Debian Bug report logs - #695138
dovecot: CVE-2012-5620

Package: dovecot; Maintainer for dovecot is Dovecot Maintainers <jaldhar-dovecot@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 4 Dec 2012 15:09:02 UTC

Severity: grave

Tags: security

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#695138; Package dovecot. (Tue, 04 Dec 2012 15:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Tue, 04 Dec 2012 15:09:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dovecot: CVE-2012-5620
Date: Tue, 04 Dec 2012 16:04:45 +0100
Package: dovecot
Severity: grave
Tags: security
Justification: user security hole

This entry from http://www.dovecot.org/list/dovecot-news/2012-November/000235.html
was assigned CVE-2012-5620:

>  imap: Fixed crash when SEARCH contained multiple KEYWORD parameters.

Fix:
http://hg.dovecot.org/dovecot-2.1/rev/0306792cc843

The posting on oss-security claims 1.2 doesn't contain the affected code:
http://seclists.org/oss-sec/2012/q4/395

However, mail_search_keywords_merge() also exists in 1.2.15 from Squeeze, so
this needs further investigation or clarification from upstream.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#695138; Package dovecot. (Tue, 04 Dec 2012 16:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Tue, 04 Dec 2012 16:21:03 GMT) Full text and rfc822 format available.

Message #10 received at 695138@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Timo Sirainen <tss@iki.fi>
Cc: 695138@bugs.debian.org
Subject: Re: Bug#695138: dovecot: CVE-2012-5620
Date: Tue, 4 Dec 2012 17:15:02 +0100
On Tue, Dec 04, 2012 at 05:59:37PM +0200, Timo Sirainen wrote:
> Not a security hole. A user can crash his/her own session. As bad as issuing a LOGOUT command. Completely pointless CVE.

Thanks for the clarification, I'll followup on the oss-security mailing
list to get the ID rejected.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#695138; Package dovecot. (Tue, 04 Dec 2012 16:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Timo Sirainen <tss@iki.fi>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Tue, 04 Dec 2012 16:30:05 GMT) Full text and rfc822 format available.

Message #15 received at 695138@bugs.debian.org (full text, mbox):

From: Timo Sirainen <tss@iki.fi>
To: Moritz Muehlenhoff <jmm@inutil.org>, 695138@bugs.debian.org
Subject: Re: Bug#695138: dovecot: CVE-2012-5620
Date: Tue, 4 Dec 2012 17:59:37 +0200
Not a security hole. A user can crash his/her own session. As bad as issuing a LOGOUT command. Completely pointless CVE.

On 4.12.2012, at 17.04, Moritz Muehlenhoff wrote:

> Package: dovecot
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> This entry from http://www.dovecot.org/list/dovecot-news/2012-November/000235.html
> was assigned CVE-2012-5620:
> 
>> imap: Fixed crash when SEARCH contained multiple KEYWORD parameters.
> 
> Fix:
> http://hg.dovecot.org/dovecot-2.1/rev/0306792cc843
> 
> The posting on oss-security claims 1.2 doesn't contain the affected code:
> http://seclists.org/oss-sec/2012/q4/395
> 
> However, mail_search_keywords_merge() also exists in 1.2.15 from Squeeze, so
> this needs further investigation or clarification from upstream.
> 
> Cheers,
>        Moritz
> 




Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Wed, 12 Dec 2012 17:57:14 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 12 Dec 2012 17:57:14 GMT) Full text and rfc822 format available.

Message #20 received at 695138-done@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Timo Sirainen <tss@iki.fi>
Cc: 695138-done@bugs.debian.org
Subject: Re: Bug#695138: dovecot: CVE-2012-5620
Date: Wed, 12 Dec 2012 18:52:05 +0100
On Tue, Dec 04, 2012 at 05:59:37PM +0200, Timo Sirainen wrote:
> Not a security hole. A user can crash his/her own session. As bad as issuing a LOGOUT command. Completely pointless CVE.

Closing. This CVE ID will be rejected.

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 10 Jan 2013 07:27:15 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:06:55 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.