Bug 723786 (CVE-2020-10957, CVE-2020-10958, CVE-2020-10967) - <net-mail/dovecot- Multiple vulnerabilities (CVE-2020-{10957,10958,10967})
Alias: CVE-2020-10957, CVE-2020-10958, CVE-2020-10967
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: 727244 CVE-2020-12100, CVE-2020-12673, CVE-2020-12674
Reported: 2020-05-18 15:54 UTC by Hanno Böck
Modified: 2021-01-21 18:01 UTC
Description Hanno Böck gentoo-dev 2020-05-18 15:54:45 UTC

Multiple issues allow crashing daemons or cause memory corruption.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-18 18:03:25 UTC
@maintainer(s), please bump to
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-18 18:03:43 UTC
- CVE-2020-10957: lmtp/submission: A client can crash the server by
 sending a NOOP command with an invalid string parameter. This occurs
 particularly for a parameter that doesn't start with a double quote.
 This applies to all SMTP services, including submission-login, which
 makes it possible to crash the submission service without
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown
 commands can cause the server to access freed memory, which can lead
 to a server crash. This happens when the server closes the connection
 with a "421 Too many invalid commands" error. The bad command limit
 depends on the service (lmtp or submission) and varies between 10 and
 20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
 address that has the empty quoted string as local-part causes the
 lmtp service to crash.
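
As an added example (not from the bug report or the Dovecot project), the three triggers described in comment 2 can be expressed as a detection pass over a transcript of client commands, for instance one reconstructed from a packet capture or a logging proxy. The `(session, command)` transcript format, the known-verb list and the threshold of 10 are assumptions made for this sketch.

```python
import re
from collections import Counter

# Verbs treated as known; anything else counts as a bad command (assumed list).
KNOWN = {"HELO", "EHLO", "LHLO", "MAIL", "RCPT", "DATA", "BDAT", "RSET",
         "NOOP", "QUIT", "VRFY", "STARTTLS", "AUTH", "XCLIENT"}
BAD_CMD_THRESHOLD = 10  # lower bound of the 10-20 range quoted in the bug
EMPTY_LOCAL_PART = re.compile(r'^RCPT\s+TO:\s*<?""@', re.IGNORECASE)


def scan(transcript):
    """Return sorted (session, cve) findings for (session, command) pairs."""
    findings = set()
    bad = Counter()  # per-session count of unknown verbs (a simplification)
    for session, line in transcript:
        line = line.strip()
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb not in KNOWN:
            bad[session] += 1
            if bad[session] >= BAD_CMD_THRESHOLD:
                findings.add((session, "CVE-2020-10958"))
        elif verb == "NOOP" and arg and not arg.startswith('"'):
            # Heuristic from the advisory wording: parameter is not quoted.
            findings.add((session, "CVE-2020-10957"))
        elif verb == "RCPT" and EMPTY_LOCAL_PART.match(line):
            findings.add((session, "CVE-2020-10967"))
    return sorted(findings)


# Constructed sample transcript, not captured traffic.
SAMPLE = (
    [("s1", "EHLO client.example"), ("s1", "NOOP"), ("s1", 'NOOP "ping"'),
     ("s1", "MAIL FROM:<a@example.org>"), ("s1", "RCPT TO:<b@example.org>")]
    + [("s2", "NOOP ping")]
    + [("s3", 'RCPT TO:<""@example.org>')]
    + [("s4", f"BOGUS{i}") for i in range(10)]
    + [("s5", "FOO"), ("s5", "QUIT")]
)

if __name__ == "__main__":
    for session, cve in scan(SAMPLE):
        print(session, cve)
```

Sessions `s1` and `s5` are benign controls: a bare or quoted NOOP, an ordinary recipient and a single unknown command produce no finding.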
Comment 3 Larry the Git Cow gentoo-dev 2020-05-20 08:07:23 UTC
The bug has been referenced in the following commit(s):

commit abe60da18906a3343a6f5cea4f653d129fbc7ff1
Author:     Eray Aslan <>
AuthorDate: 2020-05-20 08:05:38 +0000
Commit:     Eray Aslan <>
CommitDate: 2020-05-20 08:06:36 +0000

    net-mail/dovecot: security bump to
    and fix automagic dependency on libunwind
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Eray Aslan <>

 net-mail/dovecot/Manifest                |   1 +
 net-mail/dovecot/dovecot- | 288 +++++++++++++++++++++++++++++++
 2 files changed, 289 insertions(+)
Comment 4 Eray Aslan gentoo-dev 2020-05-20 08:12:47 UTC
Arches, please test and mark stable

Target Keywords = ~alpha amd64 arm hppa ~ia64 ~mips ppc ppc64 s390 ~sparc x86
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-20 12:53:25 UTC
(In reply to Eray Aslan from comment #4)
> Arches, please test and mark stable

Comment 6 Agostino Sarubbo gentoo-dev 2020-05-21 07:56:32 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-05-21 07:59:24 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-05-21 08:01:15 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-05-21 08:09:37 UTC
x86 stable
Comment 10 Rolf Eike Beer archtester 2020-05-26 17:42:34 UTC
~hppa is ok
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-06 00:57:34 UTC
GLSA Vote: No
Comment 17 NATTkA bot gentoo-dev 2020-12-21 14:25:09 UTC
Unable to check for sanity:

> no match for package: =net-mail/dovecot-
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-21 18:01:24 UTC
Cleanup done so all done here, but still depending on an open test failure..