[3.9] dovecot: Mishandling invalid UTF-8 characters by JSON encoder leading to possible DoS attack (CVE-2019-10691)
JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters. Attacker can repeatedly crash Dovecot authentication process by logging in using invalid UTF-8 sequence in username. Crash can also occur if OX push notification driver is enabled and an email is delivered with invalid UTF-8 sequence in From or Subject header.
Fixed In Version:
dovecot 2.3.5.2
References:
https://dovecot.org/list/dovecot-news/2019-April/000406.html
https://www.openwall.com/lists/oss-security/2019/04/18/3
Patch:
https://github.com/dovecot/core/commit/973769d74433de3c56c4ffdf4f343cb35d98e4f7
(from redmine: issue id 10313, created on 2019-04-22, closed on 2019-06-22)
- Relations:
- parent #10311 (closed)
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information