Bug 1171456 (CVE-2020-10967) - VUL-0: CVE-2020-10967: dovecot,dovecot23: Sending mail with empty quoted localpart causes submission or lmtp componentto crash.
Summary: VUL-0: CVE-2020-10967: dovecot,dovecot23: Sending mail with empty quoted loca...
Status: RESOLVED FIXED
Alias: CVE-2020-10967
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Peter Varkoly
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv3.1:SUSE:CVE-2020-10967:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-11 11:36 UTC by Marcus Meissner
Modified: 2020-05-26 13:17 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 3 Alexandros Toptsoglou 2020-05-18 14:25:23 UTC
now public through 

https://dovecot.org/pipermail/dovecot-news/2020-May/000438.html

Internal reference: DOV-1745
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 2.3.0 - 2.3.10
Vulnerable component: submission, lmtp
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.10.1
Researcher credits: mailbox.org
Vendor notification: 2020-03-20
Solution date: 2020-04-02
Public disclosure: 2020-05-18
CVE reference: CVE-2020-10967
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
	Sending mail with empty quoted localpart causes submission or lmtp component
	to crash.

Risk:
	Malicious actor can cause denial of service to mail delivery by repeatedly
	sending mails with bad sender or recipient address.

Steps to reproduce:
	Send mail with envelope sender or recipient as ``<""@example.org>``.

Workaround:
	For submission there is no workaround, but triggering the bug requires valid
	credentials.
	For lmtp, one can implement sufficient filtering on MTA level to prevent mails
	with such addresses from ending up in LMTP delivery.

Solution:
	Upgrade to fixed version.
Comment 4 OBSbugzilla Bot 2020-05-18 17:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (1171456) was mentioned in
https://build.opensuse.org/request/show/807017 Factory / dovecot23
Comment 5 Swamp Workflow Management 2020-05-22 10:13:32 UTC
SUSE-SU-2020:1380-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1171456,1171457,1171458
CVE References: CVE-2020-10957,CVE-2020-10958,CVE-2020-10967
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    dovecot23-2.3.10-11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-05-22 10:14:40 UTC
SUSE-SU-2020:1379-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1171456,1171457,1171458
CVE References: CVE-2020-10957,CVE-2020-10958,CVE-2020-10967
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    dovecot23-2.3.10-4.22.1
SUSE Linux Enterprise Server 15-LTSS (src):    dovecot23-2.3.10-4.22.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    dovecot23-2.3.10-4.22.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    dovecot23-2.3.10-4.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-05-26 13:14:22 UTC
openSUSE-SU-2020:0720-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1171456,1171457,1171458
CVE References: CVE-2020-10957,CVE-2020-10958,CVE-2020-10967
Sources used:
openSUSE Leap 15.1 (src):    dovecot23-2.3.10-lp151.2.9.1
Comment 8 Alexandros Toptsoglou 2020-05-26 13:17:31 UTC
Done