
Re: Dovecot Update Fails on Jessie



Hi Rainer,

On  Sa 31 Aug 2019 09:52:47 CEST, Rainer Dorsch wrote:

It almost looks to me that dovecot restarts itself (?)

Aug 31 09:49:13 netcup systemd[1]: Stopping Dovecot IMAP/POP3 email server...
Aug 31 09:49:13 netcup dovecot[12165]: anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug 31 09:49:13 netcup dovecot[12165]: auth: Error: read(anvil-auth-penalty) failed: EOF
Aug 31 09:49:13 netcup dovecot[12165]: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied
Aug 31 09:49:13 netcup dovecot[12165]: imap-login: Error: read(anvil) failed: EOF
Aug 31 09:49:13 netcup dovecot[12165]: imap-login: Error: read(anvil) failed: EOF
Aug 31 09:49:13 netcup dovecot[12165]: imap: Server shutting down. in=160 out=105576
Aug 31 09:49:13 netcup dovecot[12165]: imap: Server shutting down. in=141 out=1696
Aug 31 09:49:13 netcup systemd[1]: Stopped Dovecot IMAP/POP3 email server.
Aug 31 09:49:13 netcup systemd[1]: Starting Dovecot IMAP/POP3 email server...
Aug 31 09:49:13 netcup systemd[1]: Started Dovecot IMAP/POP3 email server.
Aug 31 09:49:13 netcup dovecot[12180]: master: Dovecot v2.2.13 starting up for imap, sieve (core dumps disabled)


Can you check on /var/run/dovecot and see if those socket files [1] appear / do not appear (they might possibly come and go rapidly, so you need to be a trickster using the watch tool, maybe)? Please also let me know what permissions these files have.

Could it be possible by any reason, that /var/run/dovecot is either read-only or out-of-space?

From what I can tell (I looked at the diff between ~deb8u6 and ~deb8u7 and your console output), your issue may be coincidental with the upgrade of the dovecot package in jessie LTS. I am not saying that it is, but it could be. So let's better check out if something outside of dovecot might be causing this issue.

I have also attached the changes between ~deb8u6 and ~deb8u7 for review by yourself or others. I could not spot anything in the security patches applied that might cause such a severe issue as your report.

It would be interesting if downgrading dovecot back to ~deb8u6 [3] might get this system back into a usable state. If dovecot is the cause of your issue, it very probably will. If not, then something else is going on.

Greets,
Mike

[1] anvil, anvil-auth-penalty
[2] dovecot_2.2.13-12~deb8u6_2.2.13-12~deb8u7.debdiff
[3] http://snapshot.debian.org/package/dovecot/1%3A2.2.13-12%7Edeb8u6/#binpkgs
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
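
Added example, not part of the original mail: one way to run the checks requested above, namely whether the sockets from [1] exist under /var/run/dovecot, what their permissions are, and whether the directory is writable and has free space. The function names, sample count and interval are assumptions.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not Dovecot tooling.

# One line per expected socket: name, state, then mode and owner if it exists.
socket_report() {
    dir=$1; shift
    for name in "$@"; do
        path=$dir/$name
        if [ -S "$path" ]; then
            state=present
        elif [ -e "$path" ]; then
            state=not-a-socket
        else
            echo "$name missing"
            continue
        fi
        # ls -ld columns: 1 = mode string, 3 = owner, 4 = group
        echo "$name $state $(ls -ld "$path" | awk '{print $1, $3 ":" $4}')"
    done
}

# Is the runtime directory writable (false on a read-only mount) and how much
# space is left? df -P column 4 is the available space in 1K blocks.
dir_health() {
    if [ -w "$1" ]; then state=writable; else state=not-writable; fi
    echo "$state avail_kb=$(df -P "$1" | awk 'NR==2 {print $4}')"
}

# Sample several times, since the sockets may come and go during a restart.
sample() {
    dir=$1; count=$2; interval=$3
    i=0
    while [ "$i" -lt "$count" ]; do
        date '+%H:%M:%S'
        socket_report "$dir" anvil anvil-auth-penalty
        dir_health "$dir"
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
    done
}

# Usage on the affected host (as root): sample /var/run/dovecot 20 1
```

Running `sample` while restarting the service shows whether the sockets appear at all and with which mode and owner.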

diff -Nru dovecot-2.2.13/debian/changelog dovecot-2.2.13/debian/changelog
--- dovecot-2.2.13/debian/changelog	2019-03-29 12:38:40.000000000 +0100
+++ dovecot-2.2.13/debian/changelog	2019-08-29 20:23:16.000000000 +0200
@@ -1,3 +1,16 @@
+dovecot (1:2.2.13-12~deb8u7) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2019-11500
+    - lib-imap: Don't accept strings with NULs
+    - lib-imap: Make sure str_unescape() won't be writing past allocated
+      memory
+    - lib-managesieve: Don't accept strings with NULs
+    - lib-managesieve: Make sure str_unescape() won't be writing past
+      allocated memory
+
+ -- Roberto C. Sanchez <roberto@connexer.com>  Thu, 29 Aug 2019 14:23:16 -0400
+
 dovecot (1:2.2.13-12~deb8u6) jessie-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
diff -Nru dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch
--- dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch	1970-01-01 01:00:00.000000000 +0100
+++ dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch	2019-08-29 20:23:16.000000000 +0200
@@ -0,0 +1,36 @@
+From 58ffd3e8a02e54fc98b6be78e02b0511ee9263eb Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Fri, 10 May 2019 19:24:51 +0300
+Subject: [PATCH 1/2] lib-imap: Don't accept strings with NULs
+
+IMAP doesn't allow NULs except in binary literals. We'll still allow them
+in regular literals as well, but just not in strings.
+
+This fixes a bug with unescaping a string with NULs: str_unescape() could
+have been called for memory that points outside the allocated string,
+causing heap corruption. This could cause crashes or theoretically even
+result in remote code execution exploit.
+
+Found by Nick Roessler and Rafi Rubin
+[Salvatore Bonaccorso: Backported to 2.2.27: Rename back error field to
+parser->error, which was an upstream change around 2.3.0.rc1 with
+468440fab1a1 ("lib-imap: imap-parser: Renamed error field to
+error_msg.")]
+---
+ src/lib-imap/imap-parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/src/lib-imap/imap-parser.c
++++ b/src/lib-imap/imap-parser.c
+@@ -348,6 +348,11 @@ static int imap_parser_read_string(struc
+ 			break;
+ 		}
+ 
++		if (data[i] == '\0') {
++			parser->error = "NULs not allowed in strings";
++			return FALSE;
++		}
++
+ 		if (data[i] == '\\') {
+ 			if (i+1 == data_size) {
+ 				/* known data ends with '\' - leave it to
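Review bot: The header of this embedded patch is stale in two places: the diffstat claims `6 ++++++` and "6 insertions(+)" while the hunk `@@ -348,6 +348,11 @@` adds five lines, and the backport note names 2.2.27 although the tree being patched is dovecot-2.2.13. Please refresh the diffstat and add a line recording the further backport to 2.2.13, so a later reader can see that the `parser->error` field was checked against this version of `imap_parser_read_string()` and not only against 2.2.27.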
diff -Nru dovecot-2.2.13/debian/patches/lib-imap-Make-sure-str_unescape-won-t-be-writing-pas.patch dovecot-2.2.13/debian/patches/lib-imap-Make-sure-str_unescape-won-t-be-writing-pas.patch
--- dovecot-2.2.13/debian/patches/lib-imap-Make-sure-str_unescape-won-t-be-writing-pas.patch	1970-01-01 01:00:00.000000000 +0100
+++ dovecot-2.2.13/debian/patches/lib-imap-Make-sure-str_unescape-won-t-be-writing-pas.patch	2019-08-29 20:23:16.000000000 +0200
@@ -0,0 +1,33 @@
+From a56b0636b1bf9c7677c6fca9681f48752af700a1 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Fri, 17 May 2019 10:33:53 +0300
+Subject: [PATCH 2/2] lib-imap: Make sure str_unescape() won't be writing past
+ allocated memory
+
+The previous commit should already prevent this, but this makes sure it
+can't become broken in the future either. It makes the performance a tiny
+bit worse, but that's not practically noticeable.
+---
+ src/lib-imap/imap-parser.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
+index f41668d7a..7f58d99e2 100644
+--- a/src/lib-imap/imap-parser.c
++++ b/src/lib-imap/imap-parser.c
+@@ -267,10 +267,8 @@ static void imap_parser_save_arg(struct imap_parser *parser,
+ 
+ 		/* remove the escapes */
+ 		if (parser->str_first_escape >= 0 &&
+-		    (parser->flags & IMAP_PARSE_FLAG_NO_UNESCAPE) == 0) {
+-			/* -1 because we skipped the '"' prefix */
+-			(void)str_unescape(str + parser->str_first_escape-1);
+-		}
++		    (parser->flags & IMAP_PARSE_FLAG_NO_UNESCAPE) == 0)
++			(void)str_unescape(str);
+ 		arg->_data.str = str;
+ 		arg->str_len = strlen(str);
+ 		break;
+-- 
+2.11.0
+
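Review bot: In `imap_parser_save_arg()`, `parser->str_first_escape` is now used only as a flag (`>= 0`) and no longer as an offset, but the removed comment "-1 because we skipped the '"' prefix" is not replaced by anything that says so. A one-line comment stating that unescaping deliberately starts at `str`, so that it can never begin beyond the allocated string, would keep a later optimisation from reintroducing the offset arithmetic this patch removes.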
diff -Nru dovecot-2.2.13/debian/patches/lib-managesieve-Don-t-accept-strings-with-NULs.patch dovecot-2.2.13/debian/patches/lib-managesieve-Don-t-accept-strings-with-NULs.patch
--- dovecot-2.2.13/debian/patches/lib-managesieve-Don-t-accept-strings-with-NULs.patch	1970-01-01 01:00:00.000000000 +0100
+++ dovecot-2.2.13/debian/patches/lib-managesieve-Don-t-accept-strings-with-NULs.patch	2019-08-29 20:23:16.000000000 +0200
@@ -0,0 +1,36 @@
+From 7ce9990a5e6ba59e89b7fe1c07f574279aed922c Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Fri, 10 May 2019 19:43:55 +0300
+Subject: [PATCH 1/2] lib-managesieve: Don't accept strings with NULs
+
+ManageSieve doesn't allow NULs in strings.
+
+This fixes a bug with unescaping a string with NULs: str_unescape() could
+have been called for memory that points outside the allocated string,
+causing heap corruption. This could cause crashes or theoretically even
+result in remote code execution exploit.
+
+Found by Nick Roessler and Rafi Rubin
+---
+ src/lib-managesieve/managesieve-parser.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/pigeonhole/src/lib-managesieve/managesieve-parser.c b/pigeonhole/src/lib-managesieve/managesieve-parser.c
+index d3eb2101..f5f9d323 100644
+--- a/pigeonhole/src/lib-managesieve/managesieve-parser.c
++++ b/pigeonhole/src/lib-managesieve/managesieve-parser.c
+@@ -258,6 +258,11 @@ managesieve_parser_read_string(struct managesieve_parser *parser,
+ 			break;
+ 		}
+ 
++		if (data[i] == '\0') {
++			parser->error = "NULs not allowed in strings";
++			return FALSE;
++		}
++
+ 		if (data[i] == '\\') {
+ 			if (i+1 == data_size) {
+ 				/* known data ends with '\' - leave it to
+-- 
+2.11.0
+
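Review bot: The diffstat in this patch header lists `src/lib-managesieve/managesieve-parser.c`, but the diff itself targets `pigeonhole/src/lib-managesieve/managesieve-parser.c`, so the paths were rewritten for this source layout without that being recorded. Please add a short note to the header saying the patch was adapted, as the lib-imap patch does for its backport, and state which version it was checked against, since the `parser->error` assignment depends on the field name in this tree's `struct managesieve_parser`.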
diff -Nru dovecot-2.2.13/debian/patches/lib-managesieve-Make-sure-str_unescape-won-t-be-writ.patch dovecot-2.2.13/debian/patches/lib-managesieve-Make-sure-str_unescape-won-t-be-writ.patch
--- dovecot-2.2.13/debian/patches/lib-managesieve-Make-sure-str_unescape-won-t-be-writ.patch	1970-01-01 01:00:00.000000000 +0100
+++ dovecot-2.2.13/debian/patches/lib-managesieve-Make-sure-str_unescape-won-t-be-writ.patch	2019-08-29 20:23:16.000000000 +0200
@@ -0,0 +1,33 @@
+From 4a299840cdb51f61f8d1ebc0210b19c40dfbc1cc Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Fri, 17 May 2019 10:39:25 +0300
+Subject: [PATCH 2/2] lib-managesieve: Make sure str_unescape() won't be
+ writing past allocated memory
+
+The previous commit should already prevent this, but this makes sure it
+can't become broken in the future either. It makes the performance a tiny
+bit worse, but that's not practically noticeable.
+---
+ src/lib-managesieve/managesieve-parser.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/pigeonhole/src/lib-managesieve/managesieve-parser.c b/pigeonhole/src/lib-managesieve/managesieve-parser.c
+index f5f9d323..dc7d1fa9 100644
+--- a/pigeonhole/src/lib-managesieve/managesieve-parser.c
++++ b/pigeonhole/src/lib-managesieve/managesieve-parser.c
+@@ -169,10 +169,8 @@ static void managesieve_parser_save_arg(struct managesieve_parser *parser,
+ 
+ 			/* remove the escapes */
+ 			if (parser->str_first_escape >= 0 &&
+-				  (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0) {
+-				/* -1 because we skipped the '"' prefix */
+-				str_unescape(str + parser->str_first_escape-1);
+-			}
++				  (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0)
++				(void)str_unescape(str);
+ 
+ 			arg->_data.str = str;
+ 			arg->str_len = strlen(str);
+-- 
+2.11.0
+
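Review bot: Dropping the braces in `managesieve_parser_save_arg()` leaves a two-line condition followed by an unbraced single statement, and the continuation line is indented almost as far as the body, so `(void)str_unescape(str);` is easy to misread as part of the condition. I would keep the `{ }` around the call. The new `(void)` cast was also not present on the removed call `str_unescape(str + parser->str_first_escape-1);`; that is fine for consistency with imap-parser.c, but it is a style change riding along with a security fix and deserves a mention in the message.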
diff -Nru dovecot-2.2.13/debian/patches/series dovecot-2.2.13/debian/patches/series
--- dovecot-2.2.13/debian/patches/series	2019-03-29 12:38:40.000000000 +0100
+++ dovecot-2.2.13/debian/patches/series	2019-08-29 20:23:16.000000000 +0200
@@ -19,3 +19,7 @@
 0004-Fix-CVE-2017-15132-memory-leak-on-aborted-SASL-auth.patch
 CVE-2019-3814.patch
 CVE-2019-7524.patch
+lib-imap-Don-t-accept-strings-with-NULs.patch
+lib-imap-Make-sure-str_unescape-won-t-be-writing-pas.patch
+lib-managesieve-Don-t-accept-strings-with-NULs.patch
+lib-managesieve-Make-sure-str_unescape-won-t-be-writ.patch
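Review bot: The four new entries do not carry the CVE id in their file names, unlike `CVE-2019-3814.patch` and `CVE-2019-7524.patch` directly above them, so the series file alone no longer shows which patches implement the CVE-2019-11500 fix named in the changelog. Consider a `CVE-2019-11500-` prefix or a `#` comment line in `series` grouping them. The names ending in `-writing-pas.patch` and `-writ.patch` are also cut mid-word, which makes them hard to match to their subjects at a glance.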
