The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Dovecot IMAP/POP3 Server Buffer Overflow
------------------------------------------------------------------------
SUMMARY
"Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like
systems, written with security primarily in mind. Although it's written in
C, it uses several coding techniques to avoid most of the common
pitfalls."
Dovecot IMAP/POP3 Server suffers from a buffer overflow vulnerability when
mmap_disable=yes setting is used.
DETAILS
Vulnerable Systems:
* Dovecot IMAP/POP3 Server versions 1.0test53 to 1.0.rc14.
Immune Systems:
* Dovecot IMAP/POP3 Server versions 0.99.x (they don't have mmap_disable
setting).
When mmap_disable=yes setting is used (not default), dovecot.index.cache
file is read to memory using "file cache" code. It contains a "mapped
pages" bitmask buffer. In some conditions when updating the buffer it
allocates one byte too little.
Exploitability: It's going to be pretty difficult to cause anything else
than a crash, but not impossible. Only logged in IMAP/POP3 users can
exploit this.
In theory you might be able to exploit this for other users as well by
sending them a lot of specially crafted emails, but this requires knowing
what dovecot.index.cache file contains. Normally its contents can't be
predicted, although perhaps with POP3 users it gets empty often enough
that the exploit could be tried. Then again, the exploit requires having
at least 4MB cache file, which won't happen with POP3 users before the
mailbox has about 170k mails (if I counted right).
With IMAP the cache file is used more, so it's easier to fill the 4MB with
for example a lot of To-headers.
Workaround:
Use INDEX=MEMORY so the cache files aren't used at all.
Fix:
Version 1.0.rc15 fixes this. You can also use this patch:
<http://dovecot.org/patches/1.0/file-cache-buffer-overflow-fix.diff>
http://dovecot.org/patches/1.0/file-cache-buffer-overflow-fix.diff
ADDITIONAL INFORMATION
The information has been provided by <mailto:tss@iki.fi> Timo Sirainen.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
