CVE-2017-2669
Description
Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
14<2.2.29+ 1 more
- (no CPE)range: <2.2.29
- (no CPE)range: dovecot 2.2.29
- osv-coords12 versionspkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2pkg:rpm/suse/dovecot&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1pkg:rpm/suse/dovecot&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2pkg:rpm/suse/dovecot&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2pkg:rpm/suse/dovecot&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/dovecot&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2
< 2.2.29.1-11.1+ 11 more
- (no CPE)range: < 2.2.29.1-11.1
- (no CPE)range: < 2.2.29.1-11.1
- (no CPE)range: < 2.2.29.1-11.1
- (no CPE)range: < 2.2.29.1-11.1
- (no CPE)range: < 2.2.29.1-11.1
- (no CPE)range: < 2.2.29.1-11.1
- (no CPE)range: < 2.2.29.1-11.1
- (no CPE)range: < 2.2-3.1
- (no CPE)range: < 2.2-3.1
- (no CPE)range: < 2.2-3.1
- (no CPE)range: < 2.2-3.1
- (no CPE)range: < 2.2-3.1
Patches
Vulnerability mechanics
Root cause
"The 'dict' passdb and userdb improperly handled variable expansion for usernames, leading to excessive resource consumption."
Attack vector
An attacker can exploit this vulnerability by sending a specially crafted username during IMAP or POP3 authentication. This username contains malformed %variable fields that are processed by var_expand(). The expansion of these fields can lead to excessive memory or CPU usage, causing the authentication process to crash or hang [ref_id=1].
Affected code
The vulnerability exists in `src/auth/db-dict.c` within the `db_dict_iter_lookup_key_values` function. The patch specifically targets the logic related to variable expansion of keys used in the `dict` passdb and userdb lookups [ref_id=1].
What the fix does
The patch modifies the `db-dict.c` file to prevent double expansion of keys in the passdb dictionary during authentication. Specifically, it removes the `var_expand()` call for the path and directly appends the key, ensuring that the variable expansion does not occur excessively for crafted inputs [ref_id=1]. This change prevents the unbounded resource consumption that previously led to denial of service.
Preconditions
- configThe Dovecot server must be configured to use 'dict' passdb and userdb for authentication.
- networkThe attacker must be able to send authentication requests to the Dovecot server via IMAP or POP3.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- www.debian.org/security/2017/dsa-3828mitrevendor-advisoryx_refsource_DEBIAN
- www.openwall.com/lists/oss-security/2017/04/11/1mitremailing-listx_refsource_MLIST
- www.securityfocus.com/bid/97536mitrevdb-entryx_refsource_BID
- bugzilla.redhat.com/show_bug.cgimitrex_refsource_CONFIRM
- dovecot.org/pipermail/dovecot-news/2017-April/000341.htmlmitremailing-listx_refsource_MLIST
- github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patchmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.