On 9. May 2026, at 1.27, Alex Rosenberg via dovecot <[email protected]>
wrote:
Attached is an LLM-reduced reproduction of the crash in the title. My
particular setup is dovecot 2.3.21.1 (d492236fa0) in a FreeBSD jail
(13.5). I realize that this is an older release but there is no FreeBSD
port/pkg for dovecot 2.4.x yet.
The message in the attachment is reduced from an old (2017!) email to
one of the LLVM compiler mailing lists. The original malformed email had
this header:
X-Mailer: Evolution 3.22.5 (3.22.5-1.fc25)
The bug occurs when dovecot's FTS indexer processes a MIME part that:
1. Declares charset="UTF-7"
2. Contains base64-encoded content that, when decoded, has bare '+'
characters
3. Causes UTF-7 decoder buffer overflow in charset-iconv.c:83
The base64 content decodes to C source code with expressions like:
- argc + 4
- state++
- state--
These '+' characters in UTF-7 context cause the decoder's pending buffer
to exceed CHARSET_MAX_PENDING_BUF_SIZE, triggering the assertion
failure.
This should have been fixed in v2.4.3 with the commits:
[1]https://github.com/dovecot/core/commit/110c19e44e95be6b6d2b09cf994ce5b502c8dd8c
[2]https://github.com/dovecot/core/commit/3dced982a4f7dbcc8c11f15f566f4b2b4ff5d399
[3]https://github.com/dovecot/core/commit/db2add1b4058fd489905ea833ea31ceb4d550070
References
Visible links
1.
https://github.com/dovecot/core/commit/110c19e44e95be6b6d2b09cf994ce5b502c8dd8c
2.
https://github.com/dovecot/core/commit/3dced982a4f7dbcc8c11f15f566f4b2b4ff5d399
3.
https://github.com/dovecot/core/commit/db2add1b4058fd489905ea833ea31ceb4d550070
_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
