Hi Rainer,

On Sat 31 Aug 2019 09:52:47 CEST, Rainer Dorsch wrote:

It almost looks to me that dovecot restarts itself (?)

Aug 31 09:49:13 netcup systemd[1]: Stopping Dovecot IMAP/POP3 email server...
Aug 31 09:49:13 netcup dovecot[12165]: anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug 31 09:49:13 netcup dovecot[12165]: auth: Error: read(anvil-auth-penalty) failed: EOF
Aug 31 09:49:13 netcup dovecot[12165]: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied
Aug 31 09:49:13 netcup dovecot[12165]: imap-login: Error: read(anvil) failed: EOF
Aug 31 09:49:13 netcup dovecot[12165]: imap-login: Error: read(anvil) failed: EOF
Aug 31 09:49:13 netcup dovecot[12165]: imap: Server shutting down. in=160 out=105576
Aug 31 09:49:13 netcup dovecot[12165]: imap: Server shutting down. in=141 out=1696
Aug 31 09:49:13 netcup systemd[1]: Stopped Dovecot IMAP/POP3 email server.
Aug 31 09:49:13 netcup systemd[1]: Starting Dovecot IMAP/POP3 email server...
Aug 31 09:49:13 netcup systemd[1]: Started Dovecot IMAP/POP3 email server.
Aug 31 09:49:13 netcup dovecot[12180]: master: Dovecot v2.2.13 starting up for imap, sieve (core dumps disabled)
Can you check on /var/run/dovecot and see if those socket files [1] appear / do not appear (they might possibly come and go rapidly, so you need to be a trickster using the watch tool, maybe)? Please also let me know what permissions these files have.
Could it be possible, for any reason, that /var/run/dovecot is either read-only or out of space?
From what I can tell (I looked at the diff between ~deb8u6 and ~deb8u7 and your console output), your issue may be coincidental with the upgrade of the dovecot package in jessie LTS. I am not saying that it is, but it could be. So let's better check out if something outside of dovecot might be causing this issue.
I have also attached the changes between ~deb8u6 and ~deb8u7 for review by yourself or others. I could not spot anything in the security patches applied that might cause such a severe issue as you report.
It would be interesting if downgrading dovecot back to ~deb8u6 [3] might get this system back into a usable state. If dovecot is the cause of your issue, it very probably will. If not, then something else is going on.
Greets,
Mike

[1] anvil, anvil-auth-penalty
[2] dovecot_2.2.13-12~deb8u6_2.2.13-12~deb8u7.debdiff
[3] http://snapshot.debian.org/package/dovecot/1%3A2.2.13-12%7Edeb8u6/#binpkgs

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
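The checks requested in the mail above (socket presence, permissions, read-only or full filesystem), collected into one script as an added example that is not part of the original message. The function name `check_rundir`, the probe file name and the output format are assumptions; the socket names come from footnote [1].

```shell
#!/bin/sh
# Added example (not from the original mail): one-shot check of a Dovecot
# runtime directory for the conditions asked about above.
SOCKETS="anvil anvil-auth-penalty"   # socket names from footnote [1]

# check_rundir DIR: prints one finding per line; returns 0 only if the
# directory is writable, has free space, and both sockets exist as sockets.
check_rundir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL missing-dir $dir"
        return 1
    fi
    # A read-only mount or wrong permissions show up as a failed create.
    # Subshell: a failed redirection must not abort the calling shell.
    probe="$dir/.probe.$$"   # hypothetical scratch file name
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        echo "OK writable $dir"
    else
        echo "FAIL not-writable $dir"
        rc=1
    fi
    # Out-of-space: available 1K blocks as reported by POSIX df.
    avail=$(df -P "$dir" 2>/dev/null | awk 'NR==2 {print $4}')
    if [ "${avail:-0}" -gt 0 ] 2>/dev/null; then
        echo "OK free-kb $avail"
    else
        echo "FAIL free-kb ${avail:-unknown}"
        rc=1
    fi
    for s in $SOCKETS; do
        p="$dir/$s"
        if [ -S "$p" ]; then
            # mode, owner and group, i.e. the permissions asked for
            echo "OK socket $s $(ls -ld "$p" | awk '{print $1, $3, $4}')"
        elif [ -e "$p" ]; then
            echo "FAIL not-a-socket $s"
            rc=1
        else
            echo "FAIL absent $s"
            rc=1
        fi
    done
    return $rc
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then check_rundir "$1"; fi
```

Saved under an assumed name such as `check_rundir.sh`, it can be run as `watch -n 0.5 sh check_rundir.sh /var/run/dovecot` to catch sockets that come and go. Run as root, the write probe shows a read-only or broken mount but not what the dovecot users themselves may access.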
diff -Nru dovecot-2.2.13/debian/changelog dovecot-2.2.13/debian/changelog --- dovecot-2.2.13/debian/changelog 2019-03-29 12:38:40.000000000 +0100 +++ dovecot-2.2.13/debian/changelog 2019-08-29 20:23:16.000000000 +0200 @@ -1,3 +1,16 @@ +dovecot (1:2.2.13-12~deb8u7) jessie-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * Fix CVE-2019-11500 + - lib-imap: Don't accept strings with NULs + - lib-imap: Make sure str_unescape() won't be writing past allocated + memory + - lib-managesieve: Don't accept strings with NULs + - lib-managesieve: Make sure str_unescape() won't be writing past + allocated memory + + -- Roberto C. Sanchez <roberto@connexer.com> Thu, 29 Aug 2019 14:23:16 -0400 + dovecot (1:2.2.13-12~deb8u6) jessie-security; urgency=high * Non-maintainer upload by the LTS team. diff -Nru dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch --- dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch 1970-01-01 01:00:00.000000000 +0100 +++ dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch 2019-08-29 20:23:16.000000000 +0200 
@@ -0,0 +1,36 @@ +From 58ffd3e8a02e54fc98b6be78e02b0511ee9263eb Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Fri, 10 May 2019 19:24:51 +0300 +Subject: [PATCH 1/2] lib-imap: Don't accept strings with NULs + +IMAP doesn't allow NULs except in binary literals. We'll still allow them +in regular literals as well, but just not in strings. + +This fixes a bug with unescaping a string with NULs: str_unescape() could +have been called for memory that points outside the allocated string, +causing heap corruption. This could cause crashes or theoretically even +result in remote code execution exploit. + +Found by Nick Roessler and Rafi Rubin +[Salvatore Bonaccorso: Backported to 2.2.27: Rename back error field to +parser->error, which was an upstream change around 2.3.0.rc1 with +468440fab1a1 ("lib-imap: imap-parser: Renamed error field to +error_msg.")] +--- + src/lib-imap/imap-parser.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/src/lib-imap/imap-parser.c ++++ b/src/lib-imap/imap-parser.c +@@ -348,6 +348,11 @@ static int imap_parser_read_string(struc + break; + } + ++ if (data[i] == '\0') { ++ parser->error = "NULs not allowed in strings"; ++ return FALSE; ++ } ++ + if (data[i] == '\\') { + if (i+1 == data_size) { + /* known data ends with '\' - leave it to diff -Nru dovecot-2.2.13/debian/patches/lib-imap-Make-sure-str_unescape-won-t-be-writing-pas.patch dovecot-2.2.13/debian/patches/lib-imap-Make-sure-str_unescape-won-t-be-writing-pas.patch --- dovecot-2.2.13/debian/patches/lib-imap-Make-sure-str_unescape-won-t-be-writing-pas.patch 1970-01-01 01:00:00.000000000 +0100 +++ dovecot-2.2.13/debian/patches/lib-imap-Make-sure-str_unescape-won-t-be-writing-pas.patch 2019-08-29 20:23:16.000000000 +0200 
@@ -0,0 +1,33 @@ +From a56b0636b1bf9c7677c6fca9681f48752af700a1 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Fri, 17 May 2019 10:33:53 +0300 +Subject: [PATCH 2/2] lib-imap: Make sure str_unescape() won't be writing past + allocated memory + +The previous commit should already prevent this, but this makes sure it +can't become broken in the future either. It makes the performance a tiny +bit worse, but that's not practically noticeable. +--- + src/lib-imap/imap-parser.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c +index f41668d7a..7f58d99e2 100644 +--- a/src/lib-imap/imap-parser.c ++++ b/src/lib-imap/imap-parser.c +@@ -267,10 +267,8 @@ static void imap_parser_save_arg(struct imap_parser *parser, + + /* remove the escapes */ + if (parser->str_first_escape >= 0 && +- (parser->flags & IMAP_PARSE_FLAG_NO_UNESCAPE) == 0) { +- /* -1 because we skipped the '"' prefix */ +- (void)str_unescape(str + parser->str_first_escape-1); +- } ++ (parser->flags & IMAP_PARSE_FLAG_NO_UNESCAPE) == 0) ++ (void)str_unescape(str); + arg->_data.str = str; + arg->str_len = strlen(str); + break; +-- +2.11.0 + diff -Nru dovecot-2.2.13/debian/patches/lib-managesieve-Don-t-accept-strings-with-NULs.patch dovecot-2.2.13/debian/patches/lib-managesieve-Don-t-accept-strings-with-NULs.patch --- dovecot-2.2.13/debian/patches/lib-managesieve-Don-t-accept-strings-with-NULs.patch 1970-01-01 01:00:00.000000000 +0100 +++ dovecot-2.2.13/debian/patches/lib-managesieve-Don-t-accept-strings-with-NULs.patch 2019-08-29 20:23:16.000000000 +0200 
@@ -0,0 +1,36 @@ +From 7ce9990a5e6ba59e89b7fe1c07f574279aed922c Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Fri, 10 May 2019 19:43:55 +0300 +Subject: [PATCH 1/2] lib-managesieve: Don't accept strings with NULs + +ManageSieve doesn't allow NULs in strings. + +This fixes a bug with unescaping a string with NULs: str_unescape() could +have been called for memory that points outside the allocated string, +causing heap corruption. This could cause crashes or theoretically even +result in remote code execution exploit. + +Found by Nick Roessler and Rafi Rubin +--- + src/lib-managesieve/managesieve-parser.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/pigeonhole/src/lib-managesieve/managesieve-parser.c b/pigeonhole/src/lib-managesieve/managesieve-parser.c +index d3eb2101..f5f9d323 100644 +--- a/pigeonhole/src/lib-managesieve/managesieve-parser.c ++++ b/pigeonhole/src/lib-managesieve/managesieve-parser.c +@@ -258,6 +258,11 @@ managesieve_parser_read_string(struct managesieve_parser *parser, + break; + } + ++ if (data[i] == '\0') { ++ parser->error = "NULs not allowed in strings"; ++ return FALSE; ++ } ++ + if (data[i] == '\\') { + if (i+1 == data_size) { + /* known data ends with '\' - leave it to +-- +2.11.0 + diff -Nru dovecot-2.2.13/debian/patches/lib-managesieve-Make-sure-str_unescape-won-t-be-writ.patch dovecot-2.2.13/debian/patches/lib-managesieve-Make-sure-str_unescape-won-t-be-writ.patch --- dovecot-2.2.13/debian/patches/lib-managesieve-Make-sure-str_unescape-won-t-be-writ.patch 1970-01-01 01:00:00.000000000 +0100 +++ dovecot-2.2.13/debian/patches/lib-managesieve-Make-sure-str_unescape-won-t-be-writ.patch 2019-08-29 20:23:16.000000000 +0200 
@@ -0,0 +1,33 @@ +From 4a299840cdb51f61f8d1ebc0210b19c40dfbc1cc Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Fri, 17 May 2019 10:39:25 +0300 +Subject: [PATCH 2/2] lib-managesieve: Make sure str_unescape() won't be + writing past allocated memory + +The previous commit should already prevent this, but this makes sure it +can't become broken in the future either. It makes the performance a tiny +bit worse, but that's not practically noticeable. +--- + src/lib-managesieve/managesieve-parser.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/pigeonhole/src/lib-managesieve/managesieve-parser.c b/pigeonhole/src/lib-managesieve/managesieve-parser.c +index f5f9d323..dc7d1fa9 100644 +--- a/pigeonhole/src/lib-managesieve/managesieve-parser.c ++++ b/pigeonhole/src/lib-managesieve/managesieve-parser.c +@@ -169,10 +169,8 @@ static void managesieve_parser_save_arg(struct managesieve_parser *parser, + + /* remove the escapes */ + if (parser->str_first_escape >= 0 && +- (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0) { +- /* -1 because we skipped the '"' prefix */ +- str_unescape(str + parser->str_first_escape-1); +- } ++ (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0) ++ (void)str_unescape(str); + + arg->_data.str = str; + arg->str_len = strlen(str); +-- +2.11.0 + diff -Nru dovecot-2.2.13/debian/patches/series dovecot-2.2.13/debian/patches/series --- dovecot-2.2.13/debian/patches/series 2019-03-29 12:38:40.000000000 +0100 +++ dovecot-2.2.13/debian/patches/series 2019-08-29 20:23:16.000000000 +0200 @@ -19,3 +19,7 @@ 0004-Fix-CVE-2017-15132-memory-leak-on-aborted-SASL-auth.patch CVE-2019-3814.patch CVE-2019-7524.patch +lib-imap-Don-t-accept-strings-with-NULs.patch +lib-imap-Make-sure-str_unescape-won-t-be-writing-pas.patch +lib-managesieve-Don-t-accept-strings-with-NULs.patch +lib-managesieve-Make-sure-str_unescape-won-t-be-writ.patch
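Review bot: In lib-imap-Don-t-accept-strings-with-NULs.patch the patch header does not match the hunk it carries: the diffstat says `6 ++++++` and "6 insertions(+)" while the `@@ -348,6 +348,11 @@` hunk adds five lines, and the backport note still reads "Backported to 2.2.27" although the patch is applied to 2.2.13 here. Please refresh the diffstat and add a line stating that the patch was checked against 2.2.13, in particular that `parser->error` is the field name in this tree.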
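Review bot: In the imap_parser_save_arg() hunk of lib-imap-Make-sure-str_unescape-won-t-be-writing-pas.patch, `parser->str_first_escape` is no longer used as an offset, only as a `>= 0` flag, and the removed comment is not replaced by anything. A one-line comment saying that unescaping deliberately starts at the beginning of `str` would keep a later change from reintroducing the offset; the same applies to the matching managesieve_parser_save_arg() hunk. I would also keep the braces, since the condition spans two lines.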
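Review bot: In the managesieve_parser_read_string() hunk, the NUL rejection is added to the quoted-string reader only, while the commit message states without qualification that ManageSieve doesn't allow NULs in strings (the lib-imap message, by contrast, says regular literals may still carry them). Please say in the patch description whether ManageSieve literals are rejected elsewhere or are intentionally left alone, so that the changelog line "Don't accept strings with NULs" is not read as covering more than this hunk does.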
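Review bot: In the debian/patches/series hunk, the four new entries are named after the upstream commit subjects, whereas the two entries directly above them are `CVE-2019-3814.patch` and `CVE-2019-7524.patch`. Prefixing the new files with CVE-2019-11500 would make it possible to tell from the series file alone which patches belong to which CVE.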