684822 – (CVE-2019-11494, CVE-2019-11499) <net-mail/dovecot-2.3.6 - Submission-login crashes (with signal 11 due to null pointer access when authentication is aborted by disconnecting|when authentication is started over TLS secured channel and invalid authentication message is sent)

Bug 684822 (CVE-2019-11494, CVE-2019-11499) - <net-mail/dovecot-2.3.6 - Submission-login crashes (with signal 11 due to null pointer access when authentication is aborted by disconnecting|when authentication is started over TLS secured channel and invalid authentication message is sent)

Summary: <net-mail/dovecot-2.3.6 - Submission-login crashes (with signal 11 due to nul...

Status:	RESOLVED FIXED

Alias:	CVE-2019-11494, CVE-2019-11499

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2019-04-30 16:54 UTC by Jeroen Roovers (RETIRED)
Modified:	2019-08-09 21:00 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	net-mail/dovecot-2.3.6
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeroen Roovers (RETIRED) gentoo-dev

2019-04-30 16:54:01 UTC

https://dovecot.org/list/dovecot-news/2019-April/000409.html
CVE-2019-11494: Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting

https://dovecot.org/list/dovecot-news/2019-April/000410.html
CVE-2019-11499: Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent

Comment 1 Hank Leininger 2019-05-01 05:11:06 UTC

FWIW, bumping the current ebuild to 2.3.6 worked here (amd64) with no modifications.

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2019-05-01 07:57:40 UTC

(In reply to Jeroen Roovers from comment #0)
> https://dovecot.org/list/dovecot-news/2019-April/000409.html
> CVE-2019-11494: Submission-login crashes with signal 11 due to null pointer
> access when authentication is aborted by disconnecting
> 
> https://dovecot.org/list/dovecot-news/2019-April/000410.html
> CVE-2019-11499: Submission-login crashes when authentication is started over
> TLS secured channel and invalid authentication message is sent

2.3.6 is not in tree yet. Please do not add the version information to the summary until it is.

Comment 3 Larry the Git Cow gentoo-dev

2019-05-04 05:45:43 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7323d59995cb41a4bf537beb3d80671048752330

commit 7323d59995cb41a4bf537beb3d80671048752330
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2019-05-04 05:45:20 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2019-05-04 05:45:20 +0000

    net-mail/dovecot: security bump to 2.3.6
    
    Bug: https://bugs.gentoo.org/684822
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest             |   2 +
 net-mail/dovecot/dovecot-2.3.6.ebuild | 294 ++++++++++++++++++++++++++++++++++
 2 files changed, 296 insertions(+)

Comment 4 Eray Aslan gentoo-dev

2019-05-04 05:49:09 UTC

Arches, please test and mark stable
=net-mail/dovecot-2.3.5.2

TARGET KEYWORDS=alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 ~sparc x86

Thank you

Comment 5 Agostino Sarubbo gentoo-dev

2019-05-04 12:57:25 UTC

amd64 stable

Comment 6 Rolf Eike Beer archtester

2019-05-07 16:04:17 UTC

hppa stable

Comment 7 Larry the Git Cow gentoo-dev

2019-05-07 20:14:06 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3414d51126bd2e28f385d8cdd2e801b40f0a551e

commit 3414d51126bd2e28f385d8cdd2e801b40f0a551e
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-05-07 20:13:21 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-05-07 20:13:32 +0000

    net-mail/dovecot-2.3.6-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/684822
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 net-mail/dovecot/dovecot-2.3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 8 Markus Meier gentoo-dev

2019-05-09 04:45:26 UTC

arm stable

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2019-05-10 13:03:26 UTC

x86 stable

Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev

2019-05-12 22:07:58 UTC

ia64 stable

Comment 11 Agostino Sarubbo gentoo-dev

2019-06-04 14:37:07 UTC

ppc64 stable

Comment 12 Agostino Sarubbo gentoo-dev

2019-06-04 18:54:31 UTC

s390 stable.

Maintainer(s), please cleanup.

Comment 13 Agostino Sarubbo gentoo-dev

2019-06-05 07:13:16 UTC

ppc stable.

Maintainer(s), please cleanup.

Comment 14 Eray Aslan gentoo-dev

2019-08-08 05:53:56 UTC

cleanup done.  dovecot-2.2.36.3 is not vulnerable btw.  thank you