Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 692572 (CVE-2019-11500)

Summary: <net-mail/dovecot-{2.2.36.4,2.3.7.2}: improper NUL byte handling in IMAP and ManageSieve protocol parsers (CVE-2019-11500)
Product: Gentoo Security Reporter: Thomas Deutschmann <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: eras, hanno, toto
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://dovecot.org/pipermail/dovecot-news/2019-August/000418.html
Whiteboard: B2 [glsa cve]
Package list:
net-mail/dovecot-2.3.7.2
Runtime testing required: ---

Description Thomas Deutschmann gentoo-dev Security 2019-08-19 20:23:52 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-08-28 19:08:12 UTC
Open-Xchange Security Advisory 2019-08-14
 
Product: Dovecot
Vendor: OX Software GmbH
 
Internal reference: DOV-3278
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: All versions prior to 2.3.7.2 and 2.2.36.4
Vulnerable component: IMAP and ManageSieve protocol parsers (before and
after login)
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.7.2, 2.2.36.4
Researcher credits: Nick Roessler and Rafi Rubin, University of Pennsylvania
Vendor notification: 2019-04-13
Solution date: 2019-06-05
Public disclosure: 2019-08-28
CVE reference: CVE-2019-11500
CVSS: 8.1 (CVSS3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
 
Vulnerability Details:

IMAP and ManageSieve protocol parsers do not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes.

Risk:

This vulnerability allows for out-of-bounds writes to objects stored on
the heap up to 8096 bytes in pre-login phase, and 65536 bytes post-login
phase, allowing sufficiently skilled attacker to perform complicated
attacks that can lead to leaking private information or remote code
execution. Abuse of this bug is very difficult to observe, as it does
not necessarily cause a crash. Attempts to abuse this bug are not
directly evident from logs.

Steps to reproduce:

This bug is best observed using valgrind to see the out of bounds read
with following snippet:

perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\"
\"\000".("x"x1020)."\\A\")\n"' | nc localhost 143


Solution:

Operators should update to the latest Patch Release. There is no
workaround for the issue.
Comment 2 Thomas Deutschmann gentoo-dev Security 2019-08-28 19:08:20 UTC
*** Bug 693020 has been marked as a duplicate of this bug. ***
Comment 3 Larry the Git Cow gentoo-dev 2019-08-28 20:12:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2be94433e1423e60edca085c9a5cb250106125f7

commit 2be94433e1423e60edca085c9a5cb250106125f7
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-08-28 20:09:39 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-08-28 20:12:09 +0000

    net-mail/dovecot: bump to v2.3.7.2
    
    Bug: https://bugs.gentoo.org/692572
    Package-Manager: Portage-2.3.72, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-mail/dovecot/Manifest               |   2 +
 net-mail/dovecot/dovecot-2.3.7.2.ebuild | 291 ++++++++++++++++++++++++++++++++
 2 files changed, 293 insertions(+)
Comment 4 Thomas Deutschmann gentoo-dev Security 2019-08-28 20:13:33 UTC
@ maintainer(s): Can we already stabilize =net-mail/dovecot-2.3.7.2?
Comment 5 Thomas Deutschmann gentoo-dev Security 2019-08-28 22:28:34 UTC
@ Arches,

please test and mark stable: =net-mail/dovecot-2.3.7.2
Comment 6 Stabilization helper bot gentoo-dev 2019-08-28 23:00:30 UTC
An automated check of this bug failed - repoman reported dependency errors (33 lines truncated): 

> dependency.bad net-mail/dovecot/dovecot-2.3.7.2.ebuild: DEPEND: arm64(default/linux/arm64/17.0) ['net-mail/vpopmail']
> dependency.bad net-mail/dovecot/dovecot-2.3.7.2.ebuild: RDEPEND: arm64(default/linux/arm64/17.0) ['net-mail/vpopmail']
> dependency.bad net-mail/dovecot/dovecot-2.3.7.2.ebuild: DEPEND: arm64(default/linux/arm64/17.0) ['net-mail/vpopmail']
Comment 7 Thomas Deutschmann gentoo-dev Security 2019-08-28 23:24:09 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-08-30 07:58:15 UTC
amd64 stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2019-08-31 14:38:34 UTC
New GLSA request filed.
Comment 10 Sergei Trofimovich gentoo-dev 2019-08-31 18:37:02 UTC
ppc/ppc64 stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2019-08-31 21:17:10 UTC
This issue was resolved and addressed in
 GLSA 201908-29 at https://security.gentoo.org/glsa/201908-29
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann gentoo-dev Security 2019-08-31 21:17:56 UTC
Re-opening for remaining architectures.
Comment 13 Rolf Eike Beer 2019-09-01 09:57:35 UTC
hppa stable
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-01 18:22:12 UTC
arm stable
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-01 18:22:39 UTC
alpha stable
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-01 18:23:01 UTC
s390 stable
Comment 17 Agostino Sarubbo gentoo-dev 2019-09-13 12:04:48 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 18 Eray Aslan gentoo-dev 2019-09-16 05:24:47 UTC
cleanup done
Comment 19 Thomas Deutschmann gentoo-dev Security 2019-09-16 16:49:31 UTC
Repository is clean, all done.