Bug 25371

Summary:	Dovecot security issue CVE-2019-11500 - Fixed in 2.2.36.4 and 2.3.7.2
Product:	Mageia	Reporter:	Stig-Ørjan Smelror <smelror>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, herman.viaene, mageia, sysadmin-bugs, tmb
Version:	7	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA6TOO MGA7-64-OK MGA6-64-OK
Source RPM:		CVE:	CVE-2019-11500
Status comment:	Fixed in 2.2.36.4 and 2.3.7.2

Description Stig-Ørjan Smelror 2019-08-28 18:44:36 CEST

CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
  when scanning data in quoted strings, leading to out of bounds heap
  memory writes. Found by Nick Roessler and Rafi Rubin.

Reference
https://dovecot.org/pipermail/dovecot/2019-August/116875.html

Stig-Ørjan Smelror 2019-08-28 18:45:25 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed in 2.2.36.4 and 2.3.7.2
CVE: (none) => CVE-2019-11500

Stig-Ørjan Smelror 2019-08-28 18:54:20 CEST

Whiteboard: MGA7TOO => MGA7TOO, MGA6TOO

Comment 1 Stig-Ørjan Smelror 2019-08-28 20:38:19 CEST

Advisory
========

This update fixes CVE-2019-11500.

CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes.


References
==========

https://dovecot.org/pipermail/dovecot/2019-August/116875.html


Files
=====

Uploaded to core/updates_testing

dovecot-2.3.7.2-1.mga7
dovecot-pigeonhole-2.3.7.2-1.mga7
dovecot-pigeonhole-devel-2.3.7.2-1.mga7
dovecot-plugins-pgsql-2.3.7.2-1.mga7
dovecot-plugins-mysql-2.3.7.2-1.mga7
dovecot-plugins-ldap-2.3.7.2-1.mga7
dovecot-plugins-gssapi-2.3.7.2-1.mga7
dovecot-plugins-sqlite-2.3.7.2-1.mga7
dovecot-devel-2.3.7.2-1.mga7

from dovecot-2.3.7.2-1.mga7.src.rpm

Assignee: smelror => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO

Comment 2 Stig-Ørjan Smelror 2019-08-28 20:41:08 CEST

Advisory
========

This update fixes CVE-2019-11500.

CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes.


References
==========

https://dovecot.org/pipermail/dovecot/2019-August/116875.html


Files
=====

Uploaded to core/updates_testing

dovecot-2.2.36.4-1.mga6
dovecot-pigeonhole-2.2.36.4-1.mga6
dovecot-pigeonhole-devel-2.2.36.4-1.mga6
dovecot-plugins-pgsql-2.2.36.4-1.mga6
dovecot-plugins-mysql-2.2.36.4-1.mga6
dovecot-plugins-ldap-2.2.36.4-1.mga6
dovecot-plugins-gssapi-2.2.36.4-1.mga6
dovecot-plugins-sqlite-2.2.36.4-1.mga6
dovecot-devel-2.2.36.4-1.mga6

from dovecot-2.2.36.4-1.mga6.src.rpm

Comment 3 David Walser 2019-08-28 22:27:45 CEST

Ubuntu has issued an advisory for this today (August 28):
https://usn.ubuntu.com/4110-1/

Comment 4 David Walser 2019-08-29 13:28:13 CEST

Did you also update the bundled pigeonhole to 0.5.7.2?  See this thread:
https://www.openwall.com/lists/oss-security/2019/08/28/3

Keywords: (none) => feedback

Comment 5 Stig-Ørjan Smelror 2019-08-29 13:55:34 CEST

(In reply to David Walser from comment #4)
> Did you also update the bundled pigeonhole to 0.5.7.2?  See this thread:
> https://www.openwall.com/lists/oss-security/2019/08/28/3

Yes. I forgot it once and now I always check if it's updated as well.

Stig

David Walser 2019-08-29 14:15:44 CEST

Keywords: feedback => (none)

Comment 6 PC LX 2019-08-31 22:39:15 CEST

Installed and tested without issues.

System: Mageia 7, x86_64, Intel CPU.

E-mail Clients: kmail (Mageia 7), k9 (Android), roundcubemail (php/webmail).

Tested using an e-mail account with several gigabytes of emails, many emails and folders. 

$ uname -a
Linux marte 5.2.10-desktop-1.mga7 #1 SMP Sun Aug 25 17:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep dovecot
dovecot-2.3.7.2-1.mga7
dovecot-pigeonhole-2.3.7.2-1.mga7
$ systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-08-31 21:35:25 WEST; 1min 50s ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 18959 (dovecot)
   Memory: 22.4M
   CGroup: /system.slice/dovecot.service
           ├─18959 /usr/sbin/dovecot -F
           ├─18963 dovecot/anvil
           ├─18964 dovecot/log
           ├─18965 dovecot/imap-login
           ├─18966 dovecot/config
           ├─18967 dovecot/stats
           ├─18978 dovecot/imap
           ├─19022 dovecot/imap-login
           └─19025 dovecot/imap

ago 31 21:35:25 marte systemd[1]: Started Dovecot IMAP/POP3 email server.
ago 31 21:35:25 marte dovecot[18959]: master: Dovecot v2.3.7.2 (3c910f64b) starting up for imap

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
CC: (none) => mageia

Comment 7 Herman Viaene 2019-09-07 11:30:52 CEST

MGA6-64 Plasma on Lenovo B50
No installation issues
Followed test as per bug 22793 Comment 6. Sending and receiving mail worked OK.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK
CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2019-09-07 14:11:26 CEST

Validating. Advisories in Comments 1 and 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-08 15:21:02 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 9 Mageia Robot 2019-09-08 16:10:09 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0261.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED