From: Aki Tuomi
Date: Wed, 8 Apr 2026 08:33:11 +0000 (+0300)
Subject: [PATCH] login-common: Only accept base64 in sasl
X-Git-Tag: archive/raspbian/1%2.4.1+dfsg1-6+rpi1+deb13u6^2~5
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=c7e5cef5b2981f7e872ee9d1f7c398376739e882;p=dovecot.git
[PATCH] login-common: Only accept base64 in sasl
Gbp-Pq: Name CVE-2026-33603.patch
---
diff --git a/src/login-common/client-common-auth.c b/src/login-common/client-common-auth.c
index 2ad85ab..1858edf 100644
--- a/src/login-common/client-common-auth.c
+++ b/src/login-common/client-common-auth.c
@@ -3,6 +3,7 @@
 #include "hostpid.h"
 #include "login-common.h"
 #include "array.h"
+#include "base64.h"
 #include "iostream.h"
 #include "istream.h"
 #include "ostream.h"
@@ -865,6 +866,14 @@ void client_auth_respond(struct client *client, const char *response)
 		return;
 	}
 
+	/* Only accept base64 */
+	for (size_t i = 0; response[i] != '\0'; i++) {
+		if (!base64_is_valid_char(response[i]) && response[i] != '=') {
+			client_auth_fail(client, "Invalid base64 in response");
+			return;
+		}
+	}
+
 	client->auth_client_continue_pending = FALSE;
 	client_set_auth_waiting(client);
 	sasl_server_auth_continue(client, response);
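Review bot: The new loop in client_auth_respond checks only the alphabet, so `=` is accepted at any position and in any count (a response made entirely of `=`, or padding in the middle, passes), and the structural rules — padding only at the end, at most two, total length a multiple of four — are still left to whatever decodes the string after sasl_server_auth_continue; that is acceptable for a pre-filter but should be stated, e.g. `/* Alphabet check only: padding placement and length are validated by the base64 decoder downstream. */` in place of the bare "Only accept base64" comment. response[i] is a plain char, so if base64_is_valid_char indexes a lookup table with its argument, input bytes >= 0x80 become negative indices on platforms where char is signed — confirm the helper in base64.h handles the full byte range safely before relying on this check to reject non-ASCII input. client_auth_respond begins before the hunk and its closing brace lies after it.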