Date: Wed, 22 May 2013 16:20:30 +0530 From: Huzaifa Sidhpurwala <huzaifas@...hat.com> To: oss-security@...ts.openwall.com CC: Agostino Sarubbo <ago@...too.org> Subject: Re: CVE request: dovecot : "APPEND" Parameters Processing Denial of Service Vulnerability On 05/22/2013 12:28 AM, Agostino Sarubbo wrote: > From the secunia advisory SA53492 : > > Description > A vulnerability has been reported in Dovecot, which can be exploited by > malicious users to cause a DoS (Denial of Service). > > The vulnerability is caused due to an error within IMAP functionality when > processing the "APPEND" parameters and can be exploited to cause a hang. > > The vulnerability is reported in version 2.2. > > > Solution > Update to version 2.2.2. > > Provided and/or discovered by > Reported by the vendor. > > Original Advisory > http://www.dovecot.org/list/dovecot-news/2013-May/000255.html > > Commit: > http://hg.dovecot.org/dovecot-2.2/rev/ea0390e1789f > > : https://secunia.com/advisories/53492/ > Note: I found a similar commit in dovecot-2.2 repo: http://hg.dovecot.org/dovecot-2.2/rev/0b7039a614f7 the commit message says " imap: Fixed assert-crash on invalid APPEND parameters." I am not very familiar with the dovecot code, but taking a brief look suggests that parsing APPEND in some way could result in hitting assert. -- Huzaifa Sidhpurwala / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.