Bug 225585

Summary:

mail/dovecot: FOLLOW UP: Fix memory leak in auth_client_request_abort()

Product:

Ports & Packages

Reporter:

VK <vlad-fbsd>

Component:

Individual Port(s)

Assignee:

Adam Weinberger <adamw>

Status:

Closed FIXED

Severity:

Affects Some People

CC:

ports-secteam, zeising

Priority:

---

Keywords:

patch, regression, security

Version:

Latest

Flags:

bugzilla: maintainer-feedback? (adamw)
vlad-fbsd: merge-quarterly?

Hardware:

Any

OS:

Any

URL:

https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22

See Also:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225446

Attachments:

Description	Flags
Fix memory leak and remove request after abort	none

Description VK freebsd_triage

2018-01-31 13:38:38 UTC

Heads up, apparently Debian team found a regression/problem with the fix applied through our bug #225446, and elaborated the fix with the following commit:

* https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22

Noted here:

* http://seclists.org/oss-sec/2018/q1/119

I haven't seen any issues. My build server has had a hardware meltdown yesterday, and I have to bring poudriere up on the new server today, so I'll port this and test in our Dovecot infra.

Comment 1 VK freebsd_triage

2018-01-31 13:43:06 UTC

Note: I badly worded the report, Debian team found the problem in the patch itself, not in FreeBSD's implementation...

Comment 2 Niclas Zeising freebsd_committer

2018-01-31 14:36:55 UTC

I can look at this in a few hours, if noone beats me.  I did the previous commit to dovecot for this vuln.

Comment 3 VK freebsd_triage

2018-02-01 02:17:55 UTC

Created attachment 190239 [details]
Fix memory leak and remove request after abort

Here. Build tested with Poudriere 11.1 amd64.

Have NOT yet tested functionally.

Comment 4 VK freebsd_triage

2018-02-01 02:42:01 UTC

Applied the patch to our Dovecot instances. So far so good. Tested with openssl s_client, aborted auth attempts, don't see any problems yet.

Comment 5 Adam Weinberger freebsd_committer

2018-02-01 05:10:55 UTC

Niclas, please feel free to apply this if needed.

Comment 6 commit-hook freebsd_committer

2018-02-01 13:23:59 UTC

A commit references this bug:

Author: zeising
Date: Thu Feb  1 13:23:41 UTC 2018
New revision: 460590
URL: https://svnweb.freebsd.org/changeset/ports/460590

Log:
  Complete fix for CVE-2017-15132

  Complete fix for CVE-2017-15132, the previous fix was not enough, and caused
  the request to remain after an abort, causing a use-after-free later on.

  PR:		225585
  Submitted by:	Vladimir Krstulja
  Approved by:	adamw (maintainer)
  MFH:		2018Q1

Changes:
  head/mail/dovecot/Makefile
  head/mail/dovecot/files/patch-src_lib-auth_auth-client-request.c
  head/mail/dovecot/files/patch-src_lib-auth_auth-server-connection.c
  head/mail/dovecot/files/patch-src_lib-auth_auth-server-connection.h

Comment 7 commit-hook freebsd_committer

2018-02-01 13:29:05 UTC

A commit references this bug:

Author: zeising
Date: Thu Feb  1 13:28:10 UTC 2018
New revision: 460596
URL: https://svnweb.freebsd.org/changeset/ports/460596

Log:
  MFH: r460590

  Complete fix for CVE-2017-15132

  Complete fix for CVE-2017-15132, the previous fix was not enough, and caused
  the request to remain after an abort, causing a use-after-free later on.

  PR:		225585
  Submitted by:	Vladimir Krstulja
  Approved by:	adamw (maintainer)

  Approved by:	ports-secteam (implicit, security fix)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/mail/dovecot/Makefile
  branches/2018Q1/mail/dovecot/files/patch-src_lib-auth_auth-client-request.c
  branches/2018Q1/mail/dovecot/files/patch-src_lib-auth_auth-server-connection.c
  branches/2018Q1/mail/dovecot/files/patch-src_lib-auth_auth-server-connection.h

Comment 8 Niclas Zeising freebsd_committer

2018-02-01 13:30:21 UTC

Committed, thanks for your submission!