Bug#1129952: dovecot-core: segfault when group ACLs are present but the user has no groups

Fri, 06 Mar 2026 05:51:16 -0800 

Package: dovecot-core
Version: 1:2.4.1+dfsg1-6+deb13u2
Severity: normal

Dear Maintainer,
the current version of dovecot in trixie segfaults when group ACLs are present but a user is not member of any groups. The segfault happens when dovecot receives new mail via LMTP and also for doveadm commands that access the mailbox (like doveadm mailbox list -u <user>).
This issue has been fixed upstream in commit 003bf9a [0]. Could you consider backporting this fix to trixie? 

Regards
René Richter
[0]: https://github.com/dovecot/core/commit/003bf9a6959714e0f696f0015c8c712e89962b9b 

-- Package-specific info:

dovecot conf.d/90-acl.conf
--------------------------
acl_driver = vfile
acl_cache_ttl = 5min
acl_defaults_from_inbox = yes

namespace inbox {
  mailbox * {
    acl group-override=readonly {
      rights = -wstipekxa
    }
  }
}


-- System Information:
Debian Release: 13.3
  APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable') 
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.73+deb13-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dovecot-core depends on:
ii  adduser              3.152
ii  dovecot-sieve        1:2.4.1+dfsg1-6+deb13u2
ii  init-system-helpers  1.69~deb13u1
ii  libapparmor1         4.1.0-1
ii  libbz2-1.0           1.0.8-6
ii  libc6                2.41-12+deb13u1
ii  libcap2              1:2.75-10+b3
ii  libcrypt1            1:4.4.38-1
ii  libexttextcat-2.0-0  3.4.7-1+b1
ii  libicu76             76.1-4
ii  liblua5.4-0          5.4.7-1+b2
ii  liblz4-1             1.10.0-4
ii  libpam-runtime       1.7.0-5
ii  libpam0g             1.7.0-5
ii  libsodium23          1.0.18-1+deb13u1
ii  libssl3t64           3.5.4-1~deb13u2
ii  libstemmer0d         2.2.0-4+b2
ii  libsystemd0          257.9-1~deb13u1
ii  libtirpc3t64         1.3.6+ds-1
ii  libunwind8           1.8.1-0.1
ii  libzstd1             1.5.7+dfsg-1
ii  openssl              3.5.4-1~deb13u2
ii  ssl-cert             1.1.3
ii  ucf                  3.0052
ii  zlib1g               1:1.3.dfsg+really1.3.1-1+b1

dovecot-core recommends no packages.

Versions of packages dovecot-core suggests:
pn  dovecot-flatcurve     <none>
pn  dovecot-gssapi        <none>
ii  dovecot-imapd         1:2.4.1+dfsg1-6+deb13u2
pn  dovecot-ldap          <none>
ii  dovecot-lmtpd         1:2.4.1+dfsg1-6+deb13u2
ii  dovecot-managesieved  1:2.4.1+dfsg1-6+deb13u2
pn  dovecot-mysql         <none>
pn  dovecot-pgsql         <none>
pn  dovecot-pop3d         <none>
pn  dovecot-solr          <none>
pn  dovecot-sqlite        <none>
pn  dovecot-submissiond   <none>
pn  ntp                   <none>

Versions of packages dovecot-core is related to:
ii  dovecot-core [dovecot-common]  1:2.4.1+dfsg1-6+deb13u2
pn  dovecot-dev                    <none>
pn  dovecot-gssapi                 <none>
ii  dovecot-imapd                  1:2.4.1+dfsg1-6+deb13u2
pn  dovecot-ldap                   <none>
ii  dovecot-lmtpd                  1:2.4.1+dfsg1-6+deb13u2
ii  dovecot-managesieved           1:2.4.1+dfsg1-6+deb13u2
pn  dovecot-mysql                  <none>
pn  dovecot-pgsql                  <none>
pn  dovecot-pop3d                  <none>
ii  dovecot-sieve                  1:2.4.1+dfsg1-6+deb13u2
pn  dovecot-sqlite                 <none>

-- no debconf information

Reply via email to