Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 615264 (CVE-2017-2669) - <net-mail/dovecot-2.2.29.1: DoS when passdb dict was used for authentication
Summary: <net-mail/dovecot-2.2.29.1: DoS when passdb dict was used for authentication
Status: RESOLVED FIXED
Alias: CVE-2017-2669
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2016-8652
Blocks:
  Show dependency tree
 
Reported: 2017-04-11 14:04 UTC by Agostino Sarubbo
Modified: 2017-07-16 01:32 UTC (History)
2 users (show)

See Also:
Package list:
=net-mail/dovecot-2.2.29.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-04-11 14:04:48 UTC
From ${URL} :

CVSS: 6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)
Vulnerable versions: 2.2.26 - 2.2.28
Fixed version(s): 2.2.29

Broken by a3783f8a3c9cd816b51e77a922f82301512fcf22
Fixed by 000030feb7a30f193197f1aab8a7b04a26b42735

Dovecot supports "dict" passdb and
userdb: https://wiki2.dovecot.org/AuthDatabase/Dict
When these were used for user authentication, the username sent by the
IMAP/POP3 client was sent through var_expand() to perform %variable
expansion. Sending specially crafted %variable fields could result in
excessive memory usage causing the process to crash (and restart), or
excessive CPU usage causing all authentications to hang.

Excessive memory usage could be done with e.g. %09999999999u as the
username. Because by default Dovecot limits the auth process's VSZ and
exits on any memory allocation failure, the auth process typically dies
afterwards and is immediately restarted. This may result in some user
authentications getting temporary internal failures.

Excessive CPU usage could be done with %{pkcs5;rounds=100000000:user}
variable introduced in v2.2.27.

Please use this
https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch
to fix this issue, it should be applicable to older versions too.
Please let us know if you need assistance in patching.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Eray Aslan gentoo-dev 2017-04-13 06:01:07 UTC
net-mail/dovecot-2.2.29.1 in the tree and good for stabilization.
Comment 2 Jeroen Roovers gentoo-dev 2017-04-15 08:54:43 UTC
Stable for HPPA.
Comment 3 Michael Weber (RETIRED) gentoo-dev 2017-04-17 23:57:07 UTC
arm stable.
Comment 4 Michael Weber (RETIRED) gentoo-dev 2017-04-18 06:40:45 UTC
ppc ppc64 stable
Comment 5 Tobias Klausmann gentoo-dev 2017-04-22 07:36:12 UTC
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2017-04-23 10:29:23 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-04-27 10:38:42 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2017-04-28 05:37:37 UTC
Maintainer(s), Thank you for your work.
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 9 Eray Aslan gentoo-dev 2017-05-04 07:34:34 UTC
Can't remove =net-mail/dovecot-2.2.19 without breaking the tree for ia64 mips sh and sparc (see bugs #564484 #601452 )

Rest punted from the tree.
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-07-16 01:32:29 UTC
=net-mail/dovecot-2.2.19 is only for ia64/sparc which are not security supported.  No other arches will be impacted with the ebuild being in place.