Bug 1438676 (CVE-2017-2669)

Summary: CVE-2017-2669 dovecot: Dovecot DoS when passdb dict was used for authentication
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dexter, janfrode, mhlavink, pokorra.mailinglists, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dovecot 2.2.29 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-11 05:44:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1441457    
Bug Blocks: 1438677    

Description Adam Mariš 2017-04-04 07:50:15 UTC 
When "dict" passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.

This issue was introduced by:

https://github.com/dovecot/core/commit/a3783f8a3c9cd816b51e77a922f82301512fcf22

Upstream patch:

https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch

Vulnerable versions: 2.2.26 - 2.2.28
Comment 1 Adam Mariš 2017-04-04 07:50:22 UTC 
Acknowledgments:

Name: the Dovecot project
Comment 5 Doran Moppert 2017-04-12 01:58:46 UTC 
According to analysis conducted by Red Hat and Debian, and acknowledged by the Dovecot project, versions prior to 2.2.26 were not affected by this issue.
Comment 6 Doran Moppert 2017-04-12 01:58:58 UTC 
Statement:

Versions of dovecot shipped in Red Hat Enterprise Linux 5, 6 and 7 are not affected by this vulnerability.
Comment 7 Doran Moppert 2017-04-12 01:59:28 UTC 
Created dovecot tracking bugs for this issue:

Affects: fedora-all [bug 1441457]