Arch Linux Security Advisory ASA-201904-9
=========================================

Severity: Medium
Date    : 2019-04-18
CVE-ID  : CVE-2019-10691
Package : dovecot
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-950

Summary
=======

The package dovecot before version 2.3.5.2-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 2.3.5.2-1.

# pacman -Syu "dovecot>=2.3.5.2-1"

The problem has been fixed upstream in version 2.3.5.2.

Workaround
==========

None.

Description
===========

JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering
invalid UTF-8 characters. This can be used to crash dovecot in two
ways. Attacker can repeatedly crash Dovecot authentication process by
logging in using invalid UTF-8 sequence in username. This requires that
auth policy is enabled. Crash can also occur if OX push notification
driver is enabled and an email is delivered with invalid UTF-8 sequence
in From or Subject header. In 2.2, malformed UTF-8 sequences are
forwarded "as-is", and thus do not cause problems in Dovecot itself.
Target systems should be checked for possible problems in dealing with
such sequences.

Impact
======

An attacker is able to crash the dovecot process by making it process a
username or email containing an unsupported UTF-8 sequence.

References
==========

https://wiki.dovecot.org/Authentication/Policy
https://security.archlinux.org/CVE-2019-10691