Bug 469813 (CVE-2008-4907)

Summary: CVE-2008-4907 dovecot: per-user DoS via message with malformed headers
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dan, jlieskov, mhlavink
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4907
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 09:32:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-11-04 08:22:46 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4907 to the following vulnerability:

The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the
FETCH ENVELOPE command in the IMAP client, allows remote attackers to
cause a denial of service (persistent crash) via an email with a
malformed From address, which triggers an assertion error, aka
"invalid message address parsing bug."

References:
http://www.dovecot.org/list/dovecot-news/2008-October/000089.html
http://www.securityfocus.com/bid/31997
http://secunia.com/advisories/32479
http://xforce.iss.net/xforce/xfdb/46227
Comment 1 Tomas Hoger 2008-11-04 08:28:14 UTC 
Original report on the dovecot mailinglist:
  http://dovecot.org/list/dovecot/2008-October/034658.html

Upstream commit:
  http://hg.dovecot.org/dovecot-1.1/rev/48840b2d4b18
Comment 2 Tomas Hoger 2008-11-04 08:29:00 UTC 
Original report additionally mentions another commit fixing "similar problem":
  http://hg.dovecot.org/dovecot-1.1/rev/04fdaa2f831e
  http://dovecot.org/pipermail/dovecot/2008-September/033736.html

We should look how this can be triggered and which versions are affected.
Comment 3 Jan Lieskovsky 2008-11-11 10:49:49 UTC 
The CVE-2008-4907 affects only the version of the Dovecot package, as shipped with Fedora release of 10. Maintainer, please upgrade, to the latest upstream 1.1.6 version.
Comment 4 Michal Hlavinka 2008-11-11 13:16:10 UTC 
(In reply to comment #3)
> The CVE-2008-4907 affects only the version of the Dovecot package, as shipped
> with Fedora release of 10. Maintainer, please upgrade, to the latest upstream
> 1.1.6 version.

It's sitting in dist-f10-update-candidate and waiting for rel-eng to retag with dist-f10-final
Comment 7 Tomas Hoger 2010-03-29 09:32:03 UTC 
https://www.redhat.com/security/data/cve/CVE-2008-4907.html