FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

dovecot -- Buffer overflow reading extension header

Affected packages
dovecot < 2.3.5.1

Details

VuXML ID 7862213c-5152-11e9-8b26-a4badb296695
Discovery 2019-02-05
Entry 2019-03-28

Aki Tuomi reports:

Vulnerability Details: When reading FTS or POP3-UIDL header from dovecot index, the input buffer size is not bound, and data is copied to target structure causing stack overflow. Risk: This can be used for local root privilege escalation or executing arbitrary code in dovecot process context. This requires ability to directly modify dovecot indexes. Steps to reproduce: Produce dovecot.index.log entry that creates an FTS header which has more than 12 bytes of data. Trigger dovecot indexer-worker or run doveadm index. Dovecot will crash. Mitigations: Since 2.3.0 dovecot has been compiled with stack smash protection, ASLR, read-only GOT tables and other techniques that make exploiting this bug much harder.

References

CVE Name CVE-2019-7524
URL http://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-7524
URL https://dovecot.org/list/dovecot-news/2019-March/000401.html