Your message dated Sat, 16 May 2026 11:07:42 +0000
with message-id <[email protected]>
and subject line Released with 12.14
has caused the Debian Bug report #1135875,
regarding bookworm-pu: package dovecot/1:2.3.19.1+dfsg1-2.1+deb12u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135875
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:dovecot
User: [email protected]
Usertags: pu

Dovecot was updated in bookworm to fix several vulnerabilities with DSA
6197.  There are two issues with the backported fixes that need to be
addressed, but that weren't of a high enough severity to warrant another DSA
revision.  I'd like to correct these issues in the next bookworm point
release.

The issues corrected here are:

An incomplete backport of the CVE-2026-27855 patch from upstream failed to
wrap a call to set_credentials() with the appropriate event delimiters as
intended by upstream.  This was due to a refactor in the 2.4.x development
lifecycle moving this call to another file, and the person performing the
backport to 2.3.x didn't account for the refactor.

The second issue is a memory leak inadvertently introduced when backporting
the fix for CVE-2026-27857.  This is the same leak that needs fixing in
trixie (#1135871).  The solution is to remove the unnecessary
reinitialization of a pointer in src/imap-login/imap-login-cmd-id.c.  Fixing
this also required refreshing subsequent patches for the same vulnerability
due to contextual changes.

debdiff is attached.

noah
diff -Nru dovecot-2.3.19.1+dfsg1/debian/changelog 
dovecot-2.3.19.1+dfsg1/debian/changelog
--- dovecot-2.3.19.1+dfsg1/debian/changelog     2026-04-23 09:40:11.000000000 
-0400
+++ dovecot-2.3.19.1+dfsg1/debian/changelog     2026-05-06 16:09:12.000000000 
-0400
@@ -1,3 +1,10 @@
+dovecot (1:2.3.19.1+dfsg1-2.1+deb12u5) bookworm; urgency=medium
+
+  * [faff670] Correct incomplete backport of CVE-2026-27855 fix
+  * [0e4447b] Fix memory leak in CVE-2026-27857 fix
+
+ -- Noah Meyerhans <[email protected]>  Wed, 06 May 2026 16:09:12 -0400
+
 dovecot (1:2.3.19.1+dfsg1-2.1+deb12u4) bookworm-security; urgency=medium
 
   * [0669596] Add tests for bug 1134464 regression
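Review bot: the two new bullets at the top of this changelog entry do not say which code was touched, so someone reading only the changelog cannot tell what was incomplete in the CVE-2026-27855 backport or where the CVE-2026-27857 leak was. Suggest naming the specifics the patches below show, for example that the set_credentials() call in src/auth/auth-worker-client.c is now wrapped in the passdb event begin/end calls, and that the extra id->log_reply allocation in src/imap-login/imap-login-cmd-id.c was dropped.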
diff -Nru dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27855-3.patch 
dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27855-3.patch
--- dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27855-3.patch        
2026-04-23 09:40:11.000000000 -0400
+++ dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27855-3.patch        
2026-05-05 20:24:18.000000000 -0400
@@ -17,10 +17,10 @@
  src/auth/auth-worker-server.c | 2 ++
  2 files changed, 6 insertions(+)
 
-Index: dovecot/src/auth/auth-request.c
+Index: 2.3/src/auth/auth-request.c
 ===================================================================
---- dovecot.orig/src/auth/auth-request.c
-+++ dovecot/src/auth/auth-request.c
+--- 2.3.orig/src/auth/auth-request.c
++++ 2.3/src/auth/auth-request.c
 @@ -1341,6 +1341,8 @@ void auth_request_set_credentials(struct
        struct auth_passdb *passdb = request->passdb;
        const char *cache_key, *new_credentials;
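Review bot: the Index:, --- and +++ lines in this hunk change only the directory prefix (dovecot/ to 2.3/), and the same churn repeats for every file in the CVE-2026-27857 patches further down, which buries the two functional changes of this upload. Refreshing the series with quilt's "-p ab --no-index --no-timestamps" options, or from a tree with the same directory name as the previous upload, would keep the debdiff down to the lines that need review for the point release.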
@@ -39,3 +39,18 @@
  }
  
  static void auth_request_userdb_save_cache(struct auth_request *request,
+Index: 2.3/src/auth/auth-worker-client.c
+===================================================================
+--- 2.3.orig/src/auth/auth-worker-client.c
++++ 2.3/src/auth/auth-worker-client.c
+@@ -490,8 +490,10 @@ auth_worker_handle_setcred(struct auth_w
+               }
+       }
+ 
++      auth_request_passdb_event_begin(auth_request);
+       auth_request->passdb->passdb->iface.
+               set_credentials(auth_request, creds, set_credentials_callback);
++      auth_request_passdb_event_end(auth_request);
+       return TRUE;
+ }
+ 
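Review bot: the patch's own diffstat, visible as unchanged context above ("src/auth/auth-worker-server.c | 2 ++", "2 files changed, 6 insertions(+)"), does not mention src/auth/auth-worker-client.c, which is the file this appended hunk modifies. Since the incomplete backport came from a file that moved between 2.3.x and 2.4.x, the patch header should state that the auth-worker-server.c change from upstream is applied to auth-worker-client.c in 2.3, and the diffstat should be regenerated to match. Separately, auth_request_passdb_event_end() runs as soon as set_credentials() returns while the result is delivered through set_credentials_callback; a sentence in the header confirming that this matches the upstream placement would help the next person who backports on top of it.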
diff -Nru dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-2.patch 
dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-2.patch
--- dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-2.patch        
2026-04-23 09:40:11.000000000 -0400
+++ dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-2.patch        
2026-05-05 20:24:18.000000000 -0400
@@ -20,10 +20,10 @@
  src/plugins/virtual/virtual-config.c   |  2 +-
  13 files changed, 30 insertions(+), 19 deletions(-)
 
-Index: dovecot/src/imap-login/imap-login-client.c
+Index: 2.3/src/imap-login/imap-login-client.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-client.c
-+++ dovecot/src/imap-login/imap-login-client.c
+--- 2.3.orig/src/imap-login/imap-login-client.c
++++ 2.3/src/imap-login/imap-login-client.c
 @@ -379,7 +379,7 @@ static void imap_client_create(struct cl
        imap_client->parser =
                imap_parser_create(imap_client->common.input,
@@ -42,25 +42,24 @@
  
        /* CRLF is lost from buffer when streams are reopened. */
        imap_client->skip_line = FALSE;
-Index: dovecot/src/imap-login/imap-login-cmd-id.c
+Index: 2.3/src/imap-login/imap-login-cmd-id.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-cmd-id.c
-+++ dovecot/src/imap-login/imap-login-cmd-id.c
-@@ -237,7 +237,9 @@ int cmd_id(struct imap_client *client)
+--- 2.3.orig/src/imap-login/imap-login-cmd-id.c
++++ 2.3/src/imap-login/imap-login-cmd-id.c
+@@ -237,7 +237,8 @@ int cmd_id(struct imap_client *client)
                client->cmd_id = id = i_new(struct imap_client_cmd_id, 1);
                id->parser = imap_parser_create(client->common.input,
                                                client->common.output,
 -                                              IMAP_LOGIN_MAX_LINE_LENGTH);
 +                                              IMAP_LOGIN_MAX_LINE_LENGTH,
 +                                              NULL);
-+              id->log_reply = str_new(default_pool, 64);
                if (client->set->imap_literal_minus)
                        imap_parser_enable_literal_minus(id->parser);
                parser_flags = IMAP_PARSE_FLAG_STOP_AT_LIST;
-Index: dovecot/src/imap/cmd-append.c
+Index: 2.3/src/imap/cmd-append.c
 ===================================================================
---- dovecot.orig/src/imap/cmd-append.c
-+++ dovecot/src/imap/cmd-append.c
+--- 2.3.orig/src/imap/cmd-append.c
++++ 2.3/src/imap/cmd-append.c
 @@ -947,7 +947,8 @@ bool cmd_append(struct client_command_co
        o_stream_unset_flush_callback(client->output);
  
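Review bot: dropping "id->log_reply = str_new(default_pool, 64);" from the cmd_id() hunk is only safe if log_reply is already allocated before this point, and nothing in this debdiff shows that allocation or the matching free. Suggest adding a line to the patch header that names where log_reply is created and released, so the removal can be checked against the source without re-deriving it, and noting that this is a Debian deviation from the patch as first shipped. The diffstat kept as context at the top of this patch ("13 files changed, 30 insertions(+), 19 deletions(-)") also still counts the line that was removed here.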
@@ -71,10 +70,10 @@
        if (client->set->imap_literal_minus)
                imap_parser_enable_literal_minus(ctx->save_parser);
  
-Index: dovecot/src/imap/cmd-setmetadata.c
+Index: 2.3/src/imap/cmd-setmetadata.c
 ===================================================================
---- dovecot.orig/src/imap/cmd-setmetadata.c
-+++ dovecot/src/imap/cmd-setmetadata.c
+--- 2.3.orig/src/imap/cmd-setmetadata.c
++++ 2.3/src/imap/cmd-setmetadata.c
 @@ -289,7 +289,8 @@ cmd_setmetadata_start(struct imap_setmet
           asynchronously the same way as APPEND does. */
        client->input_lock = cmd;
@@ -85,10 +84,10 @@
        if (client->set->imap_literal_minus)
                imap_parser_enable_literal_minus(ctx->parser);
        o_stream_unset_flush_callback(client->output);
-Index: dovecot/src/imap/imap-client.c
+Index: 2.3/src/imap/imap-client.c
 ===================================================================
---- dovecot.orig/src/imap/imap-client.c
-+++ dovecot/src/imap/imap-client.c
+--- 2.3.orig/src/imap/imap-client.c
++++ 2.3/src/imap/imap-client.c
 @@ -953,7 +953,8 @@ client_command_new(struct client *client
        } else {
                cmd->parser =
@@ -99,10 +98,10 @@
                if (client->set->imap_literal_minus)
                        imap_parser_enable_literal_minus(cmd->parser);
        }
-Index: dovecot/src/lib-imap-client/imapc-connection.c
+Index: 2.3/src/lib-imap-client/imapc-connection.c
 ===================================================================
---- dovecot.orig/src/lib-imap-client/imapc-connection.c
-+++ dovecot/src/lib-imap-client/imapc-connection.c
+--- 2.3.orig/src/lib-imap-client/imapc-connection.c
++++ 2.3/src/lib-imap-client/imapc-connection.c
 @@ -1822,7 +1822,8 @@ static void imapc_connection_connect_nex
        o_stream_set_flush_callback(conn->output, imapc_connection_connected,
                                    conn);
@@ -113,10 +112,10 @@
        conn->to = timeout_add(conn->client->set.connect_timeout_msecs,
                               imapc_connection_timeout, conn);
        conn->to_output = timeout_add(conn->client->set.max_idle_time*1000,
-Index: dovecot/src/lib-imap-storage/imap-msgpart.c
+Index: 2.3/src/lib-imap-storage/imap-msgpart.c
 ===================================================================
---- dovecot.orig/src/lib-imap-storage/imap-msgpart.c
-+++ dovecot/src/lib-imap-storage/imap-msgpart.c
+--- 2.3.orig/src/lib-imap-storage/imap-msgpart.c
++++ 2.3/src/lib-imap-storage/imap-msgpart.c
 @@ -148,7 +148,7 @@ imap_msgpart_get_header_fields(pool_t po
        int result = 0;
  
@@ -126,10 +125,10 @@
  
        if (imap_parser_finish_line(parser, 0, 0, &args) > 0 &&
            imap_arg_get_list_full(args, &hdr_list, &list_count) &&
-Index: dovecot/src/lib-imap/imap-bodystructure.c
+Index: 2.3/src/lib-imap/imap-bodystructure.c
 ===================================================================
---- dovecot.orig/src/lib-imap/imap-bodystructure.c
-+++ dovecot/src/lib-imap/imap-bodystructure.c
+--- 2.3.orig/src/lib-imap/imap-bodystructure.c
++++ 2.3/src/lib-imap/imap-bodystructure.c
 @@ -694,7 +694,7 @@ int imap_bodystructure_parse_full(const
        input = i_stream_create_from_data(bodystructure, strlen(bodystructure));
        (void)i_stream_read(input);
@@ -148,10 +147,10 @@
        ret = imap_parser_finish_line(parser, 0, IMAP_PARSE_FLAG_NO_UNESCAPE |
                                      IMAP_PARSE_FLAG_LITERAL_TYPE, &args);
        if (ret < 0) {
-Index: dovecot/src/lib-imap/imap-envelope.c
+Index: 2.3/src/lib-imap/imap-envelope.c
 ===================================================================
---- dovecot.orig/src/lib-imap/imap-envelope.c
-+++ dovecot/src/lib-imap/imap-envelope.c
+--- 2.3.orig/src/lib-imap/imap-envelope.c
++++ 2.3/src/lib-imap/imap-envelope.c
 @@ -222,7 +222,7 @@ bool imap_envelope_parse(const char *env
        input = i_stream_create_from_data(envelope, strlen(envelope));
        (void)i_stream_read(input);
@@ -161,10 +160,10 @@
        ret = imap_parser_finish_line(parser, 0,
                                      IMAP_PARSE_FLAG_LITERAL_TYPE, &args);
        if (ret < 0) {
-Index: dovecot/src/lib-imap/imap-parser.c
+Index: 2.3/src/lib-imap/imap-parser.c
 ===================================================================
---- dovecot.orig/src/lib-imap/imap-parser.c
-+++ dovecot/src/lib-imap/imap-parser.c
+--- 2.3.orig/src/lib-imap/imap-parser.c
++++ 2.3/src/lib-imap/imap-parser.c
 @@ -69,7 +69,8 @@ struct imap_parser {
  
  struct imap_parser *
@@ -175,10 +174,10 @@
  {
        struct imap_parser *parser;
  
-Index: dovecot/src/lib-imap/imap-parser.h
+Index: 2.3/src/lib-imap/imap-parser.h
 ===================================================================
---- dovecot.orig/src/lib-imap/imap-parser.h
-+++ dovecot/src/lib-imap/imap-parser.h
+--- 2.3.orig/src/lib-imap/imap-parser.h
++++ 2.3/src/lib-imap/imap-parser.h
 @@ -38,6 +38,9 @@ enum imap_parser_error {
        IMAP_PARSE_ERROR_LITERAL_TOO_BIG
  };
@@ -199,10 +198,10 @@
  void imap_parser_ref(struct imap_parser *parser);
  void imap_parser_unref(struct imap_parser **parser);
  
-Index: dovecot/src/lib-imap/test-imap-parser.c
+Index: 2.3/src/lib-imap/test-imap-parser.c
 ===================================================================
---- dovecot.orig/src/lib-imap/test-imap-parser.c
-+++ dovecot/src/lib-imap/test-imap-parser.c
+--- 2.3.orig/src/lib-imap/test-imap-parser.c
++++ 2.3/src/lib-imap/test-imap-parser.c
 @@ -16,7 +16,7 @@ static void test_imap_parser_crlf(void)
  
        test_begin("imap parser crlf handling");
@@ -239,10 +238,10 @@
                        ret = imap_parser_read_command_name(parser, &atom);
                        test_assert_idx(ret == tests[i].ret, i);
                        test_assert_idx(ret <= 0 || strcmp(tests[i].tag, atom) 
== 0, i);
-Index: dovecot/src/plugins/virtual/virtual-config.c
+Index: 2.3/src/plugins/virtual/virtual-config.c
 ===================================================================
---- dovecot.orig/src/plugins/virtual/virtual-config.c
-+++ dovecot/src/plugins/virtual/virtual-config.c
+--- 2.3.orig/src/plugins/virtual/virtual-config.c
++++ 2.3/src/plugins/virtual/virtual-config.c
 @@ -54,7 +54,7 @@ virtual_search_args_parse(const string_t
        input = i_stream_create_from_data(str_data(rule), str_len(rule));
        (void)i_stream_read(input);
@@ -252,10 +251,10 @@
        ret = imap_parser_finish_line(imap_parser, 0,  0, &args);
        if (ret < 0) {
                sargs = NULL;
-Index: dovecot/src/lib-imap/imap-id.c
+Index: 2.3/src/lib-imap/imap-id.c
 ===================================================================
---- dovecot.orig/src/lib-imap/imap-id.c
-+++ dovecot/src/lib-imap/imap-id.c
+--- 2.3.orig/src/lib-imap/imap-id.c
++++ 2.3/src/lib-imap/imap-id.c
 @@ -111,7 +111,7 @@ const char *imap_id_reply_generate(const
        input = i_stream_create_from_data(settings, strlen(settings));
        (void)i_stream_read(input);
@@ -265,10 +264,10 @@
        if (imap_parser_finish_line(parser, 0, 0, &args) <= 0)
                ret = "NIL";
        else
-Index: dovecot/src/director/director-test.c
+Index: 2.3/src/director/director-test.c
 ===================================================================
---- dovecot.orig/src/director/director-test.c
-+++ dovecot/src/director/director-test.c
+--- 2.3.orig/src/director/director-test.c
++++ 2.3/src/director/director-test.c
 @@ -250,7 +250,7 @@ static void imap_client_create(int fd)
        o_stream_set_no_error_handling(client->output, TRUE);
        client->io = io_add(fd, IO_READ, imap_client_input, client);
diff -Nru dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-4.patch 
dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-4.patch
--- dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-4.patch        
2026-04-23 09:40:11.000000000 -0400
+++ dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-4.patch        
2026-05-06 07:50:20.000000000 -0400
@@ -11,10 +11,10 @@
  src/imap-login/imap-login-cmd-id.c |  6 +++++-
  3 files changed, 17 insertions(+), 3 deletions(-)
 
-Index: dovecot/src/imap-login/imap-login-client.c
+Index: 2.3/src/imap-login/imap-login-client.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-client.c
-+++ dovecot/src/imap-login/imap-login-client.c
+--- 2.3.orig/src/imap-login/imap-login-client.c
++++ 2.3/src/imap-login/imap-login-client.c
 @@ -375,11 +375,14 @@ static void imap_client_create(struct cl
  {
        struct imap_client *imap_client = (struct imap_client *)client;
@@ -47,10 +47,10 @@
  
        /* CRLF is lost from buffer when streams are reopened. */
        imap_client->skip_line = FALSE;
-Index: dovecot/src/imap-login/imap-login-client.h
+Index: 2.3/src/imap-login/imap-login-client.h
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-client.h
-+++ dovecot/src/imap-login/imap-login-client.h
+--- 2.3.orig/src/imap-login/imap-login-client.h
++++ 2.3/src/imap-login/imap-login-client.h
 @@ -11,6 +11,10 @@
  /* maximum length for IMAP command line. */
  #define IMAP_LOGIN_MAX_LINE_LENGTH 8192
@@ -62,10 +62,10 @@
  enum imap_client_id_state {
        IMAP_CLIENT_ID_STATE_LIST = 0,
        IMAP_CLIENT_ID_STATE_KEY,
-Index: dovecot/src/imap-login/imap-login-cmd-id.c
+Index: 2.3/src/imap-login/imap-login-cmd-id.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-cmd-id.c
-+++ dovecot/src/imap-login/imap-login-cmd-id.c
+--- 2.3.orig/src/imap-login/imap-login-cmd-id.c
++++ 2.3/src/imap-login/imap-login-cmd-id.c
 @@ -235,10 +235,14 @@ int cmd_id(struct imap_client *client)
  
        if (client->cmd_id == NULL) {
@@ -79,6 +79,6 @@
                                                IMAP_LOGIN_MAX_LINE_LENGTH,
 -                                              NULL);
 +                                              &params);
-               id->log_reply = str_new(default_pool, 64);
                if (client->set->imap_literal_minus)
                        imap_parser_enable_literal_minus(id->parser);
+               parser_flags = IMAP_PARSE_FLAG_STOP_AT_LIST;
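Review bot: the leak fix reaches this patch only as a context swap (the "id->log_reply = str_new(default_pool, 64);" context line goes away and "parser_flags = IMAP_PARSE_FLAG_STOP_AT_LIST;" is picked up as trailing context), because the real change was made by editing CVE-2026-27857-2.patch in place. A small separate patch at the end of the series that removes the extra allocation would leave the patches shipped with the security upload untouched, avoid this refresh entirely, and give changelog item [0e4447b] a single file to point at.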
diff -Nru dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-5.patch 
dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-5.patch
--- dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-5.patch        
2026-04-23 09:40:11.000000000 -0400
+++ dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-5.patch        
2026-05-06 08:02:06.000000000 -0400
@@ -9,10 +9,10 @@
  src/lib-imap/test-imap-parser.c    | 2 +-
  3 files changed, 4 insertions(+), 4 deletions(-)
 
-Index: dovecot/src/imap-login/imap-login-client.c
+Index: 2.3/src/imap-login/imap-login-client.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-client.c
-+++ dovecot/src/imap-login/imap-login-client.c
+--- 2.3.orig/src/imap-login/imap-login-client.c
++++ 2.3/src/imap-login/imap-login-client.c
 @@ -375,7 +375,7 @@ static void imap_client_create(struct cl
  {
        struct imap_client *imap_client = (struct imap_client *)client;
@@ -31,10 +31,10 @@
                .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
        };
        imap_parser_unref(&imap_client->parser);
-Index: dovecot/src/imap-login/imap-login-cmd-id.c
+Index: 2.3/src/imap-login/imap-login-cmd-id.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-cmd-id.c
-+++ dovecot/src/imap-login/imap-login-cmd-id.c
+--- 2.3.orig/src/imap-login/imap-login-cmd-id.c
++++ 2.3/src/imap-login/imap-login-cmd-id.c
 @@ -236,7 +236,7 @@ int cmd_id(struct imap_client *client)
        if (client->cmd_id == NULL) {
                client->cmd_id = id = i_new(struct imap_client_cmd_id, 1);
@@ -44,10 +44,10 @@
                        .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
                };
                id->parser = imap_parser_create(client->common.input,
-Index: dovecot/src/lib-imap/test-imap-parser.c
+Index: 2.3/src/lib-imap/test-imap-parser.c
 ===================================================================
---- dovecot.orig/src/lib-imap/test-imap-parser.c
-+++ dovecot/src/lib-imap/test-imap-parser.c
+--- 2.3.orig/src/lib-imap/test-imap-parser.c
++++ 2.3/src/lib-imap/test-imap-parser.c
 @@ -95,7 +95,7 @@ static void test_imap_parser_list_limit(
        const struct imap_arg *args;
  

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.14

This update has been released as part of Debian 12.14.

--- End Message ---
