On 2. Sep 2024, at 15.44, Guilhem Moulin via dovecot <dovecot@dovecot.org> wrote:
> 
> Hi Aki,
> 
>> we are releasing a CVE patch release 2.3.21.1.
> 
> Your message to the oss-security list [0] says both 2.2 and 2.3 versions
> are vulnerable to CVE-2024-23184.  Using the following test message as
> reproducer
> 
>    From: f...@example.net
>    To: b...@example.net
>      , b...@example.net
>      […]
>      , bar$n...@example.net
>    Bcc: b...@example.net
>    […]
>    Bcc: baz$n...@example.net
>    Date: $(LC_TIME=C.UTF-8 date -R)
>    Subject: boom
>    Message-Id: $(cat /proc/sys/kernel/random/uuid)@example.net
> 
>    boom
> 
> I could reproduce the issue back to 2.3.10 but not with earlier
> versions.  I used `doveadm fetch imap.envelope all` to measure the
> (non-cached) IMAP ENVELOPE command.
> 
> For n=100k, it takes ~20s with 2.3.19 vs. ~0.5s with early 2.3.x and
> 2.2.x.  For n=500k, I measured ~2s with early 2.3.x and 2.2.x, so for
> these versions it doesn't look like parsing is O(n²) in the number of
> addresses.
> 
> I didn't try to bisect to pinpoint the exact commit, but AFAICT the main
> problem you described
> 
> | each header line's address is added to the end of a linked list. This
> | is done by walking the whole linked list, which becomes more inefficient
> | the more addresses there are.
> 
> was introduced in 2.3.10 by
> https://github.com/dovecot/core/commit/469fcd3bdd7df40bb8f4d131121f3bfbceade02a .
> 
> Is my reproducer/analysis incorrect, or are versions before 2.3.10
> immune to CVE-2024-23184?  (AFAICT they are affected by CVE-2024-23185;
> only talking about -23184 here.)

Yes, looks like this is all correct. I guess we didn't really verify the oldest 
version this affects.
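A check an operator can run over a raw message to gauge exposure to the O(n²) ENVELOPE parsing discussed above: it unfolds continuation lines and collects repeated Bcc: headers (the two shapes the quoted reproducer uses) and counts the address entries, so messages with an abnormal recipient count can be flagged before they reach an unpatched server. This is an added example, not code from the thread or from Dovecot; the sample message and the threshold are constructed.

```python
import re
from email.utils import getaddresses

RECIPIENT_HEADERS = ("to", "cc", "bcc")
ADDRESS_LIMIT = 1000  # assumed policy threshold, not a Dovecot setting

# Constructed sample in the shape of the reproducer quoted in the thread:
# a folded To: header plus repeated Bcc: headers.
SAMPLE = (
    "From: from@example.net\r\n"
    "To: bar1@example.net\r\n"
    "  , bar2@example.net\r\n"
    "  , bar3@example.net\r\n"
    "Bcc: baz1@example.net\r\n"
    "Bcc: baz2@example.net\r\n"
    "Subject: boom\r\n"
    "\r\n"
    "boom\r\n"
)


def unfold_headers(raw):
    """Return [(name, value), ...] for the header section of a raw message,
    joining folded continuation lines (leading SP/HTAB) into their field."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    fields = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()  # continuation of previous field
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip().lower(), value.strip()])
    return [(n, v) for n, v in fields]


def count_recipient_addresses(raw):
    """Number of address entries across every To/Cc/Bcc header; a repeated
    Bcc: line is a separate field and contributes its own addresses."""
    values = [v for n, v in unfold_headers(raw) if n in RECIPIENT_HEADERS]
    return len(getaddresses(values))


def exceeds_limit(raw, limit=ADDRESS_LIMIT):
    """True when the recipient count is above the configured threshold."""
    return count_recipient_addresses(raw) > limit


if __name__ == "__main__":
    print(count_recipient_addresses(SAMPLE), exceeds_limit(SAMPLE))
```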

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org