html
> CVE-2019-11499: Submission-login crashes when authentication is started over
> TLS secured channel and invalid authentication message is sent

2.3.6 is not in tree yet. Please do not add the version information to the summary until it is.
Comment 3 Larry the Git Cow gentoo-dev 2019-05-04 05:45:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7323d59995cb41a4bf537beb3d80671048752330

commit 7323d59995cb41a4bf537beb3d80671048752330
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2019-05-04 05:45:20 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2019-05-04 05:45:20 +0000

    net-mail/dovecot: security bump to 2.3.6
    
    Bug: https://bugs.gentoo.org/684822
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest             |   2 +
 net-mail/dovecot/dovecot-2.3.6.ebuild | 294 ++++++++++++++++++++++++++++++++++
 2 files changed, 296 insertions(+)
Comment 4 Eray Aslan gentoo-dev 2019-05-04 05:49:09 UTC
Arches, please test and mark stable
=net-mail/dovecot-2.3.5.2

TARGET KEYWORDS=alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 ~sparc x86

Thank you
Comment 5 Agostino Sarubbo gentoo-dev 2019-05-04 12:57:25 UTC
amd64 stable
Comment 6 Rolf Eike Beer 2019-05-07 16:04:17 UTC
hppa stable
Comment 7 Larry the Git Cow gentoo-dev 2019-05-07 20:14:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3414d51126bd2e28f385d8cdd2e801b40f0a551e

commit 3414d51126bd2e28f385d8cdd2e801b40f0a551e
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-05-07 20:13:21 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-05-07 20:13:32 +0000

    net-mail/dovecot-2.3.6-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/684822
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 net-mail/dovecot/dovecot-2.3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 8 Markus Meier gentoo-dev 2019-05-09 04:45:26 UTC
arm stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2019-05-10 13:03:26 UTC
x86 stable
Comment 10 Sergei Trofimovich gentoo-dev 2019-05-12 22:07:58 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-04 14:37:07 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-06-04 18:54:31 UTC
s390 stable.

Maintainer(s), please cleanup.
Comment 13 Agostino Sarubbo gentoo-dev 2019-06-05 07:13:16 UTC
ppc stable.

Maintainer(s), please cleanup.
Comment 14 Eray Aslan gentoo-dev 2019-08-08 05:53:56 UTC
cleanup done.  dovecot-2.2.36.3 is not vulnerable btw.  thank you