
Arch Linux alert ASA-201908-19 (pigeonhole)

From:  Jelle van der Waa <jelle@archlinux.org>
To:  arch-security@archlinux.org
Subject:  [ASA-201908-19] pigeonhole: arbitrary code execution
Date:  Thu, 29 Aug 2019 20:27:00 +0200
Message-ID:  <20190829182700.sc23q3lkkc4dralf@mail.archlinux.org>

Arch Linux Security Advisory ASA-201908-19
==========================================

Severity: Critical
Date    : 2019-08-28
CVE-ID  : CVE-2019-11500
Package : pigeonhole
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1027

Summary
=======

The package pigeonhole before version 0.5.7.2-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 0.5.7.2-1.

# pacman -Syu "pigeonhole>=0.5.7.2-1"

The problem has been fixed upstream in version 0.5.7.2.

Workaround
==========

None.

Description
===========

The IMAP and ManageSieve protocol parsers in Dovecot before 2.3.7.2 and Pigeonhole before 0.5.7.2 do not properly handle a NUL byte when scanning data in quoted strings, leading to out-of-bounds heap memory writes.

Impact
======

A remote, unauthenticated attacker can access sensitive information or execute arbitrary code on the affected host via a crafted ManageSieve command.

References
==========

https://dovecot.org/pipermail/dovecot-news/2019-August/00...
https://dovecot.org/pipermail/dovecot-news/2019-August/00...
https://github.com/dovecot/core/commit/85fcb895ca7f0bcb8e...
https://github.com/dovecot/core/commit/f904cbdfec25582bc5...
https://github.com/dovecot/pigeonhole/commit/7ce9990a5e6b...
https://github.com/dovecot/pigeonhole/commit/4a299840cdb5...
https://security.archlinux.org/CVE-2019-11500
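The bug class named in the Description, as an added defender-side illustration that is not Dovecot's or Pigeonhole's code: a quoted-string scanner that walks a length-delimited input buffer without ever assuming NUL termination, rejects NUL (and CR/LF) inside the string as the IMAP and ManageSieve grammars require, and bounds every write to the output buffer. The function name, the status codes and the capped output buffer are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome of scanning one quoted string (status codes are this example's own). */
enum qs_status { QS_OK = 0, QS_NEED_MORE, QS_BAD_CHAR, QS_TOO_LONG };

/* Scan an IMAP/ManageSieve quoted string ("...", escapes \" and \\) from a
 * length-delimited buffer. The input is never assumed NUL-terminated: reads
 * are bounded by in_len and a NUL inside the string is a protocol error, not
 * an end marker; writes are bounded by out_cap. On QS_OK, *out_len is the
 * decoded length and *consumed the input bytes used, quotes included. */
enum qs_status scan_quoted(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t out_cap,
                           size_t *out_len, size_t *consumed)
{
    size_t i, o = 0;
    if (in_len == 0 || in[0] != '"')
        return QS_BAD_CHAR;
    for (i = 1; i < in_len;) {
        uint8_t c = in[i];
        if (c == '"') {                      /* closing quote: done */
            *out_len = o;
            *consumed = i + 1;
            return QS_OK;
        }
        if (c == '\\') {                     /* only \" and \\ are legal escapes */
            if (i + 1 >= in_len)
                return QS_NEED_MORE;
            c = in[i + 1];
            if (c != '"' && c != '\\')
                return QS_BAD_CHAR;
            i += 2;
        } else {
            if (c == 0 || c == '\r' || c == '\n')
                return QS_BAD_CHAR;          /* NUL, CR, LF are never quoted-chars */
            i += 1;
        }
        if (o >= out_cap)
            return QS_TOO_LONG;              /* never write past the output buffer */
        out[o++] = c;
    }
    return QS_NEED_MORE;                     /* closing quote not received yet */
}

int main(void)
{
    const uint8_t in[] = { '"', 'a', 0, 'b', '"' };   /* constructed: NUL inside */
    uint8_t out[16]; size_t n = 0, used = 0;
    return scan_quoted(in, sizeof in, out, sizeof out, &n, &used) == QS_BAD_CHAR ? 0 : 1;
}
```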

