Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 683732 (CVE-2019-10691) - <net-mail/dovecot-2.3.5.2: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters
Summary: <net-mail/dovecot-2.3.5.2: JSON encoder in Dovecot 2.3 incorrecty assert-cras...
Status: RESOLVED FIXED
Alias: CVE-2019-10691
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://dovecot.org/list/dovecot-news...
Whiteboard: B3 [glsa+ cve glsa+]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2019-04-18 09:30 UTC by Tomáš Mózes
Modified: 2019-08-31 21:17 UTC (History)
2 users (show)

See Also:
Package list:
net-mail/dovecot-2.3.5.2
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Hank Leininger 2019-04-18 16:49:12 UTC 
FWIW bumping the existing dovecot-2.3.5.1.ebuild to dovecot-2.3.5.2.ebuild seems to work fine.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-04-18 21:52:36 UTC 
2.3.5.2 is not in tree yet.
Comment 4 Larry the Git Cow gentoo-dev 2019-04-19 06:34:57 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f2896be569c065349d7259299890ac5f70f8aeb

commit 3f2896be569c065349d7259299890ac5f70f8aeb
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2019-04-19 06:34:35 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2019-04-19 06:34:35 +0000

    net-mail/dovecot: security bump to 2.3.5.2
    
    Bug: https://bugs.gentoo.org/683732
    Package-Manager: Portage-2.3.63, Repoman-2.3.12
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest               |   1 +
 net-mail/dovecot/dovecot-2.3.5.2.ebuild | 294 ++++++++++++++++++++++++++++++++
 2 files changed, 295 insertions(+)
Comment 5 Eray Aslan gentoo-dev 2019-04-19 06:38:30 UTC 
Arches, please test and mark stable
=net-mail/dovecot-2.3.5.2

TARGET KEYWORDS=alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 ~sparc x86

Thank you
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2019-04-19 17:01:20 UTC 
amd64 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-20 17:49:44 UTC 
alpha stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-20 18:42:29 UTC 
arm stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-24 21:33:56 UTC 
x86 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-27 16:33:56 UTC 
ia64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 07:46:22 UTC 
ppc stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 13:11:20 UTC 
ppc64 stable
Comment 13 Rolf Eike Beer archtester 2019-05-06 21:56:33 UTC 
I'll do bug 684822 for hppa instead, so I guess this can be closed.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-31 14:38:54 UTC 
Added to an existing GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2019-08-31 21:17:00 UTC 
This issue was resolved and addressed in
 GLSA 201908-29 at https://security.gentoo.org/glsa/201908-29
by GLSA coordinator Thomas Deutschmann (whissi).