Bug 1174920 (CVE-2020-12100) - VUL-0: CVE-2020-12100: dovecot22,dovecot23: nested MIME parts leads to resource exhaustion
Status: RESOLVED FIXED
Alias: CVE-2020-12100
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Assignee: Peter Varkoly
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/264781/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-12100:7.5:(AV:...
Reported: 2020-08-05 14:28 UTC by Alexandros Toptsoglou
Modified: 2022-10-23 16:03 UTC

Attachments
patches (16.10 KB, application/x-xz)
2020-08-05 14:28 UTC, Alexandros Toptsoglou
Description Alexandros Toptsoglou 2020-08-05 14:28:52 UTC
Created attachment 840371
patches

Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Fixed versions: 2.3.11
Vulnerable component: submission, lmtp, lda
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:

Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.

Risk:

A malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad content.

Workaround:

Limit MIME structures in the MTA.

Solution:

Upgrade to fixed version.
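
The workaround in the description (limit MIME structures before the mail reaches delivery) can be prototyped as a pre-delivery depth check. This is an added example, not part of the bug report or of Dovecot's patches; the function name, the limit and the sample message are assumptions. It counts multipart and message/rfc822 nesting with an explicit stack and stops as soon as the limit is exceeded.

```python
from email.parser import BytesHeaderParser

# Constructed sample: multiparts b1 > b2 > b3, then a message/rfc822 part in b1.
SAMPLE = b"\n".join([
    b'Content-Type: multipart/mixed; boundary="b1"', b"", b"--b1",
    b'Content-Type: multipart/alternative; boundary="b2"', b"", b"--b2",
    b'Content-Type: multipart/related; boundary="b3"', b"", b"--b3",
    b"Content-Type: text/plain", b"", b"hello", b"--b3--", b"--b2--", b"--b1",
    b"Content-Type: message/rfc822", b"", b"Subject: inner", b"", b"body", b"--b1--",
])

def mime_nesting_ok(raw: bytes, max_depth: int = 10):
    """Return (ok, deepest_level_seen) without recursing or building a MIME tree."""
    parser = BytesHeaderParser()   # parses one header block, never descends into bodies
    stack = []                     # open containers: boundary bytes, None for message/rfc822
    deepest, headers, in_headers = 0, [], True
    for line in raw.splitlines():
        if in_headers:
            if line.strip():
                headers.append(line)
                continue
            # Blank line: the header block of the current part is complete.
            part = parser.parsebytes(b"\r\n".join(headers) + b"\r\n\r\n")
            headers, in_headers = [], False
            boundary = part.get_boundary()
            if part.get_content_maintype() == "multipart" and boundary:
                stack.append(boundary.encode("ascii", "replace"))
            elif part.get_content_type() == "message/rfc822":
                stack.append(None)
                in_headers = True  # an embedded message starts with its own headers
            deepest = max(deepest, len(stack))
            if deepest > max_depth:
                return False, deepest  # reject early; stack never exceeds max_depth + 1
            continue
        if not line.startswith(b"--"):
            continue
        text = line.rstrip()
        # Match delimiters of open multiparts, innermost first.
        for i in range(len(stack) - 1, -1, -1):
            b = stack[i]
            if b is None:
                continue
            if text == b"--" + b:          # next sibling part of container i
                del stack[i + 1:]
                in_headers = True
                break
            if text == b"--" + b + b"--":  # container i is closed
                del stack[i:]
                break
    return True, deepest
```

A content filter or milter would call this on the raw message and reject or quarantine when the first element is False.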
Comment 4 Peter Varkoly 2020-08-10 10:25:33 UTC
I've problems with a dovecot vul bug: https://bugzilla.suse.com/show_bug.cgi?id=1174920
I can apply the proposed patches only on SLE15 and SLE15_SP1 (dovecot23), not on SLE12 (dovecot22).
But the patch seems to be buggy. The tests cannot be built:
https://build.suse.de/package/live_build_log/home:varkoly:branches:OBS_Maintained:dovecot23/dovecot23.SUSE_SLE-15_Update/SUSE_SLE-15_Update/x86_64
Comment 7 OBSbugzilla Bot 2020-08-13 13:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (1174920) was mentioned in
https://build.opensuse.org/request/show/826276 Factory / dovecot23
Comment 10 Wolfgang Frisch 2020-08-17 15:32:33 UTC
upstream git commits:
Comment 15 Swamp Workflow Management 2021-01-05 20:16:37 UTC
SUSE-SU-2021:0028-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1174922,1174923,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-12673,CVE-2020-12674,CVE-2020-24386,CVE-2020-25275
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    dovecot23-2.3.11.3-17.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2021-01-05 20:19:15 UTC
SUSE-SU-2021:0029-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    dovecot23-2.3.11.3-4.32.1
SUSE Linux Enterprise Server 15-LTSS (src):    dovecot23-2.3.11.3-4.32.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    dovecot23-2.3.11.3-4.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    dovecot23-2.3.11.3-4.32.1

Comment 17 Swamp Workflow Management 2021-01-05 20:20:21 UTC
SUSE-SU-2021:0027-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    dovecot23-2.3.11.3-21.1

Comment 18 Swamp Workflow Management 2021-01-07 20:18:14 UTC
openSUSE-SU-2021:0026-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    dovecot23-2.3.11.3-lp152.2.6.1
Comment 19 Swamp Workflow Management 2021-01-16 14:15:58 UTC
openSUSE-SU-2021:0072-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    dovecot23-2.3.11.3-lp151.2.15.1
Comment 20 Peter Varkoly 2021-02-16 10:46:25 UTC
Fixed
Comment 23 Peter Varkoly 2021-09-01 12:49:09 UTC
Can/need not be fixed for dovecot22