CVE-2020-7957
Description
Dovecot 2.3.9 IMAP and LMTP crash on specially crafted mail, preventing users from reading messages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Dovecot 2.3.9 releases before 2.3.9.3 contain an improper input validation flaw in the IMAP and LMTP components [1][2]. The crash occurs when snippet generation runs on a message that is large enough for the message parser to return multiple body blocks, the first block(s) do not contain the full snippet (for example because they consist of whitespace), and the input ends with a trailing '>' character; in that case the parser mishandles the operation and crashes [1][2]. The underlying defect is that the code does not correctly handle the case where many characters must be read to compute the snippet and a trailing '>' is present.
Exploitation
An attacker who can deliver email to a Dovecot server (no authentication or privileges beyond ordinary mail delivery are required) can craft a message that meets the specific conditions: large enough to produce multiple body blocks, initial blocks without snippet content (e.g., whitespace), and ending with a '>' character. No direct network access to the IMAP or LMTP service is needed beyond the ability to deliver the message. When the receiving server processes the message for snippet generation (e.g., when an IMAP client requests message snippets, or during LMTP delivery), the process crashes, leaving the affected mailbox contents permanently inaccessible or the message stuck in delivery [2].
Impact
Successful exploitation results in a denial of service (CIA impact: availability only; CVSS 3.1 base score 3.1 [1][2]). The recipient cannot read all of their messages because the mailbox becomes permanently inaccessible, or the mail becomes stuck in delivery [1][2]. No data is disclosed or modified; the impact is limited to availability.
Mitigation
The issue is fixed in Dovecot 2.3.9.3, released on 2020-02-12 [1][2]. Users must upgrade to that version or later; no workaround other than upgrading is documented. Fedora package announcements indicate that updated packages are available for the affected distribution releases [3][4].
[1] oss-security: CVE-2020-7957: Dovecot: Specially crafted mail can crash snippet generation
[2] [Dovecot-news] CVE-2020-7957: Specially crafted mail can crash snippet generation
[3] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/
[4] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Dovecot / Dovecot
  - Range: >=2.3.9, <2.3.9.3
- OSV coordinates (2 versions): pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Tumbleweed, pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweed
  - (no CPE) range: < 2.3.16-1.6
  - (no CPE) range: < 2.4.0-1.1
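The mitigation section and the affected-product ranges above give two different kinds of version bounds: the upstream range (>=2.3.9, <2.3.9.3) and distribution package ranges (openSUSE Tumbleweed dovecot23 < 2.3.16-1.6, dovecot24 < 2.4.0-1.1), which carry a package release suffix and may already contain a backported fix. The following added example (not code from Dovecot, OSV, or this site) shows how an inventory check should compare a version string against the right range: it parses an upstream version plus an optional `-release` suffix into comparable tuples, so a distro package is judged by its distro range and not by the upstream one. The `dovecot --version`-style sample strings and the commit hash in them are constructed for illustration.

```python
import re

# Ranges as stated on this page. Lower bound is inclusive, upper bound is
# exclusive; None means "no lower bound". The distro ranges come from the
# OSV coordinates listed above; the upstream range from the advisory text.
RANGES = {
    "upstream": ("2.3.9", "2.3.9.3"),
    "opensuse/dovecot23": (None, "2.3.16-1.6"),
    "opensuse/dovecot24": (None, "2.4.0-1.1"),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(\d+(?:\.\d+)*))?")


def parse_version(text):
    """Return (upstream, release) tuples of ints from strings such as
    '2.3.9.2', '2.3.16-1.6', or constructed `dovecot --version` output
    like '2.3.9.2 (0123abcd)'. A missing release suffix yields ()."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    upstream = tuple(int(p) for p in m.group(1).split("."))
    release = tuple(int(p) for p in m.group(2).split(".")) if m.group(2) else ()
    return upstream, release


def is_affected(version_text, source="upstream"):
    """True if the version falls inside the affected range for `source`.
    Tuple comparison is lexicographic, so (2,3,9) < (2,3,9,3) and
    ((2,3,16),(1,5)) < ((2,3,16),(1,6)) behave as expected."""
    lower, upper = RANGES[source]
    v = parse_version(version_text)
    if lower is not None and v < parse_version(lower):
        return False
    return v < parse_version(upper)


def audit(inventory):
    """Evaluate a list of (host, source, version_text) entries (constructed
    sample data in main) and return the hosts that still need an upgrade."""
    return [host for host, source, ver in inventory if is_affected(ver, source)]


if __name__ == "__main__":
    # Constructed inventory: hostnames, package sources and version strings
    # are made up for this example.
    sample = [
        ("mx1.example.test", "upstream", "2.3.9.2 (0123abcd)"),
        ("mx2.example.test", "upstream", "2.3.9.3 (4567ef89)"),
        ("mx3.example.test", "upstream", "2.3.10"),
        ("tw1.example.test", "opensuse/dovecot23", "2.3.15-3.2"),
        ("tw2.example.test", "opensuse/dovecot23", "2.3.16-1.6"),
    ]
    for host in audit(sample):
        print(f"{host}: affected by CVE-2020-7957, upgrade required")
```

Note that the distro ranges here are wider than the upstream one because the distribution fixed the package at a later build, so a host reporting an upstream-looking version from a distro package must be checked with the distro's own range; applying the upstream bounds to `2.3.15-3.2` would wrongly report it as unaffected.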
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/ (MITRE; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/ (MITRE; vendor-advisory; x_refsource_FEDORA)
- www.openwall.com/lists/oss-security/2020/02/12/2 (MITRE; x_refsource_CONFIRM)
- dovecot.org/pipermail/dovecot-news/2020-February/000430.html (MITRE; x_refsource_CONFIRM)
- dovecot.org/security (MITRE; x_refsource_MISC)
News mentions
No linked articles in our index yet.