CLD-249 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | dovecot |
Deficiency Type | SECURITY |
Date Created | 2018-01-25 15:49:38 |
Date Last Modified | 2018-01-25 19:01:34 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in dovecot-2.2.33.2-i686-3 |
Cucumber 1.0 x86_64 | fixed in dovecot-2.2.33.2-x86_64-3 |
Cucumber 1.1 i686 | fixed in dovecot-2.2.33.2-i686-3 |
Cucumber 1.1 x86_64 | fixed in dovecot-2.2.33.2-x86_64-3 |
Details:
=================================== Overview ===================================
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL
authentication results in a memory leak in dovecot's auth client used by login
processes. The leak has an impact in high performance configurations where the
same login processes are reused, and it can cause the process to crash due to
memory exhaustion.
================================ Initial Report ================================
From oss-security@lists.openwall.com:
Score: 5.3, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected versions: 2.0 up to 2.2.33 and 2.3.0
Fixed versions: 2.2.34 (not released yet), 2.3.1 (not released yet)
We have identified a memory leak in Dovecot auth client used by login
processes. The leak has impact in high performance configuration where
same login processes are reused and can cause the process to crash due to
memory exhaustion.
Patch to apply this issue can be found from
https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
To our best knowledge, this patch should apply to all versions.
This issue can be mitigated on vulnerable systems by limiting login process to
single request per process, which is also the default value.
Regards,
Aki Tuomi
Dovecot oy
================================= Our Analysis =================================
----- Affected Products -----
Dovecot 2.0 up to and including 2.2.33, and Dovecot 2.3.0, are vulnerable to
this unless the patch from
https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
has been applied. This includes dovecot as originally packaged in
Cucumber Linux 1.0 and 1.1.
----- Scope and Impact of this Vulnerability -----
This vulnerability can be used to cause a denial of service in certain high
performance configurations. It should be noted that the default configuration
is not affected; only systems that have been explicitly configured to reuse
the login process are vulnerable.
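A way to check whether a system reuses its login processes, as an added example (not code from this advisory or from the Dovecot project). It assumes the per-process request limit is the Dovecot 2.x `service_count` setting of the login services (this page does not name it), that login services are the ones named `*-login`, and that the input is `doveconf -n` style text, where a setting that is not listed is at its default; the sample configuration is constructed.

```python
import re
import sys

# Constructed sample in `doveconf -n` style; not taken from a real system.
SAMPLE_CONF = """\
service imap-login {
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 4
  service_count = 0
}
service pop3-login {
  service_count = 1
}
"""

BLOCK_OPEN = re.compile(r"^(\S+)(?:\s+(\S+))?\s*\{$")
SERVICE_COUNT = re.compile(r"^service_count\s*=\s*(\d+)$")

def login_service_counts(conf_text):
    """Map each `service *-login` block to its service_count (1 if unset)."""
    counts, stack = {}, []  # stack holds (kind, name) of every open block
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opened = BLOCK_OPEN.match(line)
        if opened:
            kind, name = opened.groups()
            stack.append((kind, name))
            # Assumption: every top-level service named *-login is a login service.
            if len(stack) == 1 and kind == "service" and (name or "").endswith("-login"):
                counts.setdefault(name, 1)
        elif line == "}" and stack:
            stack.pop()
        elif len(stack) == 1 and stack[0][0] == "service" and stack[0][1] in counts:
            # Only a setting directly inside the service block counts.
            value = SERVICE_COUNT.match(line)
            if value:
                counts[stack[0][1]] = int(value.group(1))
    return counts

def reused_login_services(conf_text):
    """Login services whose processes handle more than one connection."""
    return sorted(n for n, c in login_service_counts(conf_text).items() if c != 1)

if __name__ == "__main__":
    text = SAMPLE_CONF if sys.stdin.isatty() else sys.stdin.read()
    for name in reused_login_services(text):
        print(f"{name}: login processes are reused (service_count != 1)")
```

On a real system, pipe the output of `doveconf -n` into the script; any service it prints is in the reused-process configuration this advisory describes.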
----- Fix for this Vulnerability -----
This vulnerability has been fixed in dovecot versions 2.2.34 and 2.3.1 (as of
Thu Jan 25 16:29:32 EST 2018 these have not been released yet). It can also be
fixed by applying the patch from
https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch.
================================= Our Solution =================================
We have applied the aforementioned patch and rebuilt.