[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: CVE-2017-15132: dovecot: auth client leaks memory if SASL authentication is abort
From:       Aki Tuomi <aki.tuomi () open-xchange ! com>
Date:       2018-01-31 6:48:28
Message-ID: 1460642161.10860.1517381308655 () appsuite ! open-xchange ! com
[Download RAW message or body]


> On January 25, 2018 at 11:35 AM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
> 
> 
> Score: 5.3, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
> Affected versions: 2.0 up to 2.2.33 and 2.3.0
> Fixed versions: 2.2.34 (not released yet), 2.3.1 (not released yet)
> 
> We have identified a memory leak in Dovecot auth client used by login
> processes. The leak has impact in high performance configuration where
> same login processes are reused and can cause the process to crash due to memory exhaustion.
> 
> Patch to apply this issue can be found from \
> https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch 
> To our best knowledge, this patch should apply to all versions.
> 
> This issue can be mitigated on vulnerably systems by limiting login process to single request \
> per process, which is also the default value. 
> Regards,
> Aki Tuomi
> Dovecot oy

Team Debian has found an issue with our patch. Dovecot login process would crash after few \
minutes of idle after consecutive aborted logins.

This is fixed with https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22.patch


We would like to thank Apollon and Salvatore for raising this to our attention. 

Aki Tuomi
Dovecot oy


[prev in list] [next in list] [prev in thread] [next in thread]