Bug 681922 (CVE-2019-7524) - <net-mail/dovecot- Buffer overflow when reading extension header from dovecot index files
Summary: <net-mail/dovecot- Buffer overflow when reading extension header from...
Alias: CVE-2019-7524
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Depends on:
Blocks: CVE-2019-3814
Reported: 2019-03-28 13:16 UTC by Agostino Sarubbo
Modified: 2019-04-19 15:33 UTC

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2019-03-28 13:16:24 UTC
From ${URL} :

we're sharing our latest advisory with you and would like to thank
everyone who contributed in finding and solving those vulnerabilities.
Feel free to join our bug bounty programs (open-xchange, dovecot,
powerdns) at HackerOne. Please find patches for v2.2.36 and v2.3.5 attached,
or download new version.

Yours sincerely,
Aki Tuomi
Open-Xchange Oy

Product: Dovecot

Vendor: OX Software GmbH
Internal reference: DOV-2964 (Bug ID)
Vulnerability type: CWE-120
Vulnerable version: 2.0.14 - 2.3.5
Vulnerable component: fts, pop3-uidl-plugin
Report confidence: Confirmed
Researcher credits: Found in internal testing
Solution status: Fixed by Vendor
Fixed version:,
Vendor notification: 2019-02-05
Solution date: 2019-03-21
Public disclosure: 2019-03-28
CVE reference: CVE-2019-7524
CVSS: 3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C (8.8)
Vulnerability Details:
When reading FTS or POP3-UIDL header from dovecot index, the input
buffer size is not bound, and data is copied to target structure causing
stack overflow.

This can be used for local root privilege escalation or executing
arbitrary code in dovecot process context. This requires ability to
directly modify dovecot indexes.
Steps to reproduce:
1. Produce dovecot.index.log entry that creates an FTS header which has
   more than 12 bytes of data.
2. Trigger dovecot indexer-worker or run doveadm index.
3. Dovecot will crash.

Since 2.3.0 dovecot has been compiled with stack smash protection, ASLR,
read-only GOT tables and other techniques that make exploiting this bug
much harder.

Operators should update to the latest Patch Release. The only workaround
is to disable FTS and pop3-uidl plugin.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
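The bug class the advisory describes (CWE-120: a length read from the index file drives a copy into a fixed-size structure), shown next to a bounded version. This is an added example, not code from the advisory or from Dovecot; the 12-byte `ext_header` struct, its field names, and both function names are hypothetical, chosen only to match the "more than 12 bytes" condition in the steps to reproduce.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 12-byte extension header; NOT Dovecot's real structure. */
struct ext_header {
    uint32_t field_a;
    uint32_t field_b;
    uint32_t field_c;
};

enum hdr_status { HDR_OK, HDR_SHORT, HDR_OVERSIZED };

/* Pattern from the advisory: the record length stored in the index file
 * is trusted, so size > sizeof(*dst) writes past the end of dst. */
void read_header_unbounded(struct ext_header *dst, const void *data, size_t size)
{
    memcpy(dst, data, size);
}

/* Hardened form: the destination size bounds the copy. Oversized records
 * are rejected as corrupt; short ones are zero-padded. */
enum hdr_status read_header_bounded(struct ext_header *dst, const void *data, size_t size)
{
    memset(dst, 0, sizeof(*dst));
    if (size > sizeof(*dst))
        return HDR_OVERSIZED;
    memcpy(dst, data, size);
    return size < sizeof(*dst) ? HDR_SHORT : HDR_OK;
}

int main(void)
{
    /* Constructed sample record: 16 bytes, 4 more than the header holds. */
    uint32_t record[4] = { 1, 2, 3, 0xdeadbeefu };
    struct ext_header hdr;

    printf("16 bytes -> %d\n", read_header_bounded(&hdr, record, sizeof(record)));
    printf("12 bytes -> %d\n", read_header_bounded(&hdr, record, 12));
    printf(" 4 bytes -> %d\n", read_header_bounded(&hdr, record, 4));
    return 0;
}
```

`read_header_unbounded` is defined only for comparison and is never called; `main` exercises the bounded reader with an oversized, an exact, and a short record.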
Comment 1 Larry the Git Cow gentoo-dev 2019-03-29 14:02:20 UTC
The bug has been referenced in the following commit(s):

commit aebf54df234b6fe8e8879adae952f7603471caae
Author:     Eray Aslan <>
AuthorDate: 2019-03-29 14:01:58 +0000
Commit:     Eray Aslan <>
CommitDate: 2019-03-29 14:01:58 +0000

    net-mail/dovecot: security bump to
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Eray Aslan <>

 net-mail/dovecot/Manifest               |   1 +
 net-mail/dovecot/dovecot- | 294 ++++++++++++++++++++++++++++++++
 2 files changed, 295 insertions(+)
Comment 2 Eray Aslan gentoo-dev 2019-03-29 14:14:29 UTC
Arches, please test and mark stable

TARGET KEYWORDS=alpha amd64 arm ~hppa ia64 ~mips ppc ppc64 s390 ~sparc x86

Thank you
Comment 3 Eray Aslan gentoo-dev 2019-03-29 14:20:13 UTC
missed hppa

TARGET KEYWORDS=alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 ~sparc x86
Comment 4 Agostino Sarubbo gentoo-dev 2019-03-30 10:47:33 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-02 01:38:37 UTC
x86 stable
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2019-04-02 07:07:34 UTC
New GLSA Request filed.
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 21:44:37 UTC
arm stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:48:15 UTC
ia64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:53:41 UTC
ppc64 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-08 06:20:26 UTC
ppc stable
Comment 11 Markus Meier gentoo-dev 2019-04-08 18:27:43 UTC
arm stable
Comment 12 Rolf Eike Beer archtester 2019-04-08 21:56:29 UTC
hppa stable
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-17 12:22:55 UTC
alpha stable
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-17 12:23:15 UTC
s390 stable
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2019-04-17 17:57:33 UTC
@maintainer, please drop vulnerable.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2019-04-17 18:34:08 UTC
This issue was resolved and addressed in
 GLSA 201904-19 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2019-04-17 18:34:30 UTC
re-opened for cleanup
Comment 18 Eray Aslan gentoo-dev 2019-04-19 06:39:17 UTC
cleanup done