* [Sysadmins] Fwd: [sisyphus] I: dovecot-1.0-alt8-rc15
@ 2006-11-19 10:47 Michael Shigorin
0 siblings, 0 replies; only message in thread
From: Michael Shigorin @ 2006-11-19 10:47 UTC (permalink / raw)
To: sysadmins
----- Forwarded message from sergey ivanov <seriv/parkheights.dyndns.org> -----
Date: Sat, 18 Nov 2006 19:34:41 -0500
From: sergey ivanov <seriv/parkheights.dyndns.org>
To: ALT Linux Sisyphus discussion list <sisyphus/lists.altlinux.org>
Subject: [sisyphus] I: dovecot-1.0-alt8-rc15
Всем привет!
Автор (Тимо Сирайнен) предлагает обновить довекот до новой версии или по крайней
мере установить INDEX=MEMORY чтобы закрыть потенциальную уязвимость в предыдущих
версиях довекота. В incoming направлена исправленная версия rc15, в которой эта
уязвимость отсутствует.
--
Сергей
Date: Sun, 19 Nov 2006 02:17:36 +0200
From: Timo Sirainen <tss/iki.fi>
To: dovecot-news/dovecot.org, dovecot/dovecot.org
Subject: [Dovecot-news] Security hole #2: Off-by-one buffer overflow with mmap_disable=yes
Version: 1.0test53 .. 1.0.rc14 (ie. all 1.0alpha, 1.0beta and 1.0rc
versions so far).
0.99.x versions are safe (they don't even have mmap_disable setting).
Problem: When mmap_disable=yes setting is used, dovecot.index.cache file
is read to memory using "file cache" code. It contains a "mapped pages"
bitmask buffer. In some conditions when updating the buffer it allocates
one byte too little.
Exploitability: I think it's going to be pretty difficult to cause
anything else than a crash, but I wouldn't say impossible. Only logged
in IMAP/POP3 users can exploit this.
In theory you might be able to exploit this for other users as well by
sending them a lot of specially crafted emails, but this requires
knowing what dovecot.index.cache file contains. Normally its contents
can't be predicted, although perhaps with POP3 users it gets empty often
enough that the exploit could be tried. Then again, the exploit requires
having at least 4MB cache file, which won't happen with POP3 users
before the mailbox has about 170k mails (if I counted right).
With IMAP the cache file is used more, so it's easier to fill the 4MB
with for example a lot of To-headers.
Workaround: Use INDEX=MEMORY so the cache files aren't used at all.
Fix: 1.0.rc15 fixes this. You can also use this patch:
http://dovecot.org/patches/1.0/file-cache-buffer-overflow-fix.diff
_______________________________________________
Dovecot-news mailing list
Dovecot-news/dovecot.org
http://dovecot.org/cgi-bin/mailman/listinfo/dovecot-news
_______________________________________________
Sisyphus mailing list
Sisyphus/lists.altlinux.org
https://lists.altlinux.org/mailman/listinfo/sisyphus
----- End forwarded message -----
--
---- WBR, Michael Shigorin <mike@altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2006-11-19 10:47 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2006-11-19 10:47 [Sysadmins] Fwd: [sisyphus] I: dovecot-1.0-alt8-rc15 Michael Shigorin
ALT Linux sysadmins discussion
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/sysadmins/0 sysadmins/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 sysadmins sysadmins/ http://lore.altlinux.org/sysadmins \
sysadmins@lists.altlinux.org sysadmins@lists.altlinux.ru sysadmins@lists.altlinux.com
public-inbox-index sysadmins
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.sysadmins
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git