[Secure-testing-team] Bug#803223: 2.2.19 changelog mentions pop3_deleted_flag security bug since 2.2.10
Anthony DeRobertis
anthony at derobert.net
Wed Oct 28 06:24:14 UTC 2015
Source: dovecot
Version: 1:2.2.13-12~deb8u1
Severity: normal
Tags: security
According to the Dovecot 2.2.19 changelog:

    * pop3_deleted_flag has been broken since v2.2.10. Using it would
      cause buffer overflows, which could be exploitable. However, this
      bug would have become visible quite soon after users had deleted
      some POP3 mails, because the pop3 processes would have started
      crashing all the time even in normal use.

That sounds like a security fix that should be backported to stable.
Unfortunately they haven't put it on their security page, nor can I find
a CVE for it.
I would guess this is the patch: http://hg.dovecot.org/dovecot-2.2/rev/05e0700daea3
While upstream doubts there are any exploitable installations, seems to
me it could be a problem on smaller servers, where the admin may have
enabled it despite POP3 being seldom (if ever) used. Mainly, because had
I not read that changelog, I would have just created such an
installation.
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (130, 'unstable'), (120, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
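
A triage check for the condition this report describes, added here as an example; it is not part of the original message and not Dovecot or Debian code. It flags a host when pop3_deleted_flag is set and the upstream version falls in the range the quoted changelog gives, assuming 2.2.19 (the release whose changelog carries the entry) is the first fixed version; the function names and the sample configuration are constructed for illustration.

```python
import re

# Range from the changelog quoted in the report: broken since v2.2.10.
# Assumption: 2.2.19, whose changelog carries the entry, is the first fixed release.
FIRST_BROKEN = (2, 2, 10)
FIRST_FIXED = (2, 2, 19)

# Constructed sample configuration in doveconf style (not from the report).
SAMPLE_CONF = """\
protocols = imap pop3
protocol pop3 {
  pop3_deleted_flag = $POP3Deleted
}
"""

def upstream_version(version):
    """Reduce '1:2.2.13-12~deb8u1' or '2.2.13 (abc123)' to (2, 2, 13)."""
    v = version.strip().split()[0]   # drop a trailing build id
    v = v.split(":", 1)[-1]          # drop a Debian epoch
    v = v.split("-", 1)[0]           # drop a Debian revision
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(x) for x in m.groups())

def deleted_flag_value(config_text):
    """Return the pop3_deleted_flag value, or None if unset or empty."""
    value = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # ignore comments
        m = re.match(r"pop3_deleted_flag\s*=\s*(.*)$", line)
        if m:
            # Keep the last occurrence found in the text.
            value = m.group(1).strip().strip('"') or None
    return value

def triage(version, config_text):
    """Classify a host as 'setting-unset', 'outside-range' or 'review'."""
    if deleted_flag_value(config_text) is None:
        return "setting-unset"
    if FIRST_BROKEN <= upstream_version(version) < FIRST_FIXED:
        # A distribution may backport the fix without changing the upstream
        # version, so this result means "check the package changelog".
        return "review"
    return "outside-range"

if __name__ == "__main__":
    print(triage("1:2.2.13-12~deb8u1", SAMPLE_CONF))
```

On a real host the two arguments would come from the installed package version (or `dovecot --version`) and the output of `doveconf -n`.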