Re: CVE-2017-15132: dovecot: auth client leaks memory if SASL authentication is aborted.

[Aki Tuomi <aki.tuomi () open-xchange com>]

> On January 25, 2018 at 11:35 AM Aki Tuomi <aki.tuomi () open-xchange com> wrote:
>
>
> Score: 5.3, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
> Affected versions: 2.0 up to 2.2.33 and 2.3.0
> Fixed versions: 2.2.34 (not released yet), 2.3.1 (not released yet)
>
> We have identified a memory leak in Dovecot auth client used by login
> processes. The leak has impact in high performance configuration where
> same login processes are reused and can cause the process to crash due to memory exhaustion.
>
> Patch to apply this issue can be found from 
> https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
>
> To our best knowledge, this patch should apply to all versions.
>
> This issue can be mitigated on vulnerably systems by limiting login process to single request per process, which is 
> also the default value.
>
> Regards,
> Aki Tuomi
> Dovecot oy

Team Debian has found an issue with our patch. Dovecot login process would crash after few minutes of idle after 
consecutive aborted logins.

This is fixed with https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22.patch

We would like to thank Apollon and Salvatore for raising this to our attention. 

Aki Tuomi
Dovecot oy