Package: release.debian.org Severity: normal Tags: buster User: [email protected] Usertags: pu
I'd like to fix two upstream regressions in the dovecot version in buster. These are documented in: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930919 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928492 The changes are small and the relevant upstream commits apply cleanly. Both issues have been confirmed fixed in unstable and testing, as well as in the proposed buster updates. There's already a buster security upload queued for the next buster point release. The included debdiff is against that version, but I expect that the upload should include the .changes content since the latest one actually in the archive. Please confirm that. (That would be changelog entries for both 1:2.3.4.1-5+deb10u3 and 1:2.3.4.1-5+deb10u4.) noah
diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog --- dovecot-2.3.4.1/debian/changelog 2020-08-10 18:03:03.000000000 -0700 +++ dovecot-2.3.4.1/debian/changelog 2020-08-26 13:54:40.000000000 -0700 @@ -1,5 +1,14 @@ +dovecot (1:2.3.4.1-5+deb10u4) buster; urgency=medium + + * Import upstream fix for dsync sieve filter sync regression + (Closes: #930919) + * userdb-passwd: Fix getpwent errno handling (Closes: #928492) + + -- Noah Meyerhans <[email protected]> Wed, 26 Aug 2020 13:54:40 -0700 + dovecot (1:2.3.4.1-5+deb10u3) buster-security; urgency=high + * Stable security update (Closes: #968302) * Fix CVE-2020-12100 - Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it. * CVE-2020-12673 - Dovecot's NTLM implementation does not correctly check diff -Nru dovecot-2.3.4.1/debian/patches/bug928492.patch dovecot-2.3.4.1/debian/patches/bug928492.patch --- dovecot-2.3.4.1/debian/patches/bug928492.patch 1969-12-31 16:00:00.000000000 -0800 +++ dovecot-2.3.4.1/debian/patches/bug928492.patch 2020-08-26 13:54:40.000000000 -0700 @@ -0,0 +1,46 @@ +From 414a7db1d15e57433dfc222bd6bf253c83166408 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <[email protected]> +Date: Fri, 5 Oct 2018 10:18:35 +0300 +Subject: [PATCH] userdb-passwd: Fix getpwent errno handling + +In https://bugs.gentoo.org/667118 Reuben Farrelly +noticed that running + # doveadm user '*' +causes auth daemon to generate errors like: + auth-worker(3585): Error: getpwent() failed: Invalid argument + +This happens because on successful call getpwent() +now sets errno=EINVAL starting from glibc-2.28. +See https://sourceware.org/PR16004 for details. + +The fix is to reset 'errno' before 'getpwent()' is called. + +Reported-by: Reuben Farrelly +Bug: https://bugs.gentoo.org/667118 +Bug: https://sourceware.org/PR16004 +Original-Author: Sergei Trofimovich <[email protected]> +--- + src/auth/userdb-passwd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/auth/userdb-passwd.c b/src/auth/userdb-passwd.c +index ee8edf04ee..708762b84a 100644 +--- a/src/auth/userdb-passwd.c ++++ b/src/auth/userdb-passwd.c +@@ -172,12 +172,16 @@ static void passwd_iterate_next(struct userdb_iterate_context *_ctx) + return; + } + ++ /* reset errno since it might have been set when we got here */ + errno = 0; + while ((pw = getpwent()) != NULL) { + if (passwd_iterate_want_pw(pw, set)) { + _ctx->callback(pw->pw_name, _ctx->context); + return; + } ++ /* getpwent might set errno to something even if it ++ returns non-NULL. */ ++ errno = 0; + } + if (errno != 0) { + i_error("getpwent() failed: %m"); diff -Nru dovecot-2.3.4.1/debian/patches/debian-changes dovecot-2.3.4.1/debian/patches/debian-changes --- dovecot-2.3.4.1/debian/patches/debian-changes 2020-08-10 18:03:03.000000000 -0700 +++ dovecot-2.3.4.1/debian/patches/debian-changes 2020-08-26 13:54:40.000000000 -0700 @@ -93780,7 +93780,7 @@ +#endif --- /dev/null +++ dovecot-2.3.4.1/pigeonhole/src/plugins/doveadm-sieve/doveadm-sieve-sync.c -@@ -0,0 +1,747 @@ +@@ -0,0 +1,746 @@ +/* Copyright (c) 2002-2018 Pigeonhole authors, see the included COPYING file + */ + @@ -94390,8 +94390,7 @@ + siter->super = sbox->super.attribute_iter_init(box, type, prefix); + + if (box->storage->user->dsyncing && -+ type == MAIL_ATTRIBUTE_TYPE_PRIVATE && -+ str_begins(prefix, MAILBOX_ATTRIBUTE_PREFIX_SIEVE)) { ++ type == MAIL_ATTRIBUTE_TYPE_PRIVATE) { + if (sieve_attribute_iter_script_init(siter) < 0) + siter->failed = TRUE; + } diff -Nru dovecot-2.3.4.1/debian/patches/series dovecot-2.3.4.1/debian/patches/series --- dovecot-2.3.4.1/debian/patches/series 2020-08-10 18:03:03.000000000 -0700 +++ dovecot-2.3.4.1/debian/patches/series 2020-08-26 13:54:40.000000000 -0700 @@ -51,4 +51,5 @@ CVE-2020-12100/0016-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch CVE-2020-12673.patch CVE-2020-12674/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch +bug928492.patch debian-changes
