From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-ID: <455FA6A1.2020701@parkheights.dyndns.org> Date: Sat, 18 Nov 2006 19:34:41 -0500 From: sergey ivanov User-Agent: Thunderbird 1.5.0.5 (X11/20060822) MIME-Version: 1.0 To: ALT Linux Sisyphus discussion list X-Enigmail-Version: 0.94.1.0 Content-Type: multipart/mixed; boundary="------------000500050607050403060202" Subject: [sisyphus] I: dovecot-1.0-alt8-rc15 X-BeenThere: sisyphus@lists.altlinux.org X-Mailman-Version: 2.1.9rc1 Precedence: list Reply-To: ALT Linux Sisyphus discussion list List-Id: ALT Linux Sisyphus discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 19 Nov 2006 00:37:17 -0000 Archived-At: List-Archive: List-Post: This is a multi-part message in MIME format. --------------000500050607050403060202 Content-Type: text/plain; charset=KOI8-R Content-Transfer-Encoding: quoted-printable =F7=D3=C5=CD =D0=D2=C9=D7=C5=D4! =E1=D7=D4=CF=D2 (=F4=C9=CD=CF =F3=C9=D2=C1=CA=CE=C5=CE) =D0=D2=C5=C4=CC=C1= =C7=C1=C5=D4 =CF=C2=CE=CF=D7=C9=D4=D8 =C4=CF=D7=C5=CB=CF=D4 =C4=CF =CE=CF= =D7=CF=CA =D7=C5=D2=D3=C9=C9 =C9=CC=C9 =D0=CF =CB=D2=C1=CA=CE=C5=CA =CD=C5=D2=C5 =D5=D3=D4=C1=CE=CF=D7=C9=D4=D8 INDEX=3DMEMORY =DE=D4=CF=C2=D9= =DA=C1=CB=D2=D9=D4=D8 =D0=CF=D4=C5=CE=C3=C9=C1=CC=D8=CE=D5=C0 =D5=D1=DA=D7= =C9=CD=CF=D3=D4=D8 =D7 =D0=D2=C5=C4=D9=C4=D5=DD=C9=C8 =D7=C5=D2=D3=C9=D1=C8 =C4=CF=D7=C5=CB=CF=D4=C1. =F7 incoming =CE=C1=D0=D2= =C1=D7=CC=C5=CE=C1 =C9=D3=D0=D2=C1=D7=CC=C5=CE=CE=C1=D1 =D7=C5=D2=D3=C9=D1= rc15, =D7 =CB=CF=D4=CF=D2=CF=CA =DC=D4=C1 =D5=D1=DA=D7=C9=CD=CF=D3=D4=D8 =CF=D4=D3=D5=D4=D3=D4=D7=D5=C5=D4. --=20 =F3=C5=D2=C7=C5=CA --------------000500050607050403060202 Content-Type: message/rfc822; name*0="[Dovecot-news] Security hole #2: Off-by-one buffer overflow with"; name*1=" mmap_disable=yes" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename*0="[Dovecot-news] Security hole #2: Off-by-one buffer overflow "; filename*1="with mmap_disable=yes" Return-Path: X-Original-To: seriv@parkheights.dyndns.org Delivered-To: seriv@parkheights.dyndns.org Received: from localhost (localhost.localdomain [127.0.0.1]) by alt64.menlo (Postfix) with ESMTP id AA465141D301 for ; Sat, 18 Nov 2006 19:16:04 -0500 (EST) X-Virus-Scanned: amavisd-new at parkheights.dyndns.org Received: from alt64.menlo ([127.0.0.1]) by localhost (parkheights.dyndns.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lHy5TI+OmeNn for ; Sat, 18 Nov 2006 19:16:02 -0500 (EST) Authentication-Results: parkheights.dyndns.org sender=dovecot-news-bounces@dovecot.org; domainkey=neutral (no signature; no policy for dovecot.org) Received: from dovecot.org (dovecot.org [213.157.71.38]) by alt64.menlo (Postfix) with ESMTP id 47236141D300 for ; Sat, 18 Nov 2006 19:16:02 -0500 (EST) Received: from talvi.dovecot.org (localhost [127.0.0.1]) by dovecot.org (Postfix) with ESMTP id 2E9B0F0C57; Sun, 19 Nov 2006 02:19:10 +0200 (EET) X-Original-To: dovecot-news@dovecot.org Delivered-To: dovecot-news@dovecot.org Received: from hurina (a88-113-54-243.elisa-laajakaista.fi [88.113.54.243]) by dovecot.org (Postfix) with ESMTP id 272E1F0C0D; Sun, 19 Nov 2006 02:19:05 +0200 (EET) From: Timo Sirainen To: dovecot-news@dovecot.org, dovecot@dovecot.org Date: Sun, 19 Nov 2006 02:17:36 +0200 Message-Id: <1163895456.8783.317.camel@hurina> Mime-Version: 1.0 X-Mailer: Evolution 2.6.3 Subject: [Dovecot-news] Security hole #2: Off-by-one buffer overflow with mmap_disable=yes X-BeenThere: dovecot-news@dovecot.org X-Mailman-Version: 2.1.8 Precedence: list Reply-To: dovecot@dovecot.