Bug 1438676 (CVE-2017-2669) - CVE-2017-2669 dovecot: Dovecot DoS when passdb dict was used for authentication
Summary: CVE-2017-2669 dovecot: Dovecot DoS when passdb dict was used for authentication
Status: CLOSED NOTABUG
Alias: CVE-2017-2669
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20170410,reported=2...
Keywords: Security
Depends On: 1441457
Blocks: 1438677
TreeView+ depends on / blocked
 
Reported: 2017-04-04 07:50 UTC by Adam Mariš
Modified: 2019-06-08 21:53 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-04-11 05:44:56 UTC


Attachments (Terms of Use)

Description Adam Mariš 2017-04-04 07:50:15 UTC
When "dict" passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.

This issue was introduced by:

https://github.com/dovecot/core/commit/a3783f8a3c9cd816b51e77a922f82301512fcf22

Upstream patch:

https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch

Vulnerable versions: 2.2.26 - 2.2.28

Comment 1 Adam Mariš 2017-04-04 07:50:22 UTC
Acknowledgments:

Name: the Dovecot project

Comment 5 Doran Moppert 2017-04-12 01:58:46 UTC
According to analysis conducted by Red Hat and Debian, and acknowledged by the Dovecot project, versions prior to 2.2.26 were not affected by this issue.

Comment 6 Doran Moppert 2017-04-12 01:58:58 UTC
Statement:

Versions of dovecot shipped in Red Hat Enterprise Linux 5, 6 and 7 are not affected by this vulnerability.

Comment 7 Doran Moppert 2017-04-12 01:59:28 UTC
Created dovecot tracking bugs for this issue:

Affects: fedora-all [bug 1441457]


Note You need to log in before you can comment on or make changes to this bug.