
Bug 723786 (CVE-2020-10957, CVE-2020-10958, CVE-2020-10967)

Summary: <net-mail/dovecot-2.3.10.1: Multiple vulnerabilities (CVE-2020-{10957,10958,10967})
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: anders.gentoo, eras, hydrapolic
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2020/05/18/1
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 727244, 736617    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2020-05-18 15:54:45 UTC
See
https://www.openwall.com/lists/oss-security/2020/05/18/1

Multiple issues allow crashing daemons or cause memory corruption.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-18 18:03:25 UTC
@maintainer(s), please bump to 2.3.10.1.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-18 18:03:43 UTC
- CVE-2020-10957: lmtp/submission: A client can crash the server by sending a NOOP command with an invalid string parameter. This occurs particularly for a parameter that doesn't start with a double quote. This applies to all SMTP services, including submission-login, which makes it possible to crash the submission service without authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown commands can cause the server to access freed memory, which can lead to a server crash. This happens when the server closes the connection with a "421 Too many invalid commands" error. The bad command limit depends on the service (lmtp or submission) and varies between 10 to 20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash.
Comment 3 Larry the Git Cow gentoo-dev 2020-05-20 08:07:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abe60da18906a3343a6f5cea4f653d129fbc7ff1

commit abe60da18906a3343a6f5cea4f653d129fbc7ff1
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-05-20 08:05:38 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-05-20 08:06:36 +0000

    net-mail/dovecot: security bump to 2.3.10.1
    
    and fix automagic dependency on libunwind
    Bug: https://bugs.gentoo.org/723786
    Closes: https://bugs.gentoo.org/715488
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                |   1 +
 net-mail/dovecot/dovecot-2.3.10.1.ebuild | 288 +++++++++++++++++++++++++++++++
 2 files changed, 289 insertions(+)
Comment 4 Eray Aslan gentoo-dev 2020-05-20 08:12:47 UTC
Arches, please test and mark stable
=net-mail/dovecot-2.3.10.1

Target Keywords = ~alpha amd64 arm hppa ~ia64 ~mips ppc ppc64 s390 ~sparc x86
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-20 12:53:25 UTC
(In reply to Eray Aslan from comment #4)
> Arches, please test and mark stable

Thanks!
Comment 6 Agostino Sarubbo gentoo-dev 2020-05-21 07:56:32 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-05-21 07:59:24 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-05-21 08:01:15 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-05-21 08:09:37 UTC
x86 stable
Comment 10 Rolf Eike Beer archtester 2020-05-26 17:42:34 UTC
~hppa is ok
Comment 11 NATTkA bot gentoo-dev 2020-08-31 23:09:06 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2020-09-01 06:30:58 UTC Comment hidden (obsolete)
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-06 00:57:34 UTC
GLSA Vote: No
Comment 14 NATTkA bot gentoo-dev 2020-12-13 03:43:32 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2020-12-13 03:45:12 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2020-12-14 01:25:15 UTC Comment hidden (obsolete)
Comment 17 NATTkA bot gentoo-dev 2020-12-21 14:25:09 UTC
Unable to check for sanity:

> no match for package: =net-mail/dovecot-2.3.10.1
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-21 18:01:24 UTC
Cleanup done, so all done here, but still depending on an open test failure.