Aki Tuomi
2019-Mar-28 14:40 UTC
Mitigation / disable FTS and pop3-uidl plugin was Re: CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files
On 28 March 2019 16:37 Kevin A. McGrail via dovecot <dovecot@dovecot.org> wrote:
> On 3/28/2019 7:42 AM, Aki Tuomi via dovecot wrote:
>> olution:
>> Operators should update to the latest Patch Release. The only workaround
>> is to disable FTS and pop3-uidl plugin.
>
> Hi Aki, thanks for the CVE. For quick mitigation, can you confirm how
> to disable these plugins and what they provide? We'd like to assess if
> we are using them while we roll out the fix.
>
> Regards,
>
> KAM

check for fts in mail_plugins. pop3-uidl is used by pop3_migration plugin.

---
Aki Tuomi
Kevin A. McGrail
2019-Mar-28 14:44 UTC
Mitigation / disable FTS and pop3-uidl plugin was Re: CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files
On 3/28/2019 10:40 AM, Aki Tuomi wrote:
> check for fts in mail_plugins. pop3-uidl is used by pop3_migration
> plugin.

Sorry if I'm dense but can you be more specific? Are you talking about
checking conf files or binary files?

For example, does the existence of
/usr/local/lib/dovecot/lib20_fts_plugin.so imply an exploitable situation?

Are there settings in a conf file that disable those plugins?

Regards,

KAM
Aki Tuomi
2019-Mar-28 14:55 UTC
Mitigation / disable FTS and pop3-uidl plugin was Re: CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files
On 28 March 2019 16:44 Kevin A. McGrail via dovecot <dovecot@dovecot.org> wrote:
> On 3/28/2019 10:40 AM, Aki Tuomi wrote:
>> check for fts in mail_plugins. pop3-uidl is used by pop3_migration
>> plugin.
>
> Sorry if I'm dense but can you be more specific? Are you talking about
> checking conf files or binary files?
>
> For example, does the existence of
> /usr/local/lib/dovecot/lib20_fts_plugin.so imply an exploitable situation?
>
> Are there settings in a conf file that disable those plugins?
>
> Regards,
>
> KAM

Plugin needs to be explicitly loaded in configuration.

---
Aki Tuomi
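The check Aki describes above (look for fts and pop3_migration among the loaded mail_plugins, since a plugin only matters if the configuration loads it), as an added example that is not part of the thread or of Dovecot: a POSIX shell function that scans a `doveconf -n` style dump and reports in which context each such plugin is loaded. The sample dump is constructed, and the parser assumes protocol blocks are not nested.

```shell
#!/bin/sh
# Constructed sample standing in for the output of `doveconf -n` on a real host.
SAMPLE_CONF='mail_plugins = quota
protocol imap {
  mail_plugins = $mail_plugins imap_quota fts fts_solr
}
protocol pop3 {
  mail_plugins = $mail_plugins pop3_migration
}
protocol lmtp {
  mail_plugins = $mail_plugins sieve
}'

# Scan a config dump (argument 1) for mail_plugins lines that load fts*
# (the FTS core plugin or one of its backends) or pop3_migration (the
# plugin that brings in pop3-uidl). Prints "<context>:<plugin>" per hit,
# where context is "global" or "protocol <name>", and exits 1 if any hit
# was found, 0 otherwise. Assumes blocks are one level deep, which is how
# protocol { } sections are normally written.
find_risky_plugins() {
    printf '%s\n' "$1" | awk '
        BEGIN { ctx = "global"; found = 0 }
        /^[ \t]*protocol[ \t]+[A-Za-z0-9_-]+[ \t]*[{]/ { ctx = "protocol " $2; next }
        /^[ \t]*[}]/ { ctx = "global"; next }
        /^[ \t]*mail_plugins[ \t]*=/ {
            sub(/^[ \t]*mail_plugins[ \t]*=[ \t]*/, "")
            n = split($0, words, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (words[i] ~ /^fts/ || words[i] == "pop3_migration") {
                    print ctx ":" words[i]
                    found = 1
                }
            }
        }
        END { exit found }
    '
}

# On a real host: find_risky_plugins "$(doveconf -n)"
if find_risky_plugins "$SAMPLE_CONF"; then
    echo "no fts/pop3_migration plugin loaded"
else
    echo "fts/pop3_migration loaded in the contexts listed above"
fi
```

A hit only tells you the plugin is loaded in that protocol's mail_plugins; removing it from the list (or applying the patch release) is the remediation the advisory gives.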