Hello community, here is the log from the commit of package dovecot23 for openSUSE:Factory checked in at 2018-03-07 10:39:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dovecot23 (Old) and /work/SRC/openSUSE:Factory/.dovecot23.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dovecot23" Wed Mar 7 10:39:34 2018 rev:3 rq:583681 version:2.3.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/dovecot23/dovecot23.changes 2018-01-10 23:35:43.722444855 +0100 +++ /work/SRC/openSUSE:Factory/.dovecot23.new/dovecot23.changes 2018-03-07 10:39:51.243275430 +0100 @@ -1,0 +2,41 @@ +Tue Mar 6 19:28:49 UTC 2018 - [email protected] + +- update pigeonhole to 0.5.0.1 + - imap4flags extension: Fix binary corruption occurring when + setflag/addflag/removeflag flag-list is a variable. + - sieve-extprograms plugin: Fix segfault occurring when used in + IMAPSieve context. +- drop 321a39be974deb2e7eff7b2a509a3ee6ff2e5ae1.patch + +------------------------------------------------------------------- +Tue Mar 6 17:54:58 UTC 2018 - [email protected] + +- pull backport patch dovecot-2.3.0.1-over-quota-lmtp-crash.patch + +------------------------------------------------------------------- +Tue Mar 6 13:48:50 UTC 2018 - [email protected] + +- update to 2.3.0.1 + * CVE-2017-15130: TLS SNI config lookups may lead to excessive + memory usage, causing imap-login/pop3-login VSZ limit to be + reached and the process restarted. This happens only if Dovecot + config has local_name { } or local { } configuration blocks and + attacker uses randomly generated SNI servernames. + * CVE-2017-14461: Parsing invalid email addresses may cause a + crash or leak memory contents to attacker. For example, these + memory contents might contain parts of an email from another + user if the same imap process is reused for multiple users. + First discovered by Aleksandar Nikolic of Cisco Talos. + Independently also discovered by "flxflndy" via HackerOne. + * CVE-2017-15132: Aborted SASL authentication leaks memory in + login process. + * Linux: Core dumping is no longer enabled by default via + PR_SET_DUMPABLE, because this may allow attackers to bypass + chroot/group restrictions. Found by cPanel Security Team. + Nowadays core dumps can be safely enabled by using "sysctl -w + fs.suid_dumpable=2". If the old behaviour is wanted, it can + still be enabled by setting: + import_environment=$import_environment PR_SET_DUMPABLE=1 + - imap-login with SSL/TLS connections may end up in infinite loop + +------------------------------------------------------------------- Old: ---- 321a39be974deb2e7eff7b2a509a3ee6ff2e5ae1.patch dovecot-2.3-pigeonhole-0.5.0.tar.gz dovecot-2.3.0.tar.gz New: ---- dovecot-2.3-pigeonhole-0.5.0.1.tar.gz dovecot-2.3.0.1-over-quota-lmtp-crash.patch dovecot-2.3.0.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dovecot23.spec ++++++ --- /var/tmp/diff_new_pack.uzV0Z7/_old 2018-03-07 10:39:53.467195212 +0100 +++ /var/tmp/diff_new_pack.uzV0Z7/_new 2018-03-07 10:39:53.471195067 +0100 @@ -1,7 +1,7 @@ # -# spec file for package dovecot22 +# spec file for package dovecot23 # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,11 +17,11 @@ Name: dovecot23 -Version: 2.3.0 +Version: 2.3.0.1 Release: 0 %define pkg_name dovecot -%define dovecot_version 2.3.0 -%define dovecot_pigeonhole_version 0.5.0 +%define dovecot_version 2.3.0.1 +%define dovecot_pigeonhole_version 0.5.0.1 %define dovecot_branch 2.3 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version} %define