
[ASA-201904-9] dovecot: denial of service

Published: 2019-04-18 00:00:00
Source: security.archlinux.org

CVSS2: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
  Attack Vector: Network; Attack Complexity: Low; Authentication: None;
  Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Partial

CVSS3: 7.5 (High)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Attack Vector: Network; Attack Complexity: Low; Privileges Required: None;
  User Interaction: None; Scope: Unchanged; Confidentiality Impact: None;
  Integrity Impact: None; Availability Impact: High

EPSS: 0.004 (Low), percentile 75.1%

Arch Linux Security Advisory ASA-201904-9

Severity: Medium
Date : 2019-04-18
CVE-ID : CVE-2019-10691
Package : dovecot
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-950

Summary

The package dovecot before version 2.3.5.2-1 is vulnerable to denial of
service.

Resolution

Upgrade to 2.3.5.2-1.

pacman -Syu "dovecot>=2.3.5.2-1"

The problem has been fixed upstream in version 2.3.5.2.

Workaround

None.

Description

The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when it encounters
invalid UTF-8 characters. This can be used to crash Dovecot in two ways. An
attacker can repeatedly crash the Dovecot authentication process by logging
in with an invalid UTF-8 sequence in the username; this requires that the
auth policy is enabled. A crash can also occur if the OX push notification
driver is enabled and an email is delivered with an invalid UTF-8 sequence
in the From or Subject header. In 2.2, malformed UTF-8 sequences are
forwarded "as-is" and therefore do not cause problems in Dovecot itself, but
the systems receiving them should be checked for possible problems in
dealing with such sequences.
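The root cause described above is a JSON encoder that treats malformed UTF-8 in attacker-controlled input (a login name, a mail header) as a programming error and aborts. The following is an added example, not Dovecot's code: a small UTF-8 validator that an authentication front end could apply at the trust boundary, and a JSON string encoder that substitutes U+FFFD for each malformed byte instead of asserting. Both inputs in main() are constructed to mirror the two triggers in the advisory; the function names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length (1-4) of the well-formed UTF-8 sequence at s[0] (within len bytes),
 * or 0 if s[0] starts a malformed one: stray continuation byte, bad lead byte
 * (0xC0, 0xC1, 0xF5..0xFF), truncated sequence, overlong encoding, UTF-16
 * surrogate, or code point above U+10FFFF. */
static size_t utf8_seq_len(const unsigned char *s, size_t len)
{
    if (len == 0) return 0;
    unsigned char c = s[0];
    size_t n; unsigned cp, min;
    if (c < 0x80) return 1;
    if (c >= 0xC2 && c <= 0xDF) { n = 2; cp = c & 0x1F; min = 0x80; }
    else if (c >= 0xE0 && c <= 0xEF) { n = 3; cp = c & 0x0F; min = 0x800; }
    else if (c >= 0xF0 && c <= 0xF4) { n = 4; cp = c & 0x07; min = 0x10000; }
    else return 0;
    if (len < n) return 0;
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3Fu);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    return n;
}

/* Boundary check: reject a username before it reaches the policy-server
 * JSON layer at all. */
bool utf8_valid(const char *s, size_t len)
{
    const unsigned char *p = (const unsigned char *)s;
    for (size_t i = 0; i < len;) {
        size_t n = utf8_seq_len(p + i, len - i);
        if (n == 0) return false;
        i += n;
    }
    return true;
}

/* Two-character JSON escapes for the characters that have one. */
static const char *short_escape(unsigned char c)
{
    switch (c) {
    case '"': return "\\\"";  case '\\': return "\\\\"; case '\b': return "\\b";
    case '\f': return "\\f";  case '\n': return "\\n";  case '\r': return "\\r";
    case '\t': return "\\t";  default: return NULL;
    }
}

/* Encode s[0..len) as a quoted JSON string. Instead of treating malformed
 * UTF-8 as a programming error (the assert-and-abort behaviour in the
 * advisory), each offending byte becomes \uFFFD and is counted in *replaced.
 * Well-formed non-ASCII sequences pass through; quotes, backslashes and
 * control characters are escaped. Returns a malloc()ed string, NULL on OOM. */
char *json_encode_string(const char *s, size_t len, size_t *replaced)
{
    const unsigned char *p = (const unsigned char *)s;
    char *out = malloc(len * 6 + 3); /* worst case \uXXXX per byte + quotes + NUL */
    if (out == NULL) return NULL;
    size_t o = 0, bad = 0;
    out[o++] = '"';
    for (size_t i = 0; i < len;) {
        size_t n = utf8_seq_len(p + i, len - i);
        if (n == 0) {                 /* malformed: substitute, skip one byte, resync */
            memcpy(out + o, "\\uFFFD", 6); o += 6; bad++; i++;
        } else if (n > 1) {           /* well-formed multi-byte: copy through */
            memcpy(out + o, p + i, n); o += n; i += n;
        } else {
            unsigned char c = p[i++];
            const char *esc = short_escape(c);
            if (esc != NULL) { memcpy(out + o, esc, 2); o += 2; }
            else if (c < 0x20) o += (size_t)snprintf(out + o, 7, "\\u%04X", (unsigned)c);
            else out[o++] = (char)c;
        }
    }
    out[o++] = '"';
    out[o] = '\0';
    if (replaced != NULL) *replaced = bad;
    return out;
}

/* Does encoding `in` yield exactly `expected`? (Used for self-checks.) */
bool encodes_to(const char *in, size_t len, const char *expected)
{
    char *j = json_encode_string(in, len, NULL);
    bool ok = j != NULL && strcmp(j, expected) == 0;
    free(j);
    return ok;
}

int main(void)
{
    /* Constructed inputs modelled on the advisory's two triggers, not real traffic. */
    const char user[] = "user\xff\xfe";             /* invalid bytes in a login name */
    const char subj[] = "Re: caf\xc3\xa9 \xe2\x82"; /* header ending in a truncated sequence */
    size_t n;
    char *j = json_encode_string(user, sizeof user - 1, &n);
    printf("valid=%d %s (%zu byte(s) replaced)\n", utf8_valid(user, sizeof user - 1), j, n);
    free(j);
    j = json_encode_string(subj, sizeof subj - 1, &n);
    printf("valid=%d %s (%zu byte(s) replaced)\n", utf8_valid(subj, sizeof subj - 1), j, n);
    free(j);
    return 0;
}
```

Skipping exactly one byte after a malformed position, rather than the whole expected sequence length, keeps a truncated or forged lead byte from swallowing the valid text that follows it; the replacement count gives the caller a cheap signal worth logging, since a stream of such logins against the auth process is the exact pattern this advisory describes.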

Impact

An unauthenticated remote attacker can crash a Dovecot process (the
authentication process, or the delivery path when the OX push notification
driver is enabled) by making it process a username or email containing an
invalid UTF-8 sequence.

References

https://wiki.dovecot.org/Authentication/Policy
https://security.archlinux.org/CVE-2019-10691

Affected packages

OS          Version  Architecture  Package  Version      Filename
Arch Linux  any      any           dovecot  < 2.3.5.2-1  UNKNOWN
