Re: CVE request: Dovecot DoS in 2.x (fixed in 2.1.11)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/03/2012 10:33 AM, Vincent Danen wrote:
> Could a CVE be assigned for the following please?
>
> Dovecot 2.1.11 was released and includes a fix for a crash
> condition when the IMAP server was issued a SEARCH command with
> multiple KEYWORD parameters.  An authenticated remote user could
> use this flaw to crash Dovecot.
>
> The upstream fix was to remove the keyword merging code.  This
> code does not exist in Dovecot 1.x, but it does affect 2.x
> versions, at least as far back as 2.0.9 (earliest version I
> checked).
>
> References:
>
> http://www.dovecot.org/list/dovecot-news/2012-November/000235.html 
> http://secunia.com/advisories/51455 
> http://hg.dovecot.org/dovecot-2.1/rev/0306792cc843 
> https://bugzilla.redhat.com/show_bug.cgi?id=883060
>
>
> Thanks.

Please use CVE-2012-5620 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQvVf1AAoJEBYNRVNeJnmTm+cP/3EJPDqt7UsmNiL/SEEDoArJ
Jg3FuJCnGrMC3MHiZhmAaaeGErP2qzVsB74X+xeRt6tML/KVbUjlSiMJnFDDYiEV
hNOmlPZKU8h9on84QbkRLTTwGYC64ugwAgihcw8oTQ3djaW1krlBXRkAeqF1iQI5
R8ereH+DGK9fGfBf16fQihhOnawURqP+Ggdmfx/5AqJQRgFnJhJ48ub6CCETA+0f
VtrVph3FBEYphW2J7NhXg8xGT37/dyzTsmNGaSA4kD+B/W5shtqBBdDPND1nMNLD
RwLw6NpkxI6QuOoCgbQsA1VYGdemPr0kNBkspf2kpe441EI+xLz7UdOHn2IT6DM9
28wppRZbjU/Sr1wciRDO6hI5L8VMrtLGf1plkmwvdTBiXh8fUtmLkvVqizFJ1d0K
Z8tE2ZLsaZdLJIH0P5RFi/kPC+PNh5wr785jmSvfZiFEj76Dj5GcxuPDWS/6ahU6
czTbqjeVGtR7KBYjwKSbxVaW4+IZy9H67zBgVlvvA9Goi4mkKo50oYBh1PH6ILVh
YXFlPiSjrblIiwFCUxsBIdJdQ1Wn+9EUNGMfKYlqFXiMK5uqDzglz+/EsZyXCjRi
DMalSuZAgmDUsAFmyrm7pZFf9M2/pyloHnzufgr4m7kL3yFjODj6Bt8rDIkodQz8
+fI9BUILwv3SWtc323iS
=hyvM
-----END PGP SIGNATURE-----