Bug 24588 - dovecot new security issue CVE-2019-7524
Summary: dovecot new security issue CVE-2019-7524
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-03-28 21:58 CET by David Walser
Modified: 2019-04-10 23:26 CEST
CC: 7 users

See Also:
Source RPM: dovecot-2.2.36.1-1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 2.2.36.3


Description David Walser 2019-03-28 21:58:27 CET
Upstream has released 2.2.36.3 and 2.3.5.1 today (March 28), fixing a security issue:
https://www.dovecot.org/list/dovecot-news/2019-March/000402.html
https://www.dovecot.org/list/dovecot-news/2019-March/000401.html

Mageia 6 is also affected.
David Walser 2019-03-28 21:58:40 CET

Status comment: (none) => Fixed upstream in 2.2.36.3 and 2.3.5.1

David Walser 2019-03-28 21:58:45 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-03-29 08:09:43 CET
Assigning to our registered dovecot maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2019-03-29 14:46:50 CET
Full advisory for the security issue:
https://www.openwall.com/lists/oss-security/2019/03/28/1
Comment 3 David Walser 2019-03-30 20:10:45 CET
Debian has issued an advisory for this on March 28:
https://www.debian.org/security/2019/dsa-4418
Comment 4 Stig-Ørjan Smelror 2019-03-31 19:53:50 CEST
Dovecot updated to 2.3.5.1 on Cauldron.

CC: (none) => smelror

Stig-Ørjan Smelror 2019-03-31 19:55:41 CEST

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Status comment: Fixed upstream in 2.2.36.3 and 2.3.5.1 => Fixed upstream in 2.2.36.3
Source RPM: dovecot-2.3.5-1.mga7.src.rpm => dovecot-2.2.36.1-1.mga6.src.rpm
Assignee: shlomif => smelror

Comment 5 Stig-Ørjan Smelror 2019-03-31 20:10:46 CEST
Advisory
========

Dovecot has been updated to version 2.2.36.3 to fix a security issue.

CVE-2019-7524: Missing input buffer size validation leads to an arbitrary buffer overflow when reading the fts or pop3 uidl header from a Dovecot index. Exploiting this requires direct write access to the index files.


References
==========
https://nvd.nist.gov/vuln/detail/CVE-2019-7524
https://www.dovecot.org/list/dovecot-news/2019-March/000402.html


Files
=====

Uploaded to core/updates_testing

dovecot-2.2.36.3-1.mga6
dovecot-devel-2.2.36.3-1.mga6
dovecot-pigeonhole-2.2.36.3-1.mga6
dovecot-pigeonhole-devel-2.2.36.3-1.mga6
dovecot-plugins-gssapi-2.2.36.3-1.mga6
dovecot-plugins-ldap-2.2.36.3-1.mga6
dovecot-plugins-mysql-2.2.36.3-1.mga6
dovecot-plugins-pgsql-2.2.36.3-1.mga6
dovecot-plugins-sqlite-2.2.36.3-1.mga6

from dovecot-2.2.36.3-1.mga6.src.rpm

Assignee: smelror => qa-bugs
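
The bug class named in the advisory above (a size field read from an index file and trusted without validation before a copy) shown as an added illustration in C. This is constructed example code, not Dovecot's source and not its real index format: the record layout (a little-endian uint32 length followed by that many bytes of UIDL), the names read_uidl_unchecked, read_uidl_checked and UIDL_MAX, and the two sample records are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UIDL_MAX 64   /* caller-side buffer for the UIDL string (assumed size) */

/* Read a little-endian uint32 at p. The index file is the untrusted input here. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE pattern: the size field from the file is trusted as-is.
 * Anyone who can write the index can store size > UIDL_MAX and make memcpy
 * overrun `out`; a size larger than the record also over-reads `rec`. */
int read_uidl_unchecked(const uint8_t *rec, size_t rec_len, char out[UIDL_MAX])
{
    if (rec_len < 4)
        return -1;
    uint32_t size = get_le32(rec);
    memcpy(out, rec + 4, size);        /* no check against UIDL_MAX or rec_len */
    return (int)size;
}

/* HARDENED: the size field is validated against both the bytes actually
 * present in the record (no over-read) and the destination (no overflow). */
int read_uidl_checked(const uint8_t *rec, size_t rec_len, char *out, size_t out_size)
{
    if (rec_len < 4)
        return -1;                     /* truncated header */
    uint32_t size = get_le32(rec);
    if (size > rec_len - 4)
        return -1;                     /* claims more bytes than the record holds */
    if (size >= out_size)
        return -1;                     /* would not fit together with the NUL */
    memcpy(out, rec + 4, size);
    out[size] = '\0';
    return (int)size;
}

/* Constructed well-formed record: size = 5, payload "abcde". */
static const uint8_t good_rec[] = { 5, 0, 0, 0, 'a', 'b', 'c', 'd', 'e' };
/* Constructed corrupted record: size = 0x1000 but only 5 payload bytes follow. */
static const uint8_t bad_rec[]  = { 0x00, 0x10, 0, 0, 'a', 'b', 'c', 'd', 'e' };

int main(void)
{
    char uidl[UIDL_MAX];
    int n;

    n = read_uidl_checked(good_rec, sizeof good_rec, uidl, sizeof uidl);
    printf("well-formed record: %d bytes, uidl=\"%s\"\n", n, uidl);

    n = read_uidl_checked(bad_rec, sizeof bad_rec, uidl, sizeof uidl);
    printf("corrupted record: %s\n", n < 0 ? "rejected" : "accepted?!");

    /* read_uidl_unchecked(bad_rec, ...) would memcpy 4096 bytes into the
     * 64-byte stack buffer `uidl`; it is deliberately not called here. */
    return 0;
}
```

The checked reader rejects any record whose size field exceeds either the bytes actually present or the destination buffer, which is the validation the advisory describes as missing. It also shows why the issue needs write access to the index files: the index on disk, not network input, is the attacker-controlled source.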

Comment 6 PC LX 2019-04-01 11:10:59 CEST
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.

E-mail Clients: kmail (Mageia 6), roundcubemail (php/webmail), k9 (Android).

Tested with an e-mail account with gigabytes of emails, many thousands of emails and hundreds of folders. 

Will wait for more tests before marking it OK.



$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep dovecot
dovecot-pigeonhole-2.2.36.3-1.mga6
dovecot-2.2.36.3-1.mga6
$ systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: enabled)
   Active: active (running) since Seg 2019-04-01 09:04:51 WEST; 1h 2min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 4406 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
  Process: 4411 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
 Main PID: 4415 (dovecot)
      CPU: 4.320s
   CGroup: /system.slice/dovecot.service
           ├─4415 /usr/sbin/dovecot
           ├─4417 dovecot/anvil
           ├─4418 dovecot/log
           └─4421 dovecot/config
<SNIP>

CC: (none) => mageia

Comment 7 PC LX 2019-04-03 20:54:47 CEST
This update has been in use for several days without issues, so I'm going to give it the OK for x86_64 (see comment #6 for test details).

Whiteboard: (none) => MGA6-64-OK

Comment 8 Herman Viaene 2019-04-05 13:58:24 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Repeated test of squirrelmail as per bug 24454, since this uses dovecot.
All tests OK.

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2019-04-10 02:59:08 CEST
Thanks, guys. Validating. Suggested advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-04-10 21:52:19 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2019-04-10 23:26:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0141.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