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: multipart/mixed; boundary="===============7151560796224883354==" Mime-version: 1.0 Sender: dovecot-news-bounces@dovecot.org Errors-To: dovecot-news-bounces@dovecot.org X-DSPAM-Result: Whitelisted X-DSPAM-Processed: Sat Nov 18 19:16:06 2006 X-DSPAM-Confidence: 0.9992 X-DSPAM-Probability: 0.0000 X-DSPAM-Signature: 500,455fa246105711894315876 X-DSPAM-Factors: 27, Content-Type*multipart/signed, 0.00046, Content-Type*signature", 0.00046, Content-Type*signature, 0.00047, Content-Type*protocol="application/pgp+signature", 0.00048, Content-Type*protocol="application/pgp, 0.00048, Content-Type*application/pgp+signature, 0.00048, Content-Type*application/pgp, 0.00048, Content-Type*micalg=pgp, 0.00049, Content-Type*sha1, 0.00049, Content-Type*micalg=pgp+sha1, 0.00049, Content-Transfer-Encoding*quoted, 0.00064, Content-Transfer-Encoding*printable, 0.00064, Content-Transfer-Encoding*quoted+printable, 0.00064, X-Mailman-Version*2.1.8, 0.00068, Content-Type*multipart/signed+micalg=pgp, 0.00070, Sender*bounces+dovecot.org, 0.00075, Authentication-Results*parkheights.dyndns.org+sender=dovecot, 0.00075, Authentication-Results*bounces+dovecot.org, 0.00075, Sender*dovecot, 0.00075, X-BeenThere*dovecot.org, 0.00075, Received*from+talvi.dovecot.org, 0.00075, Received*talvi.dovecot.org, 0.00075, Errors-To*dovecot.org, 0.00075, Received*talvi.dovecot.org+(localhost, 0.00075, X-BeenThere*dovecot, 0.00075, Errors-To*bounces+dovecot.org, 0.00075, Authentication-Results*dovecot.org, 0.00075 --===============7151560796224883354== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-NDwRMMNGMi4bryLu9HOq" --=-NDwRMMNGMi4bryLu9HOq Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Version: 1.0test53 .. 1.0.rc14 (ie. all 1.0alpha, 1.0beta and 1.0rc versions so far). 0.99.x versions are safe (they don't even have mmap_disable setting). Problem: When mmap_disable=3Dyes setting is used, dovecot.index.cache file is read to memory using "file cache" code. It contains a "mapped pages" bitmask buffer. In some conditions when updating the buffer it allocates one byte too little. Exploitability: I think it's going to be pretty difficult to cause anything else than a crash, but I wouldn't say impossible. Only logged in IMAP/POP3 users can exploit this. In theory you might be able to exploit this for other users as well by sending them a lot of specially crafted emails, but this requires knowing what dovecot.index.cache file contains. Normally its contents can't be predicted, although perhaps with POP3 users it gets empty often enough that the exploit could be tried. Then again, the exploit requires having at least 4MB cache file, which won't happen with POP3 users before the mailbox has about 170k mails (if I counted right). With IMAP the cache file is used more, so it's easier to fill the 4MB with for example a lot of To-headers. Workaround: Use INDEX=3DMEMORY so the cache files aren't used at all. Fix: 1.0.rc15 fixes this. You can also use this patch: http://dovecot.org/patches/1.0/file-cache-buffer-overflow-fix.diff --=-NDwRMMNGMi4bryLu9HOq Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQBFX6KfyUhSUUBViskRAsEEAKCjAjy/aY+sZeN6xIfg+wdixKzpBQCfRdlz rAWsCtoaE4DS1uOQ6a+9w9g= =MD1c -----END PGP SIGNATURE----- --=-NDwRMMNGMi4bryLu9HOq-- --===============7151560796224883354== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Dovecot-news mailing list Dovecot-news@dovecot.org http://dovecot.org/cgi-bin/mailman/listinfo/dovecot-news --===============7151560796224883354==-- --------------000500050607050403060202--