CVE request: Dovecot remote DoS on TLS connections

[Hanno Böck <hanno () hboeck de>]

Hi,

The current Dovecot (2.2.16) imap/pop3 server has an issue that
handshake failures will lead to a crash of the login process.

An example where this is triggered is if the server is configured to
not allow SSLv3 connections and a client tries to connect with SSLv3
only.

The reason is that the error handling routine will try to finish the
handshake and that will crash. Details here:
http://dovecot.org/pipermail/dovecot/2015-April/100618.html

I had created a patch, one of the dovecot devs created a more thorough
patch that will probably catch more error states properly:
http://dovecot.org/tmp/diff
(url likely not stable)
Nothing is applied yet I think.

I think this deserves a CVE.


There is a related issue in openssl: It will crash instead of throwing
an error if one tries to use a connection context that already failed.
One could argue that this is not an openssl issue, because apps need to
properly check errors. Matt Caswell has created a patch to let openssl
handle these situations more gracefully:
https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: _bin
Description: OpenPGP digital signature