CVE-2019-7524 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	No
Type	Privilege escalation
Description	A stack-based buffer overflow has been found in Dovecot versions prior to 2.3.5.1. When reading FTS or POP3-UIDL header from dovecot index, the input buffer size is not bound, and data is copied to target structure causing stack overflow. This can be used for local root privilege escalation or executing arbitrary code in dovecot process context. This requires ability to directly modify dovecot indexes.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-944	dovecot	2.3.5-2	2.3.5.1-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
28 Mar 2019	ASA-201903-16	AVG-944	dovecot	High	privilege escalation

References
https://seclists.org/oss-sec/2019/q1/197 https://dovecot.org/pipermail/dovecot/2019-March/115296.html https://github.com/dovecot/core/commit/79679674eb6d2c7d38f2537e613efc103058dff1 https://github.com/dovecot/core/commit/d79845350e0754f5e25c41bd56591ddd5b0a35fd

References

https://seclists.org/oss-sec/2019/q1/197
https://dovecot.org/pipermail/dovecot/2019-March/115296.html
https://github.com/dovecot/core/commit/79679674eb6d2c7d38f2537e613efc103058dff1
https://github.com/dovecot/core/commit/d79845350e0754f5e25c41bd56591ddd5b0a35fd