
Bug 683732 (CVE-2019-10691)

Summary: <net-mail/dovecot- JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters
Product: Gentoo Security
Reporter: Tomáš Mózes <hydrapolic>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: eras, hanno
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Flags: stable-bot: sanity-check+
Hardware: All
OS: Linux
Whiteboard: B3 [glsa+ cve glsa+]
Package list:
Runtime testing required: ---

Comment 2 Hank Leininger 2019-04-18 16:49:12 UTC
FWIW bumping the existing dovecot- to dovecot- seems to work fine.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-18 21:52:36 UTC
is not in tree yet.
Comment 4 Larry the Git Cow gentoo-dev 2019-04-19 06:34:57 UTC
The bug has been referenced in the following commit(s):

commit 3f2896be569c065349d7259299890ac5f70f8aeb
Author:     Eray Aslan <>
AuthorDate: 2019-04-19 06:34:35 +0000
Commit:     Eray Aslan <>
CommitDate: 2019-04-19 06:34:35 +0000

    net-mail/dovecot: security bump to
    Package-Manager: Portage-2.3.63, Repoman-2.3.12
    Signed-off-by: Eray Aslan <>

 net-mail/dovecot/Manifest               |   1 +
 net-mail/dovecot/dovecot- | 294 ++++++++++++++++++++++++++++++++
 2 files changed, 295 insertions(+)
Comment 5 Eray Aslan gentoo-dev 2019-04-19 06:38:30 UTC
Arches, please test and mark stable

TARGET KEYWORDS=alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 ~sparc x86

Thank you
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-19 17:01:20 UTC
amd64 stable
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-20 17:49:44 UTC
alpha stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-20 18:42:29 UTC
arm stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2019-04-24 21:33:56 UTC
x86 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-27 16:33:56 UTC
ia64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 07:46:22 UTC
ppc stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 13:11:20 UTC
ppc64 stable
Comment 13 Rolf Eike Beer archtester 2019-05-06 21:56:33 UTC
I'll do bug 684822 for hppa instead, so I guess this can be closed.
Comment 14 Thomas Deutschmann gentoo-dev Security 2019-08-31 14:38:54 UTC
Added to an existing GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2019-08-31 21:17:00 UTC
This issue was resolved and addressed in
 GLSA 201908-29 at
by GLSA coordinator Thomas Deutschmann (whissi).