CVE-2024-23185

NameCVE-2024-23185
DescriptionVery large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line, or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by MTA, so even largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). One can implement restrictions on headers on MTA component preceding Dovecot. No publicly available exploits are known.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3860-1, DSA-5752-1, ELA-1175-1
Debian Bugs1078877

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dovecot (PTS)jessie, jessie (lts)1:2.2.13-12~deb8u9vulnerable
stretch (security)1:2.2.27-3+deb9u7vulnerable
stretch (lts), stretch1:2.2.27-3+deb9u8fixed
buster, buster (lts)1:2.3.4.1-5+deb10u8fixed
buster (security)1:2.3.4.1-5+deb10u7vulnerable
bullseye1:2.3.13+dfsg1-2+deb11u1vulnerable
bullseye (security)1:2.3.13+dfsg1-2+deb11u2fixed
bookworm (security), bookworm1:2.3.19.1+dfsg1-2.1+deb12u1fixed
sid, trixie1:2.3.21.1+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dovecotsourcejessie(unfixed)end-of-life
dovecotsourcestretch1:2.2.27-3+deb9u8ELA-1175-1
dovecotsourcebuster1:2.3.4.1-5+deb10u8ELA-1175-1
dovecotsourcebullseye1:2.3.13+dfsg1-2+deb11u2DLA-3860-1
dovecotsourcebookworm1:2.3.19.1+dfsg1-2.1+deb12u1DSA-5752-1
dovecotsource(unstable)1:2.3.21.1+dfsg1-11078877

Notes

https://www.openwall.com/lists/oss-security/2024/08/15/4
Fixed by: https://github.com/dovecot/core/commit/f020e139c519121d9630a966310ea8e100ee33b7 (2.3.21.1)
Fixed by: https://github.com/dovecot/core/commit/ce88c33abc37e408592eff70aeefa28f803effb9 (2.3.21.1)

Search for package or bug name: Reporting problems