ArchLinux: 201904-9: dovecot: denial of service
Summary
JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash dovecot in two ways. Attacker can repeatedly crash Dovecot authentication process by logging in using invalid UTF-8 sequence in username. This requires that auth policy is enabled. Crash can also occur if OX push notification driver is enabled and an email is delivered with invalid UTF-8 sequence in From or Subject header. In 2.2, malformed UTF-8 sequences are forwarded "as-is", and thus do not cause problems in Dovecot itself. Target systems should be checked for possible problems in dealing with such sequences.
Resolution
Upgrade to 2.3.5.2-1.
# pacman -Syu "dovecot>=2.3.5.2-1"
The problem has been fixed upstream in version 2.3.5.2.
References
https://wiki.dovecot.org/wiki-closed/index.html https://security.archlinux.org/CVE-2019-10691
Workaround
None.