Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

I'd like to update the dovecot IMAP suite in buster to address bug #970386. This bug involves a server crash that's triggered when issuing a server-side full-text search against a mailbox containing messages with certain malformed MIME components.

The fix cherry-picked cleanly from upstream and I have confirmed that it addresses the issue.

Thanks
noah

diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog --- dovecot-2.3.4.1/debian/changelog 2020-12-28 15:18:55.000000000 -0800 +++ dovecot-2.3.4.1/debian/changelog 2021-01-27 16:35:17.000000000 -0800 @@ -1,3 +1,10 @@ +dovecot (1:2.3.4.1-5+deb10u6) buster; urgency=medium + + * Backport upstream fix for crash that occurred when searching mailboxes + containing malformed MIME messages. (Closes: #970386) + + -- Noah Meyerhans <[email protected]> Wed, 27 Jan 2021 16:35:17 -0800 + dovecot (1:2.3.4.1-5+deb10u5) buster-security; urgency=high * Import upstream fix for security issues: diff -Nru dovecot-2.3.4.1/debian/patches/bug970386.patch dovecot-2.3.4.1/debian/patches/bug970386.patch --- dovecot-2.3.4.1/debian/patches/bug970386.patch 1969-12-31 16:00:00.000000000 -0800 +++ dovecot-2.3.4.1/debian/patches/bug970386.patch 2021-01-27 16:35:17.000000000 -0800 
@@ -0,0 +1,90 @@ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970386 +From: Timo Sirainen <[email protected]> +Date: Mon, 31 Aug 2020 20:38:42 +0300 +Subject: [PATCH] lib-mail: message_parser_init_from_parts() - Fix crash if + MIME boundaries don't end + +If the last "boundary--" doens't exist, the parsing assert-crashed at +deinit. This mainly happened when searching mails. + +Fixes: +Panic: file message-parser.c: line 175 (message_part_finish): assertion failed: (ctx->nested_parts_count > 0) +--- + src/lib-mail/message-parser.c | 13 ++++++++----- + src/lib-mail/test-message-parser.c | 21 ++++++++++++++++++++- + 2 files changed, 28 insertions(+), 6 deletions(-) + +Index: dovecot/src/lib-mail/message-parser.c +=================================================================== +--- dovecot.orig/src/lib-mail/message-parser.c ++++ dovecot/src/lib-mail/message-parser.c +@@ -138,6 +138,7 @@ message_part_append(struct message_parse + struct message_part *parent = ctx->part; + struct message_part *part; + ++ i_assert(!ctx->preparsed); + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | + MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0); +@@ -171,12 +172,14 @@ static void message_part_finish(struct m + { + struct message_part **const *parent_next_partp; + +- i_assert(ctx->nested_parts_count > 0); +- ctx->nested_parts_count--; +- +- parent_next_partp = array_back(&ctx->next_part_stack); +- array_pop_back(&ctx->next_part_stack); +- ctx->next_part = *parent_next_partp; ++ if (!ctx->preparsed) { ++ i_assert(ctx->nested_parts_count > 0); ++ ctx->nested_parts_count--; ++ ++ parent_next_partp = array_back(&ctx->next_part_stack); ++ array_pop_back(&ctx->next_part_stack); ++ ctx->next_part = *parent_next_partp; ++ } + + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); + message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); +Index: dovecot/src/lib-mail/test-message-parser.c 
+=================================================================== +--- dovecot.orig/src/lib-mail/test-message-parser.c ++++ dovecot/src/lib-mail/test-message-parser.c +@@ -180,9 +180,10 @@ static void test_message_parser_small_bl + static void test_message_parser_stop_early(void) + { + struct message_parser_ctx *parser; +- struct istream *input; ++ struct istream *input, *input2; + struct message_part *parts; + struct message_block block; ++ const char *error; + unsigned int i; + pool_t pool; + int ret; +@@ -200,6 +201,24 @@ static void test_message_parser_stop_ear + &block)) > 0) ; + test_assert(ret == 0); + message_parser_deinit(&parser, &parts); ++ ++ /* test preparsed - first re-parse everything with a stream ++ that sees EOF at this position */ ++ input2 = i_stream_create_from_data(test_msg, i); ++ parser = message_parser_init(pool, input2, &set_empty); ++ while ((ret = message_parser_parse_next_block(parser, ++ &block)) > 0) ; ++ test_assert(ret == -1); ++ message_parser_deinit(&parser, &parts); ++ ++ /* now parse from the parts */ ++ i_stream_seek(input2, 0); ++ parser = message_parser_init_from_parts(parts, input2, &set_empty); ++ while ((ret = message_parser_parse_next_block(parser, ++ &block)) > 0) ; ++ test_assert(ret == -1); ++ test_assert(message_parser_deinit_from_parts(&parser, &parts, &error) == 0); ++ i_stream_unref(&input2); + } + + i_stream_unref(&input); diff -Nru dovecot-2.3.4.1/debian/patches/series dovecot-2.3.4.1/debian/patches/series --- dovecot-2.3.4.1/debian/patches/series 2020-12-28 15:18:55.000000000 -0800 +++ dovecot-2.3.4.1/debian/patches/series 2021-01-27 16:35:17.000000000 -0800 @@ -56,4 +56,5 @@ CVE-2020-24386/0002-imap-Add-unit-test-for-imap-client-hibernate.patch CVE-2020-25275/0001-lib-mail-message-parser-Fix-assert-crash-when-enforc.patch CVE-2020-25275/0002-lib-imap-Don-t-generate-invalid-BODYSTRUCTURE-when-r.patch +bug970386.patch debian-changes
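
Review bot: the header of debian/patches/bug970386.patch carries Bug-Debian, From, Date and Subject but no reference to the upstream commit it was cherry-picked from. Adding a DEP-3 Origin field naming that commit would let the release team check the backport against upstream, and the debian/changelog entry could name the patch file so the two are easy to correlate.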
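
Review bot: in the message_part_append() hunk (@@ -138,6 +138,7 @@), the new i_assert(!ctx->preparsed) adds another assertion to a parser that handles untrusted mail, and the bug being fixed is itself an assertion panic reached from malformed MIME input. Please confirm that no code path of a parser created with message_parser_init_from_parts() can reach message_part_append(), and state that invariant in a one-line comment next to the assert.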
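
Review bot: in the message_part_finish() hunk (@@ -171,12 +172,14 @@), the preparsed path now skips the nested_parts_count assertion, yet the message_size_add() calls that follow still dereference ctx->part->parent unconditionally. Nothing visible in this function checks that the parent exists when ctx->preparsed is set, so an explicit i_assert(ctx->part->parent != NULL) or a guard before those calls would make the assumption checkable. A short comment on why the next_part_stack bookkeeping does not apply to preparsed parsers would also help the next reader.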
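
Review bot: in the test_message_parser_stop_early() hunk (@@ -200,6 +201,24 @@), the from-parts pass only checks return codes: ret == -1 and message_parser_deinit_from_parts() == 0. It never compares the parts produced by the second pass against those from the first, and the error string is not reported if deinit fails. Asserting that the part tree is unchanged after the preparsed run, and including error in the failure output, would make the regression test catch more than the original panic.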

