On 2. Sep 2024, at 15.44, Guilhem Moulin via dovecot <dovecot@dovecot.org> wrote:
>
> Hi Aki,
>
>> we are releasing a CVE patch release 2.3.21.1.
>
> Your message to the oss-security list [0] says both 2.2 and 2.3 versions
> are vulnerable to CVE-2024-23184. Using the following test message as
> reproducer
>
> From: f...@example.net
> To: b...@example.net
> , b...@example.net
> […]
> , bar$n...@example.net
> Bcc: b...@example.net
> […]
> Bcc: baz$n...@example.net
> Date: $(LC_TIME=C.UTF-8 date -R)
> Subject: boom
> Message-Id: $(cat /proc/sys/kernel/random/uuid)@example.net
>
> boom
>
> I could reproduce the issue back to 2.3.10 but not with earlier
> versions. I used `doveadm fetch imap.envelope all` to measure the
> (non-cached) IMAP ENVELOPE command.
>
> For n=100k, it takes ~20s with 2.3.19 vs. ~0.5s with early 2.3.x and
> 2.2.x. For n=500k, I measured ~2s with early 2.3.x and 2.2.x, so for
> these versions it doesn't look like parsing is O(n²) in the number of
> addresses.
>
> I didn't try to bisect to pinpoint the exact commit, but AFAICT the main
> problem you described
>
> | each header line's address is added to the end of a linked list. This
> | is done by walking the whole linked list, which becomes more inefficient
> | the more addresses there are.
>
> was introduced in 2.3.10 by
> https://github.com/dovecot/core/commit/469fcd3bdd7df40bb8f4d131121f3bfbceade02a
> .
>
> Is my reproducer/analysis incorrect, or are versions before 2.3.10
> immune to CVE-2024-23184? (AFAICT they are affected by CVE-2024-23185;
> only talking about -23184 here.)
Yes, looks like this is all correct. I guess we didn't really verify the oldest version this affects.

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
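As an added illustration (not Dovecot's code and not from the thread), a toy C model of the two append strategies the quoted description contrasts: walking to the end of the list for every address versus keeping a tail pointer. `struct addr`, `parse_addresses` and `append_cost` are assumed names; the header value is constructed in the shape of the reproducer's folded `To:` line, and the returned hop count is what grows as n(n-1)/2 with the walk.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct addr { char *mailbox; struct addr *next; };   /* toy node, not Dovecot's own struct */

/* Walk-to-end append, as the quoted description of the affected versions; returns nodes visited. */
static unsigned long append_walk(struct addr **head, struct addr *node)
{
	unsigned long visited = 0;
	struct addr *p = *head;
	if (p == NULL) { *head = node; return 0; }
	while (visited++, p->next != NULL) p = p->next;
	p->next = node; return visited;
}

/* Append through a tail pointer: constant time, nothing to walk. */
static void append_tail(struct addr **head, struct addr **tail, struct addr *node)
{
	if (*head == NULL) *head = node; else (*tail)->next = node;
	*tail = node;
}

/* Parse a comma-separated header value with one strategy; *count gets the address count,
 * the return value is the total nodes visited, and the list is freed before returning. */
unsigned long parse_addresses(const char *value, int use_tail, size_t *count)
{
	unsigned long visited = 0;
	struct addr *head = NULL, *tail = NULL, *node, *next;
	char *copy = strdup(value), *save = NULL, *tok; *count = 0;
	for (tok = strtok_r(copy, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
		while (*tok == ' ' || *tok == '\n') tok++;          /* folded " , bar..." lines */
		node = calloc(1, sizeof(*node)); node->mailbox = strdup(tok);
		if (use_tail) append_tail(&head, &tail, node); else visited += append_walk(&head, node);
		(*count)++;
	}
	for (node = head; node; node = next) { next = node->next; free(node->mailbox); free(node); }
	free(copy); return visited;
}

/* Nodes visited when parsing a constructed n-address header shaped like the reproducer's To:. */
unsigned long append_cost(size_t n, int use_tail)
{
	size_t len = n * 32 + 1, count, i;
	char *buf = calloc(len, 1), *p = buf;                   /* calloc: buf starts as "" */
	for (i = 0; i < n; i++) p += snprintf(p, len - (p - buf), "%sbar%zu@example.net", i ? "\n , " : "", i);
	unsigned long v = parse_addresses(buf, use_tail, &count);
	free(buf);
	return count == n ? v : (unsigned long)-1;              /* -1 flags a parse mismatch */
}
```

`append_cost(1000, 0)` returns 499500 hops while `append_cost(1000, 1)` returns 0, which is the quadratic-versus-constant difference the thread's 2.3.10 regression describes.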