dovecot_pigeonhole_docdir %{_docdir}/%{pkg_name}/dovecot-pigeonhole @@ -133,7 +133,7 @@ Source9: dovecot-2.3-pigeonhole.configfiles Patch: dovecot-2.3.0-dont_use_etc_ssl_certs.patch Patch1: dovecot-2.3.0-better_ssl_defaults.patch -Patch2: https://github.com/stephanbosch/pigeonhole-core/commit/321a39be974deb2e7eff7b2a509a3ee6ff2e5ae1.patch +Patch2: dovecot-2.3.0.1-over-quota-lmtp-crash.patch Summary: IMAP and POP3 Server Written Primarily with Security in Mind License: BSD-3-Clause and LGPL-2.1+ and MIT Group: Productivity/Networking/Email/Servers @@ -310,12 +310,10 @@ dovecot tree. %prep -%setup -q -n %{pkg_name}-ce-%{dovecot_version} -a 1 +%setup -q -n %{pkg_name}-%{dovecot_version} -a 1 %patch -p1 %patch1 -p1 -pushd %{dovecot_pigeonhole_source_dir} %patch2 -p1 -popd gzip -9v ChangeLog # Fix plugins dir. sed -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf ++++++ dovecot-2.3-pigeonhole-0.5.0.tar.gz -> dovecot-2.3-pigeonhole-0.5.0.1.tar.gz ++++++ ++++ 3867 lines of diff (skipped) ++++++ dovecot-2.3.0.1-over-quota-lmtp-crash.patch ++++++ >From 2bf919786518d138cc07d9cc21e14ad5e07e5e56 Mon Sep 17 00:00:00 2001 From: Stephan Bosch <[email protected]> Date: Wed, 17 Jan 2018 21:26:44 +0100 Subject: [PATCH] lmtp: local: Fix segfault occurring when quota is exceeded. --- src/lmtp/lmtp-local.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lmtp/lmtp-local.c b/src/lmtp/lmtp-local.c index fa1ce5d869..5b5fe51a95 100644 --- a/src/lmtp/lmtp-local.c +++ b/src/lmtp/lmtp-local.c @@ -133,7 +133,7 @@ static void lmtp_local_rcpt_reply_overquota(struct lmtp_local_recipient *rcpt, const char *error) { - struct smtp_address *address = rcpt->rcpt.rcpt->path; + struct smtp_address *address = rcpt->rcpt.path; struct lda_settings *lda_set = mail_storage_service_user_get_set(rcpt->service_user)[2]; >From cdbcc8db8e0a04b2cbf6ca9f20b3ee7f7173552d Mon Sep 17 00:00:00 2001 From: Stephan Bosch <[email protected]> Date: Wed, 31 Jan 2018 10:30:23 +0100 Subject: [PATCH 1/3] lmtp: local: Make local variable for rcpt->rcpt.rcpt_cmd in lmtp_local_rcpt_check_quota(). --- src/lmtp/lmtp-local.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/lmtp/lmtp-local.c b/src/lmtp/lmtp-local.c index c770e35e5b..d0ee4b312e 100644 --- a/src/lmtp/lmtp-local.c +++ b/src/lmtp/lmtp-local.c @@ -195,6 +195,7 @@ static int lmtp_local_rcpt_check_quota(struct lmtp_local_recipient *rcpt) { struct client *client = rcpt->rcpt.client; + struct smtp_server_cmd_ctx *cmd = rcpt->rcpt.rcpt_cmd; struct smtp_address *address = rcpt->rcpt.path; struct mail_user *user; struct mail_namespace *ns; @@ -245,10 +246,10 @@ lmtp_local_rcpt_check_quota(struct lmtp_local_recipient *rcpt) } if (ret < 0 && - !smtp_server_command_is_replied(rcpt->rcpt.rcpt_cmd->cmd)) { - smtp_server_reply(rcpt->rcpt.rcpt_cmd, - 451, "4.3.0", "<%s> Temporary internal error", - smtp_address_encode(address)); + !smtp_server_command_is_replied(cmd->cmd)) { + smtp_server_reply(cmd, 451, "4.3.0", + "<%s> Temporary internal error", + smtp_address_encode(address)); } return ret; } >From c23717da4af9d3275cb45cbc67faaa8daa353ec1 Mon Sep 17 00:00:00 2001 From: Stephan Bosch <[email protected]> Date: Wed, 31 Jan 2018 10:34:11 +0100 Subject: [PATCH 2/3] lmtp: local: Add explicit cmd parameter to lmtp_local_rcpt_reply_overquota(). Using the RCPT cmd is only valid for the RCPT command and not when quota excess is detected during DATA. That would cause a segmentation fault, since rcpt->rcpt.rcpt_cmd == NULL. --- src/lmtp/lmtp-local.