Bug 1032248 - (CVE-2017-2669) VUL-0: CVE-2017-2669: dovecot: DoS when passdb dict was used for authentication
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Peter Varkoly
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/182843/
CVSSv2:SUSE:CVE-2017-2669:5.4:(AV:N/A...
Depends on:
Blocks:
Reported: 2017-04-04 08:13 UTC by Alexander Bergmann
Modified: 2017-07-06 22:39 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Comment 2 Marcus Meissner 2017-04-11 15:38:25 UTC
CVSS: 6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)
Vulnerable versions: 2.2.26 - 2.2.28
Fixed version(s): 2.2.29

Broken by a3783f8a3c9cd816b51e77a922f82301512fcf22
Fixed by 000030feb7a30f193197f1aab8a7b04a26b42735
is public


Dovecot supports "dict" passdb and
userdb: https://wiki2.dovecot.org/AuthDatabase/Dict
When these were used for user authentication, the username sent by the
IMAP/POP3 client was sent through var_expand() to perform %variable
expansion. Sending specially crafted %variable fields could result in
excessive memory usage causing the process to crash (and restart), or
excessive CPU usage causing all authentications to hang.

Excessive memory usage could be done with e.g. %09999999999u as the
username. Because by default Dovecot limits the auth process's VSZ and
exits on any memory allocation failure, the auth process typically dies
afterwards and is immediately restarted. This may result in some user
authentications getting temporary internal failures.

Excessive CPU usage could be done with %{pkcs5;rounds=100000000:user}
variable introduced in v2.2.27.

Please use this
https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch
to fix this issue, it should be applicable to older versions too.
Please let us know if you need assistance in patching.

---
Aki Tuomi
Dovecot oy
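The advisory above describes the client-supplied username reaching var_expand() unfiltered, so a width field like %09999999999u drives a huge allocation and a %{pkcs5;rounds=...} form drives a long key-derivation loop. The following C check is an added example written for this page; it is neither Dovecot's code nor the upstream fix linked above. It screens a username before any %variable expansion and rejects oversized widths and brace forms. The function name check_username and the limits MAX_EXPAND_WIDTH and MAX_USERNAME_LEN are assumptions chosen for illustration, and the sample usernames are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative limits (assumptions for this example, not Dovecot's values). */
#define MAX_EXPAND_WIDTH 256
#define MAX_USERNAME_LEN 255

/* Verdict for a client-supplied username screened before any %variable
 * expansion (such as Dovecot's var_expand()) ever sees it. */
enum username_check {
	USERNAME_OK = 0,
	USERNAME_TOO_LONG,
	USERNAME_EXPAND_WIDTH,  /* %<digits>x with an oversized width, e.g. %09999999999u */
	USERNAME_EXPAND_BRACE   /* %{...} form, e.g. %{pkcs5;rounds=100000000:user} */
};

/* Walk the username and refuse the two expansion shapes the advisory names.
 * Plain text and the harmless "%%" escape pass through unchanged. */
enum username_check check_username(const char *user)
{
	size_t len = strlen(user);

	if (len > MAX_USERNAME_LEN)
		return USERNAME_TOO_LONG;

	for (size_t i = 0; i < len; i++) {
		if (user[i] != '%')
			continue;
		const char *p = user + i + 1;

		if (*p == '%') {	/* "%%" expands to a literal '%' */
			i++;
			continue;
		}
		if (*p == '{')		/* brace expansions can carry expensive modifiers */
			return USERNAME_EXPAND_BRACE;
		if (isdigit((unsigned char)*p)) {
			/* Leading digits are padding/width; a huge width means a
			 * huge buffer when the variable is expanded. */
			char *end;
			errno = 0;
			unsigned long long width = strtoull(p, &end, 10);
			if (errno == ERANGE || width > MAX_EXPAND_WIDTH)
				return USERNAME_EXPAND_WIDTH;
		}
	}
	return USERNAME_OK;
}

static const char *verdict_name(enum username_check v)
{
	switch (v) {
	case USERNAME_OK:           return "ok";
	case USERNAME_TOO_LONG:     return "rejected: too long";
	case USERNAME_EXPAND_WIDTH: return "rejected: oversized %width";
	case USERNAME_EXPAND_BRACE: return "rejected: %{...} expansion";
	}
	return "unknown";
}

int main(void)
{
	/* Constructed sample usernames, including the two patterns from the advisory. */
	const char *samples[] = {
		"alice",
		"bob%%smith",
		"%5u",
		"%09999999999u",
		"%{pkcs5;rounds=100000000:user}",
	};

	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-34s -> %s\n", samples[i],
		       verdict_name(check_username(samples[i])));
	return 0;
}
```

A check like this only belongs in front of the expansion as defence in depth; the remedy for the bug itself is the upstream patch or the 2.2.29 update listed in the comment above.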
Comment 5 Marcus Meissner 2017-04-21 14:27:19 UTC
We can try to take the minor version update without more paperwork.

Let's see if that works.
Comment 6 Marcus Rückert 2017-04-24 16:07:23 UTC
dovecot:   created request id 131687

This brings 2 major fixes:
1. reload support
2. move ssl certs out of /etc/ssl/certs (old bugfix missing in sle)

dovecot22: created request id 131688

This brings all the security and other fixes done since 2.2.13
Comment 10 Swamp Workflow Management 2017-05-11 19:19:07 UTC
SUSE-SU-2017:1250-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1032248,854512,932386
CVE References: CVE-2017-2669
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    dovecot22-2.2.29.1-11.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    dovecot22-2.2.29.1-11.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    dovecot-2.2-3.1, dovecot22-2.2.29.1-11.1
SUSE Linux Enterprise Server 12-SP2 (src):    dovecot-2.2-3.1, dovecot22-2.2.29.1-11.1
SUSE Linux Enterprise Server 12-SP1 (src):    dovecot-2.2-3.1, dovecot22-2.2.29.1-11.1
Comment 11 Andreas Stieger 2017-06-12 12:59:51 UTC
Peter, ping for openSUSE!
Comment 12 Bernhard Wiedemann 2017-06-24 10:00:53 UTC
This is an autogenerated message for OBS integration:
This bug (1032248) was mentioned in
https://build.opensuse.org/request/show/505994 42.2 / dovecot22.4673
Comment 13 Bernhard Wiedemann 2017-06-24 14:00:45 UTC
This is an autogenerated message for OBS integration:
This bug (1032248) was mentioned in
https://build.opensuse.org/request/show/506002 42.2 / dovecot22
Comment 14 Andreas Stieger 2017-07-06 16:20:20 UTC
Release for 42.2, done
Comment 15 Swamp Workflow Management 2017-07-06 22:13:48 UTC
openSUSE-SU-2017:1807-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1032248,854512,932386
CVE References: CVE-2017-2669
Sources used:
openSUSE Leap 42.2 (src):    dovecot22-2.2.30.2-5.4.1