Bug 1438676 (CVE-2017-2669) - CVE-2017-2669 dovecot: Dovecot DoS when passdb dict was used for authentication
Summary: CVE-2017-2669 dovecot: Dovecot DoS when passdb dict was used for authentication
Alias: CVE-2017-2669
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1441457
Blocks: 1438677
TreeView+ depends on / blocked
Reported: 2017-04-04 07:50 UTC by Adam Mariš
Modified: 2021-02-17 02:23 UTC (History)
5 users (show)

Fixed In Version: dovecot 2.2.29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-04-11 05:44:56 UTC

Attachments (Terms of Use)

Description Adam Mariš 2017-04-04 07:50:15 UTC
When "dict" passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.

This issue was introduced by:


Upstream patch:


Vulnerable versions: 2.2.26 - 2.2.28

Comment 1 Adam Mariš 2017-04-04 07:50:22 UTC

Name: the Dovecot project

Comment 5 Doran Moppert 2017-04-12 01:58:46 UTC
According to analysis conducted by Red Hat and Debian, and acknowledged by the Dovecot project, versions prior to 2.2.26 were not affected by this issue.

Comment 6 Doran Moppert 2017-04-12 01:58:58 UTC

Versions of dovecot shipped in Red Hat Enterprise Linux 5, 6 and 7 are not affected by this vulnerability.

Comment 7 Doran Moppert 2017-04-12 01:59:28 UTC
Created dovecot tracking bugs for this issue:

Affects: fedora-all [bug 1441457]

Note You need to log in before you can comment on or make changes to this bug.