Dear subscribers, we have been made aware of two critical vulnerabilities in Dovecot 2.3. Please find patches attached for 2.3.5.2.
---
Aki Tuomi
Open-Xchange oy

------

Open-Xchange Security Advisory 2019-04-30

Product: Dovecot
Vendor: OX Software GmbH

Internal reference: DOV-3212 (Bug ID)
Vulnerability type: CWE-476
Vulnerable version: 2.3.0 - 2.3.5.2
Vulnerable component: submission-login
Report confidence: Confirmed
Researcher credits: Marcelo Coelho
Solution status: Fixed by Vendor
Fixed version: 2.3.6
Vendor notification: 2019-03-11
Solution date: 2019-04-23
Public disclosure: 2019-04-30
CVE reference: CVE-2019-11494
CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Submission-login crashes with signal 11 due to a null pointer access when authentication is aborted by disconnecting. This can lead to a denial-of-service attack by persistent attacker(s).

Workaround:
There is no available workaround for this issue.

Solution:
Operators should upgrade to a fixed version.

----

Open-Xchange Security Advisory 2019-04-30

Product: Dovecot
Vendor: OX Software GmbH

Internal reference: DOV-3223 (Bug ID)
Vulnerability type: CWE-617
Vulnerable version: 2.3.0 - 2.3.5.2
Vulnerable component: submission-login
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.6
Vendor notification: 2019-03-11
Solution date: 2019-04-23
Public disclosure: 2019-04-30
CVE reference: CVE-2019-11499
CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Submission-login crashes when authentication is started over a TLS-secured channel and an invalid authentication message is sent. This can lead to a denial-of-service attack by persistent attacker(s).

Workaround:
The authentication crash can be avoided if authentication is done without TLS.

Solution:
Operators should upgrade to a fixed version.
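Added example, not part of the advisory or of Dovecot's code: a Python triage helper that checks a `dovecot --version` string against the vulnerable range stated above and counts, in log lines, the two crash signatures this page mentions. The log line layout and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Vulnerable range as stated in the advisory (fixed version is 2.3.6).
VULN_MIN, VULN_MAX = (2, 3, 0, 0), (2, 3, 5, 2)

# Signal 11 is named in the CVE-2019-11494 advisory; the panic text is the
# one quoted in patch 3/3. The surrounding log layout is an assumption.
SIGNATURES = {
    "sigsegv": re.compile(
        r"service\(submission-login\): child \d+ killed with signal 11\b"),
    "parser-assert": re.compile(
        r"Panic: file smtp-command-parser\.c: line \d+ "
        r"\(smtp_command_parse_next\): assertion failed"),
}

def parse_version(text):
    """Turn '2.3.5.2 (abcdef0)' into a 4-tuple, padding missing parts with 0."""
    m = re.match(r"\s*(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def in_vulnerable_range(text):
    # A distribution package may carry the fixes under an old version
    # number, so True means "check the package changelog", not proof.
    return VULN_MIN <= parse_version(text) <= VULN_MAX

def count_crashes(lines):
    """Count how many lines match each crash signature."""
    hits = Counter()
    for line in lines:
        for name, rx in SIGNATURES.items():
            if rx.search(line):
                hits[name] += 1
    return dict(hits)

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    "Apr 30 09:12:01 mx1 dovecot: submission-login: Fatal: master: service(submission-login): child 4242 killed with signal 11 (core dumps disabled)",
    "Apr 30 09:12:07 mx1 dovecot: submission-login: Fatal: master: service(submission-login): child 4250 killed with signal 11 (core dumps disabled)",
    "Apr 30 09:13:40 mx1 dovecot: submission-login: Panic: file smtp-command-parser.c: line 438 (smtp_command_parse_next): assertion failed: (!parser->auth_response ...)",
    "Apr 30 09:14:02 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN",
]

if __name__ == "__main__":
    for v in ("2.3.5.2 (a1b2c3d)", "2.3.6", "2.2.36"):
        print(v, "->", "in vulnerable range" if in_vulnerable_range(v) else "outside range")
    print(count_crashes(SAMPLE_LOG))
```

Repeated hits for either signature on a host inside the vulnerable range are a reason to prioritise the upgrade to 2.3.6.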
From 754f791dd26313de8d75b740bddd1a192f11bf3f Mon Sep 17 00:00:00 2001 From: Stephan Bosch <stephan.bo...@dovecot.fi> Date: Tue, 23 Apr 2019 00:13:46 +0200 Subject: [PATCH 1/3] submission-login: Remove unused client->pending_starttls. --- src/submission-login/client.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/submission-login/client.h b/src/submission-login/client.h index 1667e158e..e89228432 100644 --- a/src/submission-login/client.h +++ b/src/submission-login/client.h @@ -23,7 +23,7 @@ struct submission_client { enum smtp_capability backend_capabilities; struct smtp_server_connection *conn; - struct smtp_server_cmd_ctx *pending_auth, *pending_starttls; + struct smtp_server_cmd_ctx *pending_auth; enum submission_proxy_state proxy_state; enum smtp_capability proxy_capability; -- 2.11.0
From f79745dae4a9a5fca33320e03a4fc9064b88d01e Mon Sep 17 00:00:00 2001 From: Stephan Bosch <stephan.bo...@dovecot.fi> Date: Tue, 12 Mar 2019 03:18:33 +0100 Subject: [PATCH 2/3] submission-login: client-authenticate - Fix crash occurring when client disconnects during authentication. --- src/submission-login/client-authenticate.c | 3 +++ src/submission-login/client.c | 1 + 2 files changed, 4 insertions(+) diff --git a/src/submission-login/client-authenticate.c b/src/submission-login/client-authenticate.c index 8b5422f83..6b70701a1 100644 --- a/src/submission-login/client-authenticate.c +++ b/src/submission-login/client-authenticate.c @@ -98,6 +98,9 @@ void submission_client_auth_result(struct client *client, container_of(client, struct submission_client, common); struct smtp_server_cmd_ctx *cmd = subm_client->pending_auth; + if (subm_client->conn == NULL) + return; + subm_client->pending_auth = NULL; i_assert(cmd != NULL); diff --git a/src/submission-login/client.c b/src/submission-login/client.c index 3e45e556c..20b773b9e 100644 --- a/src/submission-login/client.c +++ b/src/submission-login/client.c @@ -212,6 +212,7 @@ static void client_connection_disconnect(void *context, const char *reason) { struct submission_client *client = context; + client->pending_auth = NULL; client_disconnect(&client->common, reason); } -- 2.11.0
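Review bot: In submission_client_auth_result() in client-authenticate.c, the new early return on subm_client->conn == NULL sits above subm_client->pending_auth = NULL, so on that path the function leaves pending_auth untouched and depends on client_connection_disconnect() in client.c having cleared it. Consider clearing pending_auth before returning so this function does not rely on the other hunk, and add a one-line comment saying that a NULL conn means the client is already gone and the auth result is dropped on purpose.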
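Review bot: In client_connection_disconnect() in client.c, client->pending_auth is set to NULL with no visible release or abort of the command context it pointed to, so please confirm, and state in a comment, who owns that context and cleans it up on disconnect. Since submission_client_auth_result() still has i_assert(cmd != NULL) after its new guard, clearing the pointer here is only safe if conn is already NULL whenever a late auth result arrives; the visible lines do not show where conn is reset, so the commit message should spell out that ordering.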
From e9d60648abb9bbceff89882a5309cb9532e702e9 Mon Sep 17 00:00:00 2001 From: Stephan Bosch <stephan.bo...@dovecot.fi> Date: Thu, 25 Apr 2019 09:51:32 +0200 Subject: [PATCH 3/3] lib-smtp: smtp-server-cmd-auth - Fix AUTH response error handling so that it stops reading more input. Otherwise, it may try to read more data from the stream as the next AUTH response, which causes an assert crash in the command parser later on. Even when the parser finds no input from the stream, it will advance its state towards AUTH response parsing, which is a problem when the next command is subsequently being parsed. Panic was: Panic: file smtp-command-parser.c: line 438 (smtp_command_parse_next): assertion failed: (!parser->auth_response || parser->state.state == SMTP_COMMAND_PARSE_STATE_INIT || parser->state.state == SMTP_COMMAND_PARSE_STATE_ERROR) --- src/lib-smtp/smtp-server-cmd-auth.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lib-smtp/smtp-server-cmd-auth.c b/src/lib-smtp/smtp-server-cmd-auth.c index 24cb55ade..0d8062caa 100644 --- a/src/lib-smtp/smtp-server-cmd-auth.c +++ b/src/lib-smtp/smtp-server-cmd-auth.c @@ -99,6 +99,7 @@ static void cmd_auth_input(struct smtp_server_cmd_ctx *cmd) smtp_server_connection_debug(conn, "Client sent invalid AUTH response: %s", error); + smtp_server_command_input_lock(cmd); switch (error_code) { case SMTP_COMMAND_PARSE_ERROR_BROKEN_COMMAND: conn->input_broken = TRUE; -- 2.11.0
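Review bot: In cmd_auth_input() in smtp-server-cmd-auth.c, the added smtp_server_command_input_lock(cmd) sits before the switch on error_code, so it applies to every parse error case, and the hunk shows no matching unlock; please confirm that each branch finishes the command with an error reply so the connection cannot remain with input locked. The reason for the lock is given only in the commit message, so a short comment at the call site (stop the parser from treating further input as another AUTH response) would help, and since the patch changes one file only, a regression test for the quoted panic would be a welcome addition.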
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/