Bug 1782785 (CVE-2019-19722) - CVE-2019-19722 dovecot: null pointer dereference in push notification driver
Summary: CVE-2019-19722 dovecot: null pointer dereference in push notification driver
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-19722
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1783256
Blocks: 1782787
TreeView+ depends on / blocked
 
Reported: 2019-12-12 10:38 UTC by Dhananjay Arunesh
Modified: 2021-02-16 20:52 UTC (History)
6 users (show)

Fixed In Version: dovecot 2.3.9.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-16 13:30:24 UTC
Embargoed:

Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-12-12 10:38:17 UTC 
A vulnerability was found in dovecot before version 2.3.9.1 where mail with group address as sender will cause a signal 11 crash in push notification drivers. Group address as recipient can cause crash in some drivers.
Comment 1 Dhananjay Arunesh 2019-12-12 10:41:50 UTC 
Reference:
https://github.com/dovecot/core/compare/393a8cabf4dad893bf2ec60bf96cfde7a0c58432%5E..1307766b6f5d97341a47376657d342bcefd10f1b.patch
Comment 2 msiddiqu 2019-12-13 13:02:15 UTC 
References: 
  
https://dovecot.org/pipermail/dovecot-news/2019-December/000426.html
https://dovecot.org/pipermail/dovecot-news/2019-December/000425.html
https://dovecot.org/pipermail/dovecot-news/2019-December/000423.html
Comment 3 msiddiqu 2019-12-13 13:03:18 UTC 
Created dovecot tracking bugs for this issue:

Affects: fedora-all [bug 1783256]
Comment 4 Huzaifa S. Sidhpurwala 2020-01-16 13:29:32 UTC 
Statement:

The vulnerable functionality is not present in the versions of dovecot package in Red Hat Products therefore they are not affected by this flaw.
Note You need to log in before you can comment on or make changes to this bug.