Arch Linux Security Advisory ASA-202005-9
========================================
Severity: High
Date    : 2020-05-19
CVE-ID  : CVE-2020-10957 CVE-2020-10958 CVE-2020-10967
Package : dovecot
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1162

Summary
======
The package dovecot before version 2.3.10.1-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
=========
Upgrade to 2.3.10.1-1.

# pacman -Syu "dovecot>=2.3.10.1-1"

The problems have been fixed upstream in version 2.3.10.1.
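The following POSIX shell script is an added example, not part of the Arch
advisory or of the Dovecot project: it checks whether the Dovecot version on a
host is at or above the fixed upstream release 2.3.10.1. It reads the version
from `dovecot --version` (which prints the version followed by a git hash in
parentheses) or, if the binary is not on PATH, from `pacman -Q dovecot`, and
tolerates an Arch pkgrel suffix such as "-1". The comparison is numeric per
dotted component; pre-release tags like "rc1" are not handled and are an
assumption of the example's scope.

```shell
#!/bin/sh
# Added example (not from the Arch advisory or Dovecot): is the installed
# Dovecot at or above the version that fixes ASA-202005-9?

FIXED_VERSION="2.3.10.1"

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Components are compared as integers; a missing component counts as 0,
# so "2.3.10" < "2.3.10.1". Non-numeric components are out of scope.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        [ -z "$ac" ] && ac=0
        [ -z "$bc" ] && bc=0
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# dovecot_is_fixed VERSION: return 0 if VERSION is >= FIXED_VERSION.
# Accepts "2.3.10.1", "2.3.10.1-1" (Arch pkgver-pkgrel) and
# "2.3.10.1 (a3d0e1171)" (the format printed by `dovecot --version`).
dovecot_is_fixed() {
    v="$1"
    v="${v%% *}"     # drop the " (githash)" suffix
    v="${v%%-*}"     # drop the Arch pkgrel, e.g. 2.3.10.1-1 -> 2.3.10.1
    version_ge "$v" "$FIXED_VERSION"
}

# check_installed: obtain the installed version and report. Exit status:
# 0 = fixed, 1 = vulnerable, 2 = dovecot not found.
check_installed() {
    if command -v dovecot >/dev/null 2>&1; then
        v="$(dovecot --version)"
    elif command -v pacman >/dev/null 2>&1; then
        v="$(pacman -Q dovecot 2>/dev/null | awk '{print $2}')"
    else
        echo "dovecot not found" >&2
        return 2
    fi
    if dovecot_is_fixed "$v"; then
        echo "dovecot $v: at or above 2.3.10.1, ASA-202005-9 fixed"
    else
        echo "dovecot $v: VULNERABLE, upgrade to dovecot>=2.3.10.1-1"
        return 1
    fi
}

# Run the live check only when invoked with --check, so the functions can
# also be sourced and tested without touching the host.
case "${1:-}" in
    --check) check_installed ;;
esac
```

Run it as `sh check-dovecot.sh --check`; a non-zero exit status means the host
still needs the upgrade and can be used directly in a fleet-wide sweep.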

Workaround
=========
None.

Description
==========
- CVE-2020-10957 (denial of service)

A NULL-pointer dereference issue has been found in Dovecot before
2.3.10.1 in the lmtp/submission component. A client can crash the
server by sending a NOOP command with an invalid string parameter. This
occurs particularly for a parameter that doesn't start with a double
quote. This applies to all SMTP services, including submission-login,
which makes it possible to crash the submission service without
authentication.

- CVE-2020-10958 (arbitrary code execution)

A security issue has been found in Dovecot before 2.3.10.1 in the
lmtp/submission component. Sending many invalid or unknown commands can
cause the server to access freed memory, which can lead to a server
crash. This happens when the server closes the connection with a "421
Too many invalid commands" error. The bad command limit depends on the
service (lmtp or submission) and varies between 10 and 20 bad commands.

- CVE-2020-10967 (denial of service)

A security issue has been found in Dovecot before 2.3.10.1 in the
lmtp/submission component. An authenticated attacker could send an
e-mail via the submission service with an empty quoted local part,
which would cause the submission or lmtp component to crash. An
unauthenticated attacker could send an e-mail with a bad sender or
recipient address, causing the e-mail to be passed to LMTP for delivery
and then crash the LMTP component, unless some kind of filtering has
been set up at the MTA level.

Impact
=====
A remote, unauthenticated attacker can crash the server, causing a
denial of service. Under certain circumstances it might be possible for
a remote attacker to execute arbitrary code on the affected host.

References
=========
https://dovecot.org/pipermail/dovecot-news/2020-May/000437.html
https://dovecot.org/pipermail/dovecot-news/2020-May/000438.html
https://github.com/dovecot/core/commit/d143ca6b7ee1196ae3eafffbf6dee71a95a5e0b8
https://github.com/dovecot/core/commit/606724bd528b92347dce580d3ab48fc1e3c2f4d7
https://github.com/dovecot/core/commit/aedb205c79395de77127fb7166b29b09319df23c
https://github.com/dovecot/core/commit/874817b169d19a4ae51d80ad5798a396bfe90136
https://github.com/dovecot/core/commit/5efeccc10beccbf8d7700adec1278f97d416cbc6
https://github.com/dovecot/core/commit/2b4f1e47a4ca8a192bf3f7e944c0ad07b21b2ed1
https://github.com/dovecot/core/commit/563bf21d8228a3c06c63b3f289a90ca3d0c579a4
https://github.com/dovecot/core/commit/18d5837748d3eafe56e080653d5ed0b3e221be0b
https://github.com/dovecot/core/commit/063462d588eaea6f266596fae5f5470792dcc98d
https://github.com/dovecot/core/commit/b34002a4ca301ed94cd944ee3504287ed7e58031
https://github.com/dovecot/core/commit/92d9690da195b6ceaa878ab1df6c7c31a75f63f8
https://github.com/dovecot/core/commit/cbab48f174580bfb8d49321d8d336f96a231b0cd
https://security.archlinux.org/CVE-2020-10957
https://security.archlinux.org/CVE-2020-10958
https://security.archlinux.org/CVE-2020-10967

ArchLinux: 202005-9: dovecot: multiple issues

May 23, 2020