#9115 closed enhancement (fixed)
dovecot-2.2.29
| Reported by: | Owned by: | Pierre Labastie | |
|---|---|---|---|
| Priority: | high | Milestone: | 8.1 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version.
Change History (6)
comment:1 by , 8 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 8 years ago
| Priority: | normal → high |
|---|
Note:
See TracTickets
for help on using tickets.
Security fix in this version: https://www.dovecot.org/pipermail/dovecot-news/2017-April/000342.html
CVSS: 6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H) Vulnerable versions: 2.2.26 - 2.2.28 Fixed version(s): 2.2.29 Broken by a3783f8a3c9cd816b51e77a922f82301512fcf22 Fixed by 000030feb7a30f193197f1aab8a7b04a26b42735 Dovecot supports "dict" passdb and userdb: https://wiki2.dovecot.org/AuthDatabase/Dict When these were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang. Excessive memory usage could be done with e.g. %09999999999u as the username. Because by default Dovecot limits the auth process's VSZ and exits on any memory allocation failure, the auth process typically dies afterwards and is immediately restarted. This may result in some user authentications getting temporary internal failures. Excessive CPU usage could be done with %{pkcs5;rounds=100000000:user} variable introduced in v2.2.27.