dovecot - Mar 2008 - 1.1r1: auth-worker(default): BUG: PASSV had missing parameters, sig11

I don't know how this happened.  I'm not sure if there is a coredump 
somewhere because
I don't know what user, and I have nothing for 'root' or
'dovecot'.  Any
advice, or should
I make all my coredumps go to a central writable directory so I have 
better chance of
catching it if it happens again?  Is it maybe from someone connecting to 
postfix and causing
a SMTP-AUTH to timeout?  Although that is unlikely because users should 
not know how to
reach this server's SMTP ports. I cut most of the surrounding log 
entries below because they
seemed unrelated normal activity, but two of the lines below I left 
because of the timestamp.

socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 384
      user: postfix
      group: postfix


Mar  8 17:02:17 boomhauer dovecot: auth-worker(default): BUG: PASSV had
missing parameters   
Mar  8 17:03:47 boomhauer dovecot: auth-worker(default): BUG: PASSV had
missing parameters
Mar  8 17:05:17 boomhauer dovecot: imap-login: Disconnected: Inactivity:
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar  8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
Mar  8 17:06:47 boomhauer dovecot: imap-login: Disconnected: Inactivity:
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar  8 17:06:47 boomhauer dovecot: child 72857 (login) killed with signal 11

On Sun, 2008-03-09 at 03:50 -0400, Adam McDougall wrote:
> Mar  8 17:02:17 boomhauer dovecot: auth-worker(default): BUG: PASSV had
> missing parameters   
Thanks, I kept trying to figure out what caused this and then started
wondering about password escaping and found the security hole. I still
hadn't figured out what caused this though, until I realized that
passwords can have linefeeds as well which can cause this.
> Mar  8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal
11
This still shouldn't happen though. I didn't try to reproduce this yet.

It's anyway quite difficult to get core dumps out of login processes.
I'm not sure if FreeBSD lets you do that in some special way, but there
are at least two things in the way:

1. Kernel thinks it's a setuid program, and setuid programs don't core
dump.

2. It's chrooted to a non-writable directory.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20080309/c2e56385/attachment-0002.bin>

Timo Sirainen wrote:
> On Sun, 2008-03-09 at 03:50 -0400, Adam McDougall wrote:
>
>   
>> Mar  8 17:02:17 boomhauer dovecot: auth-worker(default): BUG: PASSV had
>> missing parameters   
>>     
>
> Thanks, I kept trying to figure out what caused this and then started
> wondering about password escaping and found the security hole. I still
> hadn't figured out what caused this though, until I realized that
> passwords can have linefeeds as well which can cause this.
>
>   
>> Mar  8 17:05:17 boomhauer dovecot: child 72819 (login) killed with
signal 11
>>     
>
> This still shouldn't happen though. I didn't try to reproduce this
yet.
>
> It's anyway quite difficult to get core dumps out of login processes.
> I'm not sure if FreeBSD lets you do that in some special way, but there
> are at least two things in the way:
>
> 1. Kernel thinks it's a setuid program, and setuid programs don't
core
> dump.
>
> 2. It's chrooted to a non-writable directory.
>
>   
1. I could enable this:
# sysctl -d kern.sugid_coredump
kern.sugid_coredump: Enable coredumping set user/group ID processes


2. And add an absolute path infront of this that is world writable:
# sysctl kern.corefile
kern.corefile: %N.%P.boomhauer.core


Can you think of a way that I could force the issue to be reproduced
so I can get away with making these changes on less servers?