Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 937955 (CVE-2024-23184, CVE-2024-23185)

Summary: <net-mail/dovecot-2.3.21.1 vulnerabilities in header parsing
Product: Gentoo Security Reporter: Eray Aslan <eras>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: eras
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 937959    
Bug Blocks:    

Description Eray Aslan gentoo-dev 2024-08-15 07:23:28 UTC 
Hi all,

we are releasing a CVE patch release 2.3.21.1.

https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

Kind regards,
Aki Tuomi
Open-Xchange oy

---

- CVE-2024-23184: A large number of address headers in email resulted
  in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or
  discarded, with a limit of 10MB on a single header and 50MB for all
  the headers of all the parts of an email.
- oauth2: Dovecot would send client_id and client_secret as POST parameters
  to introspection server. These need to be optionally in Basic auth
  instead as required by OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as
  required by OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
  protocol specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing
  from token, but was configured on Dovecot.
Comment 1 Eray Aslan gentoo-dev 2024-08-15 07:26:04 UTC 
Affected product: Dovecot IMAP Server
Internal reference: DOV-6464
Vulnerability type: CWE-770 (Allocation of Resources Without Limits or Throttling)
Vulnerable version: 2.2, 2.3
Vulnerable component: lib-mail
Report confidence: Confirmed
Solution status: Fixed in 2.3.21.1
Researcher credits: Vendor internal discovery
Vendor notification: 2024-01-30
CVE reference: CVE-2024-23184
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N)

Vulnerability Details:
Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in
+a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this
+is a security issue.

The main problem is that each header line's address is added to the end of a linked list. This is done by walking the whole linked list, which becomes more
+inefficient the more addresses there are.

Workaround:
One can implement restrictions on address headers on MTA component preceding Dovecot.

Fix:
Install non-vulnerable version of Dovecot. Patch can be found at https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
Comment 2 Larry the Git Cow gentoo-dev 2024-08-15 07:32:23 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6d4eda4ca6fc9911ab4928c138e85b526f803d1

commit a6d4eda4ca6fc9911ab4928c138e85b526f803d1
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2024-08-15 07:31:19 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2024-08-15 07:31:19 +0000

    net-mail/dovecot: add 2.3.21.1
    
    Bug: https://bugs.gentoo.org/937955
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                |   2 +
 net-mail/dovecot/dovecot-2.3.21.1.ebuild | 302 +++++++++++++++++++++++++++++++
 2 files changed, 304 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2024-08-17 04:51:58 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=435ad104b9a7e9cbf65b0cab5617336bb0e87244

commit 435ad104b9a7e9cbf65b0cab5617336bb0e87244
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2024-08-17 04:50:51 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2024-08-17 04:51:49 +0000

    net-mail/dovecot: drop versions
    
    Bug: https://bugs.gentoo.org/937955
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                 |   4 -
 net-mail/dovecot/dovecot-2.3.20-r1.ebuild | 302 ------------------------------
 net-mail/dovecot/dovecot-2.3.20-r2.ebuild | 302 ------------------------------
 net-mail/dovecot/dovecot-2.3.20-r3.ebuild | 302 ------------------------------
 net-mail/dovecot/dovecot-2.3.21-r1.ebuild | 302 ------------------------------
 net-mail/dovecot/dovecot-2.3.21.ebuild    | 302 ------------------------------
 6 files changed, 1514 deletions(-)