Bug 1180406 (CVE-2020-25275) - VUL-1: CVE-2020-25275: dovecot22,dovecot23: Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822
Summary: VUL-1: CVE-2020-25275: dovecot22,dovecot23: Mail delivery / parsing crashed w...
Status: RESOLVED FIXED
Alias: CVE-2020-25275
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/274103/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-25275:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-28 13:40 UTC by Wolfgang Frisch
Modified: 2021-09-30 11:54 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Comment 4 Wolfgang Frisch 2020-12-29 16:00:25 UTC
This bug (CVE-2020-25275) was introduced with the fix for CVE-2020-12100, which we have not applied yet:
https://bugzilla.suse.com/show_bug.cgi?id=1174920

Technically we're not affected, but I'm setting the tracking to "affected" nevertheless, so that we don't miss it, once bsc#1174920 is fixed.

SUSE:SLE-12:Update      dovecot22  Affected
SUSE:SLE-15:Update      dovecot23  Affected
SUSE:SLE-15-SP1:Update  dovecot23  Affected
SUSE:SLE-15-SP2:Update  dovecot23  Affected
Comment 8 Wolfgang Frisch 2021-01-04 14:31:27 UTC
via oss-security:

Open-Xchange Security Advisory 2021-01-04

Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4113 (Bug ID)
Vulnerability type: CWE-20: Improper Input Validation
Vulnerable version: 2.3.11-2.3.11.3
Vulnerable component: lda, lmtp, imap
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.13
Vendor notification: 2020-09-10
Solution date: 2020-09-14
Public disclosure: 2021-01-04
CVE reference: CVE-2020-25275
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Researcher credit: Innokentii Sennovskiy (Rumata888) from BI.ZONE

Vulnerability Details:

Mail delivery / parsing crashed when the 10 000th MIME part was
message/rfc822 (or if parent was multipart/digest). This happened
due to earlier MIME parsing changes for CVE-2020-12100.

Risk:

Malicious sender can crash dovecot repeatedly by sending / uploading
message with more than 10 000 MIME parts.

Workaround:

These are usually dropped by MTA, where the mitigation can also be applied.

Solution:

Operators should update to 2.3.13 or later version.
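The advisory above describes a crash that occurred when a part-count limit was reached on a part of one particular type (message/rfc822, or a child of multipart/digest). The following is an added illustration, not code from Dovecot, OX or the advisory, of how such a limit is applied uniformly: a bounded MIME-tree walker that counts every part, including message/rfc822 wrappers and the message nested inside them, and rejects an oversized message with an explicit error instead of failing. The function names, the exception class, the demo limit of 10 and the constructed sample messages are all assumptions; Python's standard email package is used to build and walk the messages.

```python
"""Bounded MIME-part counting for a mail delivery path.

Added illustration, not Dovecot code. Names, limits and sample messages are assumptions.
"""
from email.message import Message
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Default cap, matching the number quoted in the advisory. Assumed value for this demo.
DEFAULT_MAX_PARTS = 10_000


class MimePartLimitExceeded(Exception):
    """Raised when a message carries more MIME parts than the configured cap."""


def count_mime_parts(msg: Message, max_parts: int = DEFAULT_MAX_PARTS) -> int:
    """Walk the MIME tree iteratively and return the total number of parts.

    The limit check runs on every part, before its type is inspected, so a
    message/rfc822 wrapper or a multipart/digest child hits exactly the same
    code path as a plain text part.
    """
    count = 0
    stack = [msg]
    while stack:
        part = stack.pop()
        count += 1
        if count > max_parts:
            raise MimePartLimitExceeded(
                f"message has more than {max_parts} MIME parts"
            )
        if part.is_multipart():
            # In the email package both multipart/* containers and message/rfc822
            # wrappers carry a list payload; an rfc822 wrapper holds one nested Message.
            # Nested children are pushed so they are counted like any other part.
            stack.extend(reversed(part.get_payload()))
    return count


def check_delivery(msg: Message, max_parts: int = DEFAULT_MAX_PARTS) -> tuple[bool, str]:
    """Return (accepted, reason) for a delivery decision instead of crashing."""
    try:
        n = count_mime_parts(msg, max_parts)
    except MimePartLimitExceeded as exc:
        return False, str(exc)
    return True, f"ok ({n} parts)"


def build_message(n_text_parts: int, nest_rfc822: bool) -> Message:
    """Construct a sample message: n text parts, optionally plus a nested message/rfc822 part."""
    outer = MIMEMultipart("mixed")
    for i in range(n_text_parts):
        outer.attach(MIMEText(f"constructed part {i}", "plain"))
    if nest_rfc822:
        inner = MIMEText("constructed inner message", "plain")
        outer.attach(MIMEMessage(inner))  # wrapper part + the nested message = 2 parts
    return outer


if __name__ == "__main__":
    # Outer container + 8 text parts + rfc822 wrapper + nested message = 11 parts.
    # With a demo cap of 10 the message is refused with a reason, not a crash.
    print(check_delivery(build_message(8, True), max_parts=10))
    print(check_delivery(build_message(3, True), max_parts=10))
```

The point of the walker is that the cap is checked once per part in a single place; the type-specific handling (rfc822 wrapper, digest child) only decides what to push next, so no part type can reach a different, unchecked path when the count is exhausted.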
Comment 9 Swamp Workflow Management 2021-01-05 20:16:59 UTC
SUSE-SU-2021:0028-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1174922,1174923,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-12673,CVE-2020-12674,CVE-2020-24386,CVE-2020-25275
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    dovecot23-2.3.11.3-17.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-01-05 20:19:26 UTC
SUSE-SU-2021:0029-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    dovecot23-2.3.11.3-4.32.1
SUSE Linux Enterprise Server 15-LTSS (src):    dovecot23-2.3.11.3-4.32.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    dovecot23-2.3.11.3-4.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    dovecot23-2.3.11.3-4.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-01-05 20:20:32 UTC
SUSE-SU-2021:0027-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    dovecot23-2.3.11.3-21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-01-07 20:18:25 UTC
openSUSE-SU-2021:0026-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    dovecot23-2.3.11.3-lp152.2.6.1
Comment 13 Swamp Workflow Management 2021-01-16 14:16:09 UTC
openSUSE-SU-2021:0072-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    dovecot23-2.3.11.3-lp151.2.15.1
Comment 15 Gianluca Gabrielli 2021-09-14 16:00:10 UTC
SUSE:SLE-12:Update/dovecot22 is still flagged as affected; can you please submit the fix?
Comment 16 Wolfgang Frisch 2021-09-30 11:54:39 UTC
CVE-2020-12100 (bsc#1174920) was declared WONTFIX for SLE-12/dovecot22,
which in turn means that SLE-12/dovecot22 is not affected by CVE-2020-25275, which would have been introduced by patching the former.