"Vulnerability Details: When two passdb configuration entries exist in Dovecot configuration, which have the same driver and args settings, the incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation with certain configurations involving master user authentication. Dovecot documentation does not advise against the use of passdb definitions which have the same driver and args settings. One such configuration would be where an administrator wishes to use the same pam configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user." Patches: https://github.com/dovecot/core/commit/7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 https://github.com/dovecot/core/commit/a1022072e2ce36f853873d910287f466165b184b
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=921f6d327e0d44ef9967b684763e6794ee818757

commit 921f6d327e0d44ef9967b684763e6794ee818757
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2022-07-08 06:11:58 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2022-07-08 06:11:58 +0000

net-mail/dovecot: security bump

Bug: https://bugs.gentoo.org/856733
Signed-off-by: Eray Aslan <eras@gentoo.org>

net-mail/dovecot/dovecot-2.3.19.1-r1.ebuild | 303 ++++++++++++++++++++++++++++
net-mail/dovecot/files/CVE-2022-30550.patch | 155 ++++++++++++++
2 files changed, 458 insertions(+)
Thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33894390c6b3e33c46ff367ae4f4bcf40c452be8

commit 33894390c6b3e33c46ff367ae4f4bcf40c452be8
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2022-07-11 04:28:17 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2022-07-11 04:29:08 +0000

net-mail/dovecot: drop 2.3.18-r1, 2.3.19.1

Bug: https://bugs.gentoo.org/856733
Signed-off-by: Eray Aslan <eras@gentoo.org>

net-mail/dovecot/Manifest | 2 -
net-mail/dovecot/dovecot-2.3.18-r1.ebuild | 307 ------------------------------
net-mail/dovecot/dovecot-2.3.19.1.ebuild | 302 -----------------------------
3 files changed, 611 deletions(-)