Bug 709386 (CVE-2020-7046, CVE-2020-7957) - ~net-mail/dovecot-2.3.9.2: multiple vulnerabilities (CVE-2020-{7046,7957})
Summary: ~net-mail/dovecot-2.3.9.2: multiple vulnerabilities (CVE-2020-{7046,7957})
Status: RESOLVED FIXED
Alias: CVE-2020-7046, CVE-2020-7957
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2020/q1/71
Whiteboard: ~3 [noglsa cve]
Keywords:
Duplicates: 709482
Depends on:
Blocks:
 
Reported: 2020-02-12 14:25 UTC by filip ambroz
Modified: 2020-04-11 18:38 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Description filip ambroz 2020-02-12 14:25:21 UTC
CVE-2020-7046:
A denial of service has been found in Dovecot prior to 2.3.9.3, where lib-smtp doesn't handle truncated command parameters properly, resulting in an infinite loop taking 100% CPU for the process. This happens for LMTP (where it doesn't matter so much) and also for submission-login, where unauthenticated users can trigger it.

CVE-2020-7957:
A denial of service has been found in Dovecot prior to 2.3.9.3, where a specially crafted e-mail can cause a mailbox to have permanently inaccessible mail, or the e-mail itself can be stuck in delivery. This happens because the snippet generation crashes if a message is large enough that message-parser returns multiple body blocks, the first block(s) don't contain the full snippet (e.g. full of whitespace), and the input ends with '>'.

Solution:
Upgrade to 2.3.9.3

References:
https://seclists.org/oss-sec/2020/q1/72
https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-7046
https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-7957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957
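As an added example (not part of this bug report, Dovecot, or the Gentoo tree), the following script turns the description above into a reproducible check: it extracts the dotted version from `dovecot --version` output or from a Gentoo package name such as `net-mail/dovecot-2.3.9.2`, and reports whether that version is older than the 2.3.9.3 fix. The sample strings inside are constructed; the script assumes only that `dovecot --version` prints the version as the first dotted number on its output line.

```python
"""Check whether a Dovecot build predates the 2.3.9.3 fix for
CVE-2020-7046 and CVE-2020-7957 (example code, not from the bug report)."""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, ...]

# "Solution: Upgrade to 2.3.9.3" from the bug description.
FIXED_VERSION: Version = (2, 3, 9, 3)

# First run of dot-separated integers, e.g. "2.3.9.2" in "2.3.9.2 (cd4ba5ad)".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Optional[Version]:
    """Return the first dotted numeric version in text as an int tuple.

    Works for 'dovecot --version' output and for Gentoo package names
    like 'net-mail/dovecot-2.3.9.2'. Returns None if nothing matches.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: Version) -> bool:
    """True when version is 'prior to 2.3.9.3', the range the advisory names.

    Python compares tuples element by element and treats a shorter prefix
    as smaller, so (2, 3, 9) < (2, 3, 9, 3) and (2, 3, 10) > (2, 3, 9, 3).
    """
    return version < FIXED_VERSION


def installed_version() -> Optional[Version]:
    """Ask the local dovecot binary for its version; None if not installed."""
    try:
        result = subprocess.run(
            ["dovecot", "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None
    return parse_version(result.stdout)


def report(text: str) -> str:
    """Human-readable verdict for a version string or package name."""
    version = parse_version(text)
    if version is None:
        return f"{text!r}: no version found"
    label = ".".join(str(p) for p in version)
    if is_affected(version):
        return f"{label}: affected by CVE-2020-7046/CVE-2020-7957, upgrade to 2.3.9.3"
    return f"{label}: not affected (2.3.9.3 or newer)"


if __name__ == "__main__":
    # Constructed samples; "cd4ba5ad" stands in for the build hash dovecot prints.
    for sample in ("2.3.9.2 (cd4ba5ad)", "net-mail/dovecot-2.3.9.3", "2.3.10"):
        print(report(sample))
    local = installed_version()
    if local is not None:
        print("local install:", report(".".join(str(p) for p in local)))
```

Run it on a mail host to get a verdict for the installed binary; feeding it package names from `emerge --search` or an inventory export works the same way because only the dotted version is matched.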
Comment 1 Hank Leininger 2020-02-12 17:59:17 UTC
FYI, just copying the existing 2.3.9.2 -> 2.3.9.3 and rebuilding seems to work fine.

I don't know if it is considered helpful, or bad form, to submit a PR for a maintained package.  I will do so, but tell me if I should stop ;)
Comment 3 Larry the Git Cow gentoo-dev 2020-02-13 10:22:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5bd3540c37952e7ea38c17232411834884708b9c

commit 5bd3540c37952e7ea38c17232411834884708b9c
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2020-02-12 17:58:51 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-02-13 10:22:21 +0000

    net-mail/dovecot: bump to fix CVE-2020-7046, CVE-2020-7957
    
    Simple bump from 2.3.9.2.
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/709386
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest               |   1 +
 net-mail/dovecot/dovecot-2.3.9.3.ebuild | 286 ++++++++++++++++++++++++++++++++
 2 files changed, 287 insertions(+)
Comment 4 filip ambroz 2020-02-13 11:05:54 UTC
stablereq 2.3.9.3 (security team, please correct me if this was the wrong step to take)
Comment 5 Thomas Deutschmann gentoo-dev Security 2020-02-13 13:15:16 UTC
*** Bug 709482 has been marked as a duplicate of this bug. ***
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-02-13 13:26:36 UTC
No stable version affected.

@ Maintainer(s): Please clean up and drop =net-mail/dovecot-2.3.8!
Comment 7 Larry the Git Cow gentoo-dev 2020-02-14 05:44:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83b213b07bce1b76cc090b0be6d263df4a7413d1

commit 83b213b07bce1b76cc090b0be6d263df4a7413d1
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-02-14 05:43:18 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-02-14 05:43:18 +0000

    net-mail/dovecot: remove vulnerable version
    
    Bug: https://bugs.gentoo.org/709386
    Package-Manager: Portage-2.3.88, Repoman-2.3.20
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest               |   1 -
 net-mail/dovecot/dovecot-2.3.9.2.ebuild | 286 --------------------------------
 2 files changed, 287 deletions(-)
Comment 8 Thomas Deutschmann gentoo-dev Security 2020-02-14 13:11:33 UTC
GLSA Vote: No!

Repository is clean, all done!