From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Mon, 2 Mar 2026 12:40:57 +0000 (+0200)
Subject: [PATCH 2/2] managesieve-login: Verify AUTHENTICATE initial response size isn't too... 
X-Git-Tag: archive/raspbian/1%2.4.1+dfsg1-6+rpi1+deb13u4^2~2
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/%22mailto:mocancezar%40gmail.com//%22mailto:i18n-csb%40linuxcsb.org/%22/%22http:/www.example.com/%22mailto:mocancezar%40gmail.com/%22mailto:i18n-csb%40linuxcsb.org/%22?a=commitdiff_plain;h=c38e9af194c3ab98963b08032ee0033a53990072;p=dovecot.git

[PATCH 2/2] managesieve-login: Verify AUTHENTICATE initial response size isn't too large

This prevents DoSing the managesieve-login by sending an excessively large
initial response size, which causes a huge memory allocation.

Gbp-Pq: Name CVE-2026-27858.patch
---

diff --git a/pigeonhole/src/managesieve-login/client-authenticate.c b/pigeonhole/src/managesieve-login/client-authenticate.c
index 822dae6..5aeccd3 100644
--- a/pigeonhole/src/managesieve-login/client-authenticate.c
+++ b/pigeonhole/src/managesieve-login/client-authenticate.c
@@ -196,6 +196,11 @@ managesieve_client_auth_read_response(struct managesieve_client *msieve_client,
 		if (i_stream_get_size(msieve_client->auth_response_input,
 				      FALSE, &resp_size) <= 0)
 			resp_size = 0;
+		else if (resp_size > LOGIN_MAX_AUTH_BUF_SIZE) {
+			client_destroy(client,
+				       "Authentication response too large");
+			return -1;
+		}
 
 		if (client->auth_response == NULL) {
 			client->auth_response =