Bug 644214 (CVE-2017-15132) - <net-mail/dovecot-{2.2.33.2-r1,2.3.0-r2}: auth client leaks memory if SASL authentication is aborted (CVE-2017-15132)
Status: RESOLVED FIXED
Alias: CVE-2017-15132
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low minor
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2018/q1/100
Whiteboard: B4 [noglsa cve]
Reported: 2018-01-11 17:12 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-12-01 00:34 UTC
Package list:
=net-mail/dovecot-2.2.33.2-r2 =app-text/libexttextcat-3.4.5 ia64
Runtime testing required: ---
stable-bot: sanity-check+
Description Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-11 17:12:28 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-25 15:07:36 UTC
Score: 5.3, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected versions: 2.0 up to 2.2.33 and 2.3.0
Fixed versions: 2.2.34 (not released yet), 2.3.1 (not released yet)

We have identified a memory leak in Dovecot auth client used by login
processes. The leak has impact in high performance configuration where
same login processes are reused and can cause the process to crash due to memory exhaustion.

Patch to apply this issue can be found from https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch

To our best knowledge, this patch should apply to all versions.

This issue can be mitigated on vulnerable systems by limiting login process to single request per process, which is also the default value.
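
The mitigation above can be checked against a running configuration. The following is an added example, not part of the advisory or of Dovecot's code: it parses `doveconf -n`-style text and lists login services that reuse processes. The setting name `service_count` is not given in the advisory; it is assumed here from Dovecot 2.x configuration, and the sample config is constructed.

```python
import re

# Constructed sample in `doveconf -n` style (not from the bug report).
SAMPLE_CONF = """\
service imap-login {
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 4
  service_count = 0
}
service pop3-login {
  service_count = 1
}
service managesieve-login {
  process_min_avail = 1
}
service auth {
  service_count = 0
}
"""

# Assumption: the per-process request limit is `service_count` in a service block.
LOGIN_BLOCK = re.compile(r"service\s+(\S+-login)")
COUNT_LINE = re.compile(r"service_count\s*=\s*(\d+)")

def login_service_counts(conf_text):
    """Map each login service to its service_count (None = unset, i.e. default)."""
    counts, stack = {}, []  # stack holds headers of the currently open blocks
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            svc = LOGIN_BLOCK.fullmatch(stack[0]) if len(stack) == 1 else None
            if svc:
                counts.setdefault(svc.group(1), None)
        elif line == "}":
            if stack:
                stack.pop()
        elif len(stack) == 1:  # only settings directly inside a service block
            svc, val = LOGIN_BLOCK.fullmatch(stack[0]), COUNT_LINE.fullmatch(line)
            if svc and val:
                counts[svc.group(1)] = int(val.group(1))
    return counts

def reused_login_services(conf_text):
    """Login services whose processes serve more than one connection."""
    counts = login_service_counts(conf_text)
    return sorted(name for name, n in counts.items() if n not in (None, 1))
```

A non-empty result from `reused_login_services` on an affected version means the login processes named are the ones exposed to the leak until the patched ebuild is installed.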
Comment 2 Larry the Git Cow gentoo-dev 2018-01-25 15:20:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77ef1e767f97fa8377c4e2467082bacbb303d333

commit 77ef1e767f97fa8377c4e2467082bacbb303d333
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-25 15:19:25 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-25 15:19:40 +0000

    net-mail/dovecot: bump, fixes CVE-2017-15132
    
    Bug: https://bugs.gentoo.org/644214
    Package-Manager: Portage-2.3.20, Repoman-2.3.6
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 net-mail/dovecot/dovecot-2.2.33.2-r1.ebuild        | 291 +++++++++++++++++++++
 net-mail/dovecot/dovecot-2.3.0-r2.ebuild           | 286 ++++++++++++++++++++
 .../files/dovecot-2.2.33.2-CVE-2017-15132.patch    |  14 +
 3 files changed, 591 insertions(+)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-25 15:22:32 UTC
@ Arches,

please test and mark stable: =net-mail/dovecot-2.2.33.2-r1
Comment 4 Stabilization helper bot gentoo-dev 2018-01-25 16:01:11 UTC
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated): 

> dependency.bad net-mail/dovecot/dovecot-2.2.33.2-r1.ebuild: DEPEND: ia64(default/linux/ia64/17.0) ['app-text/libexttextcat']
> dependency.bad net-mail/dovecot/dovecot-2.2.33.2-r1.ebuild: RDEPEND: ia64(default/linux/ia64/17.0) ['app-text/libexttextcat']
> dependency.bad net-mail/dovecot/dovecot-2.2.33.2-r1.ebuild: DEPEND: ia64(default/linux/ia64/17.0/desktop) ['app-text/libexttextcat']
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-25 16:22:09 UTC
@ IA64 AT:

Either stabilize =app-text/libexttextcat-3.4.5 or set package.use.mask for "textcat" USE flag.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 18:21:48 UTC
x86 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-28 12:48:34 UTC
ia64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-28 13:38:49 UTC
amd64 stable
Comment 9 Larry the Git Cow gentoo-dev 2018-02-01 01:18:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3acd4d22b48eca30b27ce4694e4ae1de51fba40

commit e3acd4d22b48eca30b27ce4694e4ae1de51fba40
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-02-01 01:18:17 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-02-01 01:18:17 +0000

    net-mail/dovecot: bump, fixup for problem caused by patch for CVE-2017-15132
    
    Dovecot login process would crash after few minutes of idle after
    consecutive aborted logins when patch for CVE-2017-15132 was applied.
    
    Bug: https://bugs.gentoo.org/644214
    Package-Manager: Portage-2.3.21, Repoman-2.3.6

 net-mail/dovecot/dovecot-2.2.33.2-r2.ebuild        | 292 +++++++++++++++++++++
 net-mail/dovecot/dovecot-2.3.0-r3.ebuild           | 289 ++++++++++++++++++++
 .../dovecot-2.2.33.2-CVE-2017-15132-fixup.patch    |  37 +++
 3 files changed, 618 insertions(+)
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-01 01:20:26 UTC
Restarting stabilization with =net-mail/dovecot-2.2.33.2-r2.

See http://seclists.org/oss-sec/2018/q1/119.
Comment 11 Agostino Sarubbo gentoo-dev 2018-02-01 14:20:21 UTC
amd64 stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-01 20:38:03 UTC
x86 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-04 22:03:06 UTC
ia64 stable
Comment 14 Markus Meier gentoo-dev 2018-02-05 21:23:46 UTC
arm stable
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-01 19:15:30 UTC
Superseded by bug 648894.
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2018-12-01 00:34:23 UTC
cleanup will happen in bug #648894