<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">On 19 Jul 2019, at 17.52, Patrick Cernko via dovecot <<a href="mailto:dovecot@dovecot.org" class="">dovecot@dovecot.org</a>> wrote:<br class=""><div><blockquote type="cite" class=""><br class="Apple-interchange-newline"><div class=""><div class="">Hello list, hello Dovecot developers,<br class=""><br class="">this week, I discovered a serious bug in Dovecot, that lead to several broken mails on our servers. The bug corrupts the first few characters of the mail header during saving. On our setup, it was almost always only the very first line of text, that was corrupted.<br class=""></div></div></blockquote>..<br class=""><blockquote type="cite" class=""><div class=""><div class="">The bug occurs on very specific mails. Due to privacy reasons I could not provide sample mails here. Storing such mails seems to trigger the bug reproducible.<br class=""><br class=""><br class="">I attached a very minimal doveconf -n config, that can be used to trigger the bug. If one of the developers is interested, I can try to generate an "anonymized" version of such a specific mail that still causes the issue. I discovered the bug on our productive systems, running latest Dovecot 2.2 release, but the latest 2.3 I used during debugging is affected, too.<br class=""></div></div></blockquote><div><br class=""></div><div>Getting such a mail that would allow reproducing would be helpful. I can't seem to be able to reproduce this with stress testing.</div></div><br class=""><div class=""><a href="https://dovecot.org/tools/" class="">https://dovecot.org/tools/</a> has a couple of scripts that can obfuscate emails in a bit different ways. For example <a href="https://dovecot.org/tools/maildir-obfuscate.pl" class="">https://dovecot.org/tools/maildir-obfuscate.pl</a> might work.</div><div class=""><br class=""></div><div class="">I'm also wondering if Stephan's recent base64 code changes will fix this (everything is not merged yet).</div><div class=""><br class=""></div></body></html>