Bug 601452 (CVE-2016-8652) - <net-mail/dovecot-2.2.27: remote crash when auth-policy component is activated
Summary: <net-mail/dovecot-2.2.27: remote crash when auth-policy component is activated
Status: RESOLVED FIXED
Alias: CVE-2016-8652
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: C3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-2669
Reported: 2016-12-02 13:49 UTC by Agostino Sarubbo
Modified: 2017-07-16 01:31 UTC (History)

See Also:
Package list:
=net-mail/dovecot-2.2.27 =app-text/libexttextcat-3.4.4
Runtime testing required: ---
stable-bot: sanity-check+

Description Agostino Sarubbo gentoo-dev 2016-12-02 13:49:12 UTC
From ${URL} :

Important vulnerability in Dovecot (CVE-2016-8652)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 2.2.25.1 up to 2.2.26.1
Fixed in: 2.2.27.1rc1

Short summary: Dovecot auth component can be crashed by remote user when
auth-policy component is activated.

If auth-policy component has been activated in Dovecot, then remote user
can use SASL authentication to crash auth component.

Workaround is to disable auth-policy component until fix is in place.
This can be done by commenting out all auth_policy_* settings.
@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
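The two things an administrator needs to know from the advisory above are whether the installed Dovecot is older than the fixed version (the bug summary uses <net-mail/dovecot-2.2.27 as the cutoff) and whether any auth_policy_* setting is active, since commenting those settings out is the stated workaround. The following POSIX shell script is an added example, not part of this bug or of Dovecot; it parses a config dump in the "key = value" form that "doveconf -n" prints. The setting names auth_policy_server_url and auth_policy_hash_nonce in the sample configs, and the host in the URL, are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the Gentoo bug or the Dovecot project).

# Return 0 if the given config text has at least one uncommented
# auth_policy_* setting, i.e. the auth-policy component is active.
auth_policy_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auth_policy_[a-z_]+[[:space:]]*='
}

# Return 0 if a Dovecot version string (x.y.z or x.y.z.w) is older than
# 2.2.27, the first version this bug treats as fixed; 1 otherwise.
dovecot_version_vulnerable() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # keep only the leading digits of the patch component ("27rc1" -> "27")
    patch=${patch%%[!0-9]*}
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 2 ] && return 0
    [ "$minor" -gt 2 ] && return 1
    [ "${patch:-0}" -lt 27 ]
}

# Return 0 when both conditions hold: the version is unfixed and the
# workaround has not been applied. Arguments: config text, version.
workaround_needed() {
    dovecot_version_vulnerable "$2" && auth_policy_enabled "$1"
}

# Constructed sample config dumps: auth-policy active, and the same
# config with the workaround (all auth_policy_* lines commented out).
CONF_POLICY_ON='auth_policy_server_url = http://policy.example.test:4001/
auth_policy_hash_nonce = constructed-nonce
passdb {
  driver = pam
}'
CONF_POLICY_OFF='#auth_policy_server_url = http://policy.example.test:4001/
#auth_policy_hash_nonce = constructed-nonce
passdb {
  driver = pam
}'

for v in 2.2.25 2.2.26.1 2.2.27 2.2.27.1rc1; do
    if dovecot_version_vulnerable "$v"; then
        echo "$v: unfixed version"
    else
        echo "$v: fixed version"
    fi
done
if workaround_needed "$CONF_POLICY_ON" 2.2.25; then
    echo "auth-policy active on an unfixed version: comment out auth_policy_* or upgrade"
fi
```

On a live system the config text would come from "doveconf -n" and the version from "dovecot --version"; the version check deliberately treats everything below 2.2.27 as unfixed rather than only the 2.2.25.1 to 2.2.26.1 range in the advisory, because the bug's package atom is the authoritative cutoff here.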
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-12-04 22:39:06 UTC
@ Maintainer(s): Dovecot v2.2.27 is now released, see http://dovecot.org/list/dovecot-news/2016-December/000333.html

From announcement:

> Note that the download URLs are now https with a certificate from Let's Encrypt.

So you can also adjust SRC_URI to use HTTPS.
And I am not convinced that we aren't affected. According to the advisory,

> Affected version(s): 2.2.25.1 up to 2.2.26.1

We have v2.2.25. But if you see the fixes,

https://github.com/dovecot/core/commit/1f2c35da2b96905bec6e45f88af0f33ee63789e6
https://github.com/dovecot/core/commit/2c3f37672277b1f73f84722802aaa0ab1ab3e413

then you don't see one of these files touched between v2.2.25 and v2.2.25.1, see https://github.com/dovecot/core/compare/2.2.25...2.2.25.1

So if v2.2.25.1 is vulnerable, I would expect that our v2.2.25 is affected as well.

I'll ping upstream to ask for clarification.
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-12-05 11:25:31 UTC
Upstream replied: Their advisory is wrong and previous versions (including our v2.2.25) are affected!
@ Maintainer(s): Please bump to >=net-mail/dovecot-2.2.27
Comment 3 Eray Aslan gentoo-dev 2016-12-06 14:48:07 UTC
Arches, please test and mark stable
=net-mail/dovecot-2.2.27

Target Keywords = alpha amd64 arm hppa ppc ppc64 ~s390 x86

Alpha, arm, hppa, ppc and ppc64 will need to stabilize
=app-text/libexttextcat-3.4.4
as well.  It is an optional dependency via the textcat USE flag.
Comment 4 Tobias Klausmann gentoo-dev 2016-12-12 15:57:55 UTC
Stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-13 11:06:51 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-13 11:32:13 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2016-12-17 15:35:20 UTC
arm stable
Comment 8 Nick Wallingford 2016-12-23 20:18:55 UTC
Shouldn't #601880 block stabilization?
Comment 9 Thomas Deutschmann gentoo-dev Security 2016-12-23 20:51:10 UTC
(In reply to Nick Wallingford from comment #8)
> Shouldn't #601880 block stabilization?

No, this is a libressl problem and libressl has no security coverage in Gentoo at the moment (i.e. no stable ebuild) so we don't care.

Also, maintainer(s) can always add a patch which fixes a compilation problem without losing stable keywords.

So no need to block stabilization.
Comment 10 Jeroen Roovers gentoo-dev 2017-01-14 12:26:15 UTC
Stable for HPPA.
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-15 16:03:58 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-01-18 10:05:36 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Eray Aslan gentoo-dev 2017-01-18 14:38:36 UTC
Can't remove =net-mail/dovecot-2.2.19 without breaking the tree for ia64 mips sh and sparc (see bug #564484)

Rest punted from the tree.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-18 23:02:52 UTC
(In reply to Eray Aslan from comment #13)
> Can't remove =net-mail/dovecot-2.2.19 without breaking the tree for ia64
> mips sh and sparc (see bug #564484)
> 
> Rest punted from the tree.

Thanks for the info.  Once it is able to be security masked or cleaned, just let us know.
Comment 15 Thomas Deutschmann gentoo-dev Security 2017-01-19 21:35:51 UTC
GLSA Vote: No
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-21 07:46:45 UTC
Why was ia64/sparc not CC'ed for stable here?  I missed that as well, but unsure of the reasoning.
Comment 17 Thomas Deutschmann gentoo-dev Security 2017-01-21 10:45:06 UTC
(In reply to Aaron Bauman from comment #16)
> Why was ia64/sparc not CC'ed for stable here?  I missed that as well, but
> unsure of the reasoning.

dovecot dropped keywords on ia64 and sparc in the past and is awaiting re-keywording, see depending bug 564484.
Comment 18 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-02-01 02:42:34 UTC
@maintainer(s), please consider dropping keywords or masking the old version.  Thanks.
Comment 19 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-07-16 01:31:55 UTC
=net-mail/dovecot-2.2.19 is only for ia64/sparc which are not security supported.  No other arches will be impacted with the ebuild being in place.