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/src/lmtp/lmtp-local.c b/src/lmtp/lmtp-local.c index d0ee4b312e..c19c449e61 100644 --- a/src/lmtp/lmtp-local.c +++ b/src/lmtp/lmtp-local.c @@ -134,6 +134,7 @@ lmtp_local_rcpt_deinit(struct lmtp_local_recipient *rcpt) static void lmtp_local_rcpt_reply_overquota(struct lmtp_local_recipient *rcpt, + struct smtp_server_cmd_ctx *cmd, const char *error) { struct smtp_address *address = rcpt->rcpt.path; @@ -141,13 +142,11 @@ lmtp_local_rcpt_reply_overquota(struct lmtp_local_recipient *rcpt, mail_storage_service_user_get_set(rcpt->service_user)[2]; if (lda_set->quota_full_tempfail) { - smtp_server_reply(rcpt->rcpt.rcpt_cmd, - 452, "4.2.2", "<%s> %s", - smtp_address_encode(address), error); + smtp_server_reply(cmd, 452, "4.2.2", "<%s> %s", + smtp_address_encode(address), error); } else { - smtp_server_reply(rcpt->rcpt.rcpt_cmd, - 552, "5.2.2", "<%s> %s", - smtp_address_encode(address), error); + smtp_server_reply(cmd, 552, "5.2.2", "<%s> %s", + smtp_address_encode(address), error); } } @@ -232,7 +231,7 @@ lmtp_local_rcpt_check_quota(struct lmtp_local_recipient *rcpt) if (ret < 0) { error = mailbox_get_last_error(box, &mail_error); if (mail_error == MAIL_ERROR_NOQUOTA) { - lmtp_local_rcpt_reply_overquota(rcpt, error); + lmtp_local_rcpt_reply_overquota(rcpt, cmd, error); } else { i_error("mailbox_get_status(%s, STATUS_CHECK_OVER_QUOTA) " "failed: %s", @@ -623,7 +622,7 @@ lmtp_local_deliver(struct lmtp_local *local, } else if (storage != NULL) { error = mail_storage_get_last_error(storage, &mail_error); if (mail_error == MAIL_ERROR_NOQUOTA) { - lmtp_local_rcpt_reply_overquota(rcpt, error); + lmtp_local_rcpt_reply_overquota(rcpt, cmd, error); } else { smtp_server_reply_index(cmd, rcpt_idx, 451, "4.2.0", "<%s> %s", >From f8d9e6c977847a411af9986c9be62f74e4b06143 Mon Sep 17 00:00:00 2001 From: Stephan Bosch <[email protected]> Date: Wed, 31 Jan 2018 10:27:54 +0100 Subject: [PATCH 3/3] lmtp: local: Use recipient index in lmtp_local_rcpt_reply_overquota(). When used during the DATA command, it should send a reply for the correct recipient. During the RCPT command there is only one reply due. Added assert that checks this. --- src/lmtp/lmtp-local.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/lmtp/lmtp-local.c b/src/lmtp/lmtp-local.c index c19c449e61..0b5e7e06ec 100644 --- a/src/lmtp/lmtp-local.c +++ b/src/lmtp/lmtp-local.c @@ -138,15 +138,18 @@ lmtp_local_rcpt_reply_overquota(struct lmtp_local_recipient *rcpt, const char *error) { struct smtp_address *address = rcpt->rcpt.path; + unsigned int rcpt_idx = rcpt->rcpt.index; struct lda_settings *lda_set = mail_storage_service_user_get_set(rcpt->service_user)[2]; + i_assert(rcpt_idx == 0 || rcpt->rcpt.rcpt_cmd == NULL); + if (lda_set->quota_full_tempfail) { - smtp_server_reply(cmd, 452, "4.2.2", "<%s> %s", - smtp_address_encode(address), error); + smtp_server_reply_index(cmd, rcpt_idx, 452, "4.2.2", "<%s> %s", + smtp_address_encode(address), error); } else { - smtp_server_reply(cmd, 552, "5.2.2", "<%s> %s", - smtp_address_encode(address), error); + smtp_server_reply_index(cmd, rcpt_idx, 552, "5.2.2", "<%s> %s", + smtp_address_encode(address), error); } } ++++++ dovecot-2.3-pigeonhole-0.5.0.tar.gz -> dovecot-2.3.0.1.tar.gz ++++++ /work/SRC/openSUSE:Factory/dovecot23/dovecot-2.3-pigeonhole-0.5.0.tar.gz /work/SRC/openSUSE:Factory/.dovecot23.new/dovecot-2.3.0.1.tar.gz differ: char 5, line 1
