Bug 1075608 - (CVE-2017-15132) VUL-0: CVE-2017-15132: dovecot,dovecot22: auth client leaks memory if SASL authentication is aborted.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Assigned To: Peter Varkoly
Security Team bot
CVSSv3:SUSE:CVE-2017-15132:5.3:(AV:N/...
Depends on:
Blocks:
Reported: 2018-01-11 14:52 UTC by Victor Pereira
Modified: 2018-03-07 13:10 UTC (History)
CC: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 2 Marcus Meissner 2018-01-25 11:05:50 UTC
public now via oss-sec:

Score: 5.3, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected versions: 2.0 up to 2.2.33 and 2.3.0
Fixed versions: 2.2.34 (not released yet), 2.3.1 (not released yet)

We have identified a memory leak in the Dovecot auth client used by login
processes. The leak has an impact in high-performance configurations where the
same login processes are reused, and can cause the process to crash due to memory exhaustion.

The patch for this issue can be found at https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch

To the best of our knowledge, this patch should apply to all versions.

This issue can be mitigated on vulnerable systems by limiting login processes to a single request per process, which is also the default value.

Regards,
Aki Tuomi
Dovecot Oy
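The mitigation named in the advisory above (one request per login process, the default) can be audited from a `doveconf -n` dump. The check below is an added example, not code from the Dovecot project or from the advisory; it assumes Dovecot's `service_count` setting inside `service imap-login { }` / `service pop3-login { }` blocks, which the page itself does not name, and runs against a constructed sample dump rather than a live server.

```shell
# Added check: flag login services whose service_count is 0 (Dovecot's
# "high-performance" mode, where one login process is reused for an
# unlimited number of connections). That is the configuration the advisory
# says is exposed to the leak; the default, service_count = 1, is the
# mitigation. Setting name assumed from Dovecot's documentation, not the page.
check_login_service_count() {
  # $1: text of a `doveconf -n` dump, passed in so the check runs offline.
  # Prints each affected *-login service; exits 1 if any was found.
  printf '%s\n' "$1" | awk '
    /^service [a-z0-9]+-login /  { svc = $2; next }   # enter a *-login block
    /^}/                         { svc = ""; next }   # leave a top-level block
    svc != "" && $1 == "service_count" && $3 == "0" { print svc; bad = 1 }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample dump: imap-login is in high-performance mode,
# pop3-login is already at the safe default, lmtp is not a login service.
SAMPLE_CONF='service imap-login {
  service_count = 0
  process_min_avail = 4
}
service pop3-login {
  service_count = 1
}
service lmtp {
  service_count = 0
}'

# Stand-alone usage: on a real host pass "$(doveconf -n)" instead of the sample.
if check_login_service_count "$SAMPLE_CONF"; then
  echo "no login service is reused across requests"
else
  echo "login service(s) listed above are reused across requests; set service_count = 1"
fi
```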
Comment 4 Marcus Meissner 2018-01-31 08:38:22 UTC
Team Debian has found an issue with our patch. The Dovecot login process would crash after a few minutes of idling following consecutive aborted logins.

This is fixed with https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22.patch

We would like to thank Apollon and Salvatore for raising this to our attention.

Aki Tuomi
Dovecot Oy
Comment 5 Johannes Segitz 2018-02-15 12:24:17 UTC
Please submit for this. Thank you.
Comment 6 Johannes Segitz 2018-02-15 12:25:16 UTC
(In reply to Johannes Segitz from comment #5)
... for package "dovecot"
Comment 7 Swamp Workflow Management 2018-02-16 20:08:20 UTC
SUSE-SU-2018:0466-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1075608
CVE References: CVE-2017-15132
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    dovecot22-2.2.31-19.5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    dovecot22-2.2.31-19.5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    dovecot22-2.2.31-19.5.1
SUSE Linux Enterprise Server 12-SP3 (src):    dovecot22-2.2.31-19.5.1
SUSE Linux Enterprise Server 12-SP2 (src):    dovecot22-2.2.31-19.5.1
Comment 8 Swamp Workflow Management 2018-02-20 17:12:27 UTC
openSUSE-SU-2018:0492-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1075608
CVE References: CVE-2017-15132
Sources used:
openSUSE Leap 42.3 (src):    dovecot22-2.2.31-2.3.1
Comment 9 Johannes Segitz 2018-02-27 16:22:42 UTC
(In reply to Johannes Segitz from comment #6)
Please ignore, it's only a base package.
Comment 10 Marcus Meissner 2018-02-28 08:11:06 UTC
done
Comment 11 Swamp Workflow Management 2018-03-07 13:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1075608) was mentioned in
https://build.opensuse.org/request/show/583874 Factory / dovecot23