Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 702628 (CVE-2019-19722) - ~net-mail/dovecot-2.3.9.2: null pointer dereference with push notifications (CVE-2019-19722)
Summary: ~net-mail/dovecot-2.3.9.2: null pointer dereference with push notifications (...
Status: RESOLVED FIXED
Alias: CVE-2019-19722
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://dovecot.org/pipermail/dovecot...
Whiteboard: ~3 [noglsa]
Keywords:
: 702668 (view as bug list)
Depends on:
Blocks:
 
Reported: 2019-12-12 23:18 UTC by Thomas Deutschmann (RETIRED)
Modified: 2020-03-25 15:09 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-12 23:18:25 UTC
Vulnerability Details:
Mail with group address as sender will cause a signal 11 crash in push
notification drivers. Group address as recipient can cause crash in some
drivers.
 
Risk:
Repeated delivery attempts are made for the problematic mail, causing
queueing in MTA.

Fix:
https://github.com/dovecot/core/compare/393a8cabf4dad893bf2ec60bf96cfde7a0c58432%5E..1307766b6f5d97341a47376657d342bcefd10f1b.patch

Upstream will release 2.3.9.1 on Friday 13th of December after 10:00 UTC.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-13 12:34:45 UTC
Note: This doesn't affect any stable dovecot version in Gentoo.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-13 12:37:17 UTC
*** Bug 702668 has been marked as a duplicate of this bug. ***
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-13 14:27:04 UTC
Due to bug in the fix, we had to release 2.3.9.2 which completes the fix for this CVE.

---
Aki Tuomi
Open-Xchange oy
Comment 4 Larry the Git Cow gentoo-dev 2019-12-15 07:33:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab3881879555ecacd65c6c46f0437d4c5a7a66c8

commit ab3881879555ecacd65c6c46f0437d4c5a7a66c8
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2019-12-15 07:32:30 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2019-12-15 07:32:30 +0000

    net-mail/dovecot: security bump to 2.3.9.2
    
    Bug: https://bugs.gentoo.org/702628
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest               |   1 +
 net-mail/dovecot/dovecot-2.3.9.2.ebuild | 286 ++++++++++++++++++++++++++++++++
 2 files changed, 287 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-25 01:59:09 UTC
@maintainer(s), please advise if ready for stabilisation, or call for it yourself.
Comment 6 Eray Aslan gentoo-dev 2020-03-25 09:31:34 UTC
Uhm, no stable build was affected and no vulnerable version remains in the tree.  So I was just going to open a regular stabilization bug beg April and not on this bug.

Let me know if this is not how it supposed to work.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-25 13:51:57 UTC
(In reply to Eray Aslan from comment #6)
> Uhm, no stable build was affected and no vulnerable version remains in the
> tree.  So I was just going to open a regular stabilization bug beg April and
> not on this bug.
> 
> Let me know if this is not how it supposed to work.

You are right, my apologies!
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 15:09:06 UTC
Repository is clean, all done!