| Summary: | dovecot new security issue CVE-2017-15132 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, mageia, mageia, marja11, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO MGA5-32-OK MGA6-32-OK | | |
| Source RPM: | dovecot-2.3.0-2.mga7.src.rpm | CVE: | |
| Status comment: | | | |
|
Description

David Walser, 2018-01-26 06:10:09 CET

David Walser, 2018-01-26 06:10:20 CET
Whiteboard: (none) => MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => mageia, marja11

Marc Krämer, 2018-01-26 11:07:50 CET
Assignee: pkg-bugs => mageia

I have uploaded a patched package for Mageia 5/6.

Suggested advisory:
========================

Updated dovecot packages fix security vulnerabilities:

A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has an impact in high-performance configurations where the same login processes are reused and can cause the process to crash due to memory exhaustion. (CVE-2017-15132)

References:
========================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15132

Updated packages in core/updates_testing:
========================
mga5:
dovecot-2.2.13-5.4.mga5
dovecot-pigeonhole-2.2.13-5.4.mga5
dovecot-pigeonhole-devel-2.2.13-5.4.mga5
dovecot-plugins-pgsql-2.2.13-5.4.mga5
dovecot-plugins-mysql-2.2.13-5.4.mga5
dovecot-plugins-ldap-2.2.13-5.4.mga5
dovecot-plugins-gssapi-2.2.13-5.4.mga5
dovecot-plugins-sqlite-2.2.13-5.4.mga5
dovecot-devel-2.2.13-5.4.mga5

mga6:
dovecot-2.2.29.1-1.1.mga6
dovecot-pigeonhole-2.2.29.1-1.1.mga6
dovecot-pigeonhole-devel-2.2.29.1-1.1.mga6
dovecot-plugins-pgsql-2.2.29.1-1.1.mga6
dovecot-plugins-mysql-2.2.29.1-1.1.mga6
dovecot-plugins-ldap-2.2.29.1-1.1.mga6
dovecot-plugins-gssapi-2.2.29.1-1.1.mga6
dovecot-plugins-sqlite-2.2.29.1-1.1.mga6
dovecot-devel-2.2.29.1-1.1.mga6
dovecot-debuginfo-2.2.29.1-1.1.mga6

Source RPMs:
dovecot-2.2.13-5.4.mga5.src.rpm
dovecot-2.2.29.1-1.1.mga6.src.rpm

Marc Krämer, 2018-01-26 12:28:27 CET
Assignee: mageia => qa-bugs

Thomas Backlund, 2018-01-26 13:34:53 CET
Version: Cauldron => 6

Installed and tested without issues. Tested using kmail/akonadi and k9/Android to access several GB of e-mails on the dovecot server.

System: Mageia 6, x86_64, Intel CPU.

```
$ uname -a
Linux marte 4.14.15-desktop-2.mga6 #1 SMP Wed Jan 24 23:42:14 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep dovecot | sort
dovecot-2.2.29.1-1.1.mga6
dovecot-pigeonhole-2.2.29.1-1.1.mga6
```

CC: (none) => mageia

MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Ref bug 17162 Comment 3 for testing.
At CLI:

```
# systemctl start dovecot
# systemctl -l status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
   Active: active (running) since di 2018-01-30 16:26:52 CET; 19s ago
 Main PID: 6194 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─6194 /usr/sbin/dovecot -F
           ├─6221 dovecot/anvil
           ├─6222 dovecot/log
           ├─6223 dovecot/ssl-params
           ├─6224 dovecot/config
           └─6227 dovecot/ssl-params

jan 30 16:26:57 xxxx.yyyy.zzzz dovecot[6194]: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp (core dumps disabled)
jan 30 16:27:08 xxxx.yyyy.zzzz dovecot[6222]: ssl-params: Generating SSL parameters
# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
close
Connection closed by foreign host.
```

Looks OK.

CC: (none) => herman.viaene

A problem was found with the upstream fix and corrected in a new commit:
http://openwall.com/lists/oss-security/2018/01/31/1

Keywords: (none) => feedback

New advisory:

I have uploaded a patched package for Mageia 5/6.

Suggested advisory:
========================

Updated dovecot packages fix security vulnerabilities:

A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has an impact in high-performance configurations where the same login processes are reused and can cause the process to crash due to memory exhaustion. (CVE-2017-15132)

References:
========================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15132
http://openwall.com/lists/oss-security/2018/01/25/4
http://openwall.com/lists/oss-security/2018/01/31/1

Updated packages in core/updates_testing:
========================
mga5:
dovecot-2.2.13-5.6.mga5
dovecot-pigeonhole-2.2.13-5.6.mga5
dovecot-pigeonhole-devel-2.2.13-5.6.mga5
dovecot-plugins-pgsql-2.2.13-5.6.mga5
dovecot-plugins-mysql-2.2.13-5.6.mga5
dovecot-plugins-ldap-2.2.13-5.6.mga5
dovecot-plugins-gssapi-2.2.13-5.6.mga5
dovecot-plugins-sqlite-2.2.13-5.6.mga5
dovecot-devel-2.2.13-5.6.mga5

mga6:
dovecot-2.2.29.1-1.2.mga6
dovecot-pigeonhole-2.2.29.1-1.2.mga6
dovecot-pigeonhole-devel-2.2.29.1-1.2.mga6
dovecot-plugins-pgsql-2.2.29.1-1.2.mga6
dovecot-plugins-mysql-2.2.29.1-1.2.mga6
dovecot-plugins-ldap-2.2.29.1-1.2.mga6
dovecot-plugins-gssapi-2.2.29.1-1.2.mga6
dovecot-plugins-sqlite-2.2.29.1-1.2.mga6
dovecot-devel-2.2.29.1-1.2.mga6
dovecot-debuginfo-2.2.29.1-1.2.mga6

Source RPMs:
dovecot-2.2.13-5.6.mga5.src.rpm
dovecot-2.2.29.1-1.2.mga6.src.rpm

Keywords: feedback => (none)

MGA6-32 on Dell Latitude D600 Mate
No installation issues.
Same tests as above, same results.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK

Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0114.html

Resolution: (none) => FIXED
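A defender-side check, added here and not part of the bug report or of the Mageia packages: it parses `rpm -qa` output and flags dovecot packages that are still below the final fixed builds from the advisory, which matters because the first builds (5.4.mga5 / 1.1.mga6) shipped the upstream fix that was later found to be incomplete. The sample input is constructed, and `check`, `vercmp` and the simplified rpmvercmp logic are assumptions of this example.

```python
import re

# Final fixed builds from the advisory (MGASA-2018-0114); the earlier
# 5.4.mga5 / 1.1.mga6 builds carried the incomplete upstream fix.
FIXED = {"mga5": ("2.2.13", "5.6.mga5"), "mga6": ("2.2.29.1", "1.2.mga6")}

# name-version-release as printed by `rpm -qa`, e.g. dovecot-pigeonhole-2.2.13-5.6.mga5
PKG_RE = re.compile(r"^dovecot(?:-[a-z]+)*-(?P<ver>[0-9.]+)-(?P<rel>[0-9.]+\.(?P<dist>mga\d+))$")

# Constructed sample of `rpm -qa` output (not taken from a real host).
SAMPLE_RPM_QA = """\
dovecot-2.2.29.1-1.1.mga6
dovecot-pigeonhole-2.2.29.1-1.1.mga6
dovecot-2.2.13-5.6.mga5
dovecot-pigeonhole-devel-2.2.13-5.6.mga5
dovecot-2.3.0-2.mga7
kernel-desktop-4.14.15-2.mga6
"""

def _segments(s):
    # Split "5.6.mga5" into [5, 6, "mga", 5]; digit runs become ints.
    return [int(x) if x.isdigit() else x for x in re.findall(r"\d+|[a-zA-Z]+", s)]

def vercmp(a, b):
    """Simplified rpmvercmp: return -1, 0 or 1 comparing version/release strings."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1  # numeric segment beats alpha
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer string is newer

def check(rpm_qa_output):
    """Map each dovecot package string to 'fixed', 'vulnerable' or 'not covered'."""
    report = {}
    for line in rpm_qa_output.splitlines():
        m = PKG_RE.match(line.strip())
        if not m:
            continue  # not a dovecot package
        if m["dist"] not in FIXED:
            report[m[0]] = "not covered"  # release not addressed by this advisory
            continue
        fixed_ver, fixed_rel = FIXED[m["dist"]]
        # Newer version wins outright; equal version falls through to the release.
        c = vercmp(m["ver"], fixed_ver) or vercmp(m["rel"], fixed_rel)
        report[m[0]] = "fixed" if c >= 0 else "vulnerable"
    return report

if __name__ == "__main__":
    print(check(SAMPLE_RPM_QA))
```

Feed it the real output of `rpm -qa | grep dovecot` on a Mageia 5 or 6 host to confirm the second (complete) build is installed rather than the first.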