[manjaro-security] [ASA-202005-9] dovecot: multiple issues

Morten Linderud foxboron at archlinux.org
Sat May 23 13:35:38 CEST 2020


Arch Linux Security Advisory ASA-202005-9
=========================================

Severity: High
Date    : 2020-05-19
CVE-ID  : CVE-2020-10957 CVE-2020-10958 CVE-2020-10967
Package : dovecot
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1162

Summary
=======

The package dovecot before version 2.3.10.1-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 2.3.10.1-1.

# pacman -Syu "dovecot>=2.3.10.1-1"

The problems have been fixed upstream in version 2.3.10.1.

Workaround
==========

None.

Description
===========

- CVE-2020-10957 (denial of service)

A NULL-pointer dereference issue has been found in Dovecot before
2.3.10.1 in the lmtp/submission component. A client can crash the
server by sending a NOOP command with an invalid string parameter. This
occurs particularly for a parameter that doesn't start with a double
quote. This applies to all SMTP services, including submission-login,
which makes it possible to crash the submission service without
authentication.

- CVE-2020-10958 (arbitrary code execution)

A security issue has been found in Dovecot before 2.3.10.1 in the
lmtp/submission component. Sending many invalid or unknown commands can
cause the server to access freed memory, which can lead to a server
crash. This happens when the server closes the connection with a "421
Too many invalid commands" error. The bad command limit depends on the
service (lmtp or submission) and varies between 10 to 20 bad commands.

- CVE-2020-10967 (denial of service)

A security issue has been found in Dovecot before 2.3.10.1 in the
lmtp/submission component. An authenticated attacker could send an
e-mail via the submission service with empty quoted localpart which
would cause the submission or lmtp component to crash. An
unauthenticated attacker could send an e-mail with a bad sender or
recipient address, causing the e-mail to be passed to LMTP for delivery
and then crash the LMTP component unless some kind of filtering has
been set up on the MTA level.

Impact
======

A remote, unauthenticated attacker can crash the server, causing a
denial of service. Under certain circumstances it might be possible for
a remote attacker to execute arbitrary code on the affected host.

References
==========

https://dovecot.org/pipermail/dovecot-news/2020-May/000437.html
https://dovecot.org/pipermail/dovecot-news/2020-May/000438.html
https://github.com/dovecot/core/commit/d143ca6b7ee1196ae3eafffbf6dee71a95a5e0b8
https://github.com/dovecot/core/commit/606724bd528b92347dce580d3ab48fc1e3c2f4d7
https://github.com/dovecot/core/commit/aedb205c79395de77127fb7166b29b09319df23c
https://github.com/dovecot/core/commit/874817b169d19a4ae51d80ad5798a396bfe90136
https://github.com/dovecot/core/commit/5efeccc10beccbf8d7700adec1278f97d416cbc6
https://github.com/dovecot/core/commit/2b4f1e47a4ca8a192bf3f7e944c0ad07b21b2ed1
https://github.com/dovecot/core/commit/563bf21d8228a3c06c63b3f289a90ca3d0c579a4
https://github.com/dovecot/core/commit/18d5837748d3eafe56e080653d5ed0b3e221be0b
https://github.com/dovecot/core/commit/063462d588eaea6f266596fae5f5470792dcc98d
https://github.com/dovecot/core/commit/b34002a4ca301ed94cd944ee3504287ed7e58031
https://github.com/dovecot/core/commit/92d9690da195b6ceaa878ab1df6c7c31a75f63f8
https://github.com/dovecot/core/commit/cbab48f174580bfb8d49321d8d336f96a231b0cd
https://security.archlinux.org/CVE-2020-10957
https://security.archlinux.org/CVE-2020-10958
https://security.archlinux.org/CVE-2020-10967
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20200523/c75998df/attachment.sig>


More information about the manjaro-security mailing list