Open-Xchange: Pre-auth Denial-of-Service in Dovecot RPA implementation

Hi, Dovecot security team. I am Orange from DEVCORE security team. We just did a little security audit on the authentication mechanism of Dovecot, and found a buffer over-read in RPA implementation. In the mech-rpa.c, the function rpareadbuffer doesn't check that the length could be zero, and pas...

Open-Xchange: Pre-auth buffer over-read in Dovecot NTLM implementation

Hi, Dovecot security team. I am Orange from DEVCORE security team. We just did a little security audit on the authentication mechanism of Dovecot, and found a buffer over-read in NTLM implementation. The structure of NTLM field is defined in ntlm-types.h c struct ntlmsspbuffer uint16t length; /...

Open-Xchange: reading the stack data of the imap process

in dovecot / core in the imap-client-hibernate.c file in the imaphibernatehandshake function, lines 31..39 contain vulnerable code: cpp else if ret = readfd, buf, sizeofbuf-1 0 && bufret-1 == '\n' bufret-1 = '\0'; if versionstringverifybuf, "imap-hibernate", 1 return 0; ierror"%s sent invalid...