On 2018-03-26 22:40:38, Thorsten Alteholz wrote:
> Hi everybody,
>
> I uploaded version 1:2.1.7-7+deb7u2 of dovecot to:
>
> https://people.debian.org/~alteholz/packages/wheezy-lts/dovecot/
>
> It contains patches for CVE-2017-14461, CVE-2017-15130 and CVE-2017-15132.
>
> Please give it a try and tell me about any problems you met.

I do not have a production Dovecot environment running wheezy anymore. I
was able to reproduce CVE-2017-14461 in a Vagrant VM and can confirm
that issue is fixed by your test packages. So consider this a working
smoke test.

For what it's worth, I have crafted this reproducer from the advisory:

    printf "From: attacker@nevermind\nSubject: test\nContent-Type: message/rfc822\n\nFrom: aaaa@(\nFrom: a(aa\n" | /usr/lib/dovecot/dovecot-lda -d vagrant

Before, it crashes, now it delivers.

Cheers!

A.

-- 
Nature hides her secret because of her essential loftiness, but not by
means of ruse.
                        - Albert Einstein