CVE-2021-38370: In Alpine through 2.24, untagged responses from an IMAP server are accepted before STARTTLS. There's also an issue described on the NO STARTTLS website that says "Crash when LIST or LSUB send before STARTTLS". Both the status of this issue and the CVE are "Unknown (reported via email)".
The vulnerability described in this bug was also in the NO STARTTLS report.
Hm. I'm not sure this was ever addressed by upstream. There's another vulnerability in the NO STARTTLS report that doesn't have a CVE, too: "Crash when LIST or LSUB send before STARTTLS"
Just requested a CVE for the second issue and mailed upstream.
Upstream says both of these are fixed by:

commit e58edb33f71687cb0b12c10a6cea2db2f8a35011
Author: Eduardo Chappa <chappa@washington.edu>
Date:   Sun Aug 15 20:53:04 2021 -0600

    * The c-client library parses information from an IMAP server during
      non-authenticated state which could lead to denial of service.
      Reported by Damian Poddebniak from Münster University of Applied
      Sciences.

Which is in 2.25 and onwards, so we've been fixed for a while.
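The upstream commit message describes the defect class: the client parsed server data while still in the non-authenticated, plaintext state. The following is an added illustration of the hardened behaviour (ignore untagged responses until TLS is up, and refuse to carry buffered plaintext into the encrypted session). It is constructed example code, not Alpine or c-client source; the transcripts, the `a001` tag and the function names are assumptions.

```python
import re

# Tagged response: "<tag> OK|NO|BAD ..." (RFC 3501 syntax, simplified).
TAGGED_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]+) (?P<status>OK|NO|BAD)(?: |$)")


def plaintext_phase(lines, starttls_tag="a001"):
    """Model a client's handling of server lines received in plaintext,
    from the greeting up to the tagged reply for its STARTTLS command.

    Returns (decision, discarded): decision is 'upgrade' (begin the TLS
    handshake) or 'abort' (drop the connection); discarded lists the
    untagged lines that were ignored instead of being fed to the parser.
    """
    discarded = []
    if not lines:
        return "abort", discarded
    greeting, rest = lines[0], lines[1:]
    # Only a plain "* OK" greeting is acceptable before TLS. A PREAUTH
    # greeting would let the server skip authentication entirely.
    if not greeting.startswith("* OK"):
        return "abort", discarded
    for i, line in enumerate(rest):
        m = TAGGED_RE.match(line)
        if m is None:
            # Untagged or continuation data before TLS (LIST, LSUB,
            # CAPABILITY, ...) is recorded and dropped, never parsed.
            if line.startswith("* BYE"):
                return "abort", discarded
            discarded.append(line)
            continue
        if m.group("tag") != starttls_tag or m.group("status") != "OK":
            return "abort", discarded
        # Anything already buffered after the tagged OK arrived before the
        # handshake; it must not be interpreted inside the TLS session.
        if rest[i + 1:]:
            return "abort", discarded
        return "upgrade", discarded
    return "abort", discarded


# Constructed transcripts (server -> client lines), not real captures.
CLEAN_TRANSCRIPT = ["* OK IMAP4rev1 ready", "a001 OK Begin TLS negotiation now"]
INJECTED_TRANSCRIPT = [
    "* OK IMAP4rev1 ready",
    "* CAPABILITY IMAP4rev1 AUTH=PLAIN",
    '* LIST (\\Noselect) "/" ""',
    "a001 OK Begin TLS negotiation now",
]
TRAILING_TRANSCRIPT = ["* OK ready", "a001 OK Begin TLS", "* OK data after OK"]

if __name__ == "__main__":
    for name, t in (("clean", CLEAN_TRANSCRIPT),
                    ("injected", INJECTED_TRANSCRIPT),
                    ("trailing", TRAILING_TRANSCRIPT)):
        decision, dropped = plaintext_phase(t)
        print(f"{name}: {decision}, dropped {len(dropped)} untagged line(s)")
```

The check on data buffered after the tagged OK matters as much as discarding untagged lines: a client that reads ahead and then wraps the socket in TLS would otherwise treat attacker-supplied plaintext as the first bytes of the "secure" session.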
I got another mail from upstream, and with their consent I'm reproducing the text of it here as context for the CVE, along with my reply:

> > Dear John,
> >
> > I took a look at
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2021-46853
> >
> > and the description of the report says
> >
> > Alpine before 2.25 allows remote attackers to cause a denial of service
> > (daemon crash) when LIST or LSUB is sent before STARTTLS.
> >
> > Do you mean to say that Alpine sends a LIST or LSUB command before
> > STARTTLS and it is crashing servers? If that is the case, this is wrong.
> > Could you please clarify this?
>
> I didn't write the description. I have in the past for CVEs I've
> requested, but stopped once I noticed that MITRE just ended up writing
> their own descriptions anyway. I'm not surprised they outright got it
> wrong, and even if it were the case that Alpine could crash remote
> servers, that would be a vulnerability in the server and not the
> software that triggered the crash. I'll attempt to get them to correct
> the description.
>
> Do you mind if I reproduce the text of your email into a comment on
> our bugzilla? It will be easier to convince them if I can point to
> your saying that it's wrong.
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d167c115f5378da115e01a8dce0dc7d221bf0d80

commit d167c115f5378da115e01a8dce0dc7d221bf0d80
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:18:50 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:06 +0000

    [ GLSA 202301-07 ] Alpine: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/807613
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-07.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
GLSA released, all done!