Hello community, here is the log from the commit of package dovecot23 for openSUSE:Factory checked in at 2019-08-29 17:28:03

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dovecot23 (Old)
 and /work/SRC/openSUSE:Factory/.dovecot23.new.7948 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dovecot23" Thu Aug 29 17:28:03 2019 rev:20 rq:726988 version:2.3.7.2 Changes: -------- --- /work/SRC/openSUSE:Factory/dovecot23/dovecot23.changes 2019-07-26 12:40:23.853906983 +0200 +++ /work/SRC/openSUSE:Factory/.dovecot23.new.7948/dovecot23.changes 2019-08-29 17:28:07.595262212 +0200 @@ -1,0 +2,17 @@ +Wed Aug 28 16:57:12 UTC 2019 - Marcus Rueckert <[email protected]> + +- update to 2.3.7.2 + * CVE-2019-11500: IMAP protocol parser does not properly handle + NUL byte when scanning data in quoted strings, leading to out + of bounds heap memory writes. Found by Nick Roessler and Rafi + Rubin. (boo#1145559) +- update pigeonhole to 0.5.7.2 + * CVE-2019-11500: ManageSieve protocol parser does not properly + handle NUL byte when scanning data in quoted strings, leading + to out of bounds heap memory writes. Found by Nick Roessler and + Rafi Rubin. (boo#1145559) +- refreshed patches to apply cleanly again: + dovecot-2.3.0-better_ssl_defaults.patch + dovecot-2.3.0-dont_use_etc_ssl_certs.patch + +------------------------------------------------------------------- Old: ---- dovecot-2.3-pigeonhole-0.5.7.1.tar.gz dovecot-2.3-pigeonhole-0.5.7.1.tar.gz.sig dovecot-2.3.7.1.tar.gz dovecot-2.3.7.1.tar.gz.sig New: ---- dovecot-2.3-pigeonhole-0.5.7.2.tar.gz dovecot-2.3-pigeonhole-0.5.7.2.tar.gz.sig dovecot-2.3.7.2.tar.gz dovecot-2.3.7.2.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dovecot23.spec ++++++ --- /var/tmp/diff_new_pack.j75c5r/_old 2019-08-29 17:28:08.755262032 +0200 +++ /var/tmp/diff_new_pack.j75c5r/_new 2019-08-29 17:28:08.755262032 +0200 
@@ -12,16 +12,16 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: dovecot23 -Version: 2.3.7.1 +Version: 2.3.7.2 Release: 0 %define pkg_name dovecot -%define dovecot_version 2.3.7.1 -%define dovecot_pigeonhole_version 0.5.7.1 +%define dovecot_version 2.3.7.2 +%define dovecot_pigeonhole_version 0.5.7.2 %define dovecot_branch 2.3 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version} %define dovecot_pigeonhole_docdir %{_docdir}/%{pkg_name}/dovecot-pigeonhole ++++++ dovecot-2.3-pigeonhole-0.5.7.1.tar.gz -> dovecot-2.3-pigeonhole-0.5.7.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dovecot-2.3-pigeonhole-0.5.7.1/ChangeLog new/dovecot-2.3-pigeonhole-0.5.7.2/ChangeLog --- old/dovecot-2.3-pigeonhole-0.5.7.1/ChangeLog 2019-07-23 12:20:56.000000000 +0200 +++ new/dovecot-2.3-pigeonhole-0.5.7.2/ChangeLog 2019-08-26 12:38:11.000000000 +0200 
@@ -1,3 +1,37 @@ +2019-08-23 09:48:58 +0300 Aki Tuomi <[email protected]> (7372921a) + + Released 0.5.7.2 + + +M NEWS +M configure.ac + +2019-05-17 10:39:25 +0300 Timo Sirainen <[email protected]> (4a299840) + + lib-managesieve: Make sure str_unescape() won't be writing past allocated + memory + + The previous commit should already prevent this, but this makes sure it + can't become broken in the future either. It makes the performance a tiny + bit worse, but that's not practically noticeable. + +M src/lib-managesieve/managesieve-parser.c + +2019-05-10 19:43:55 +0300 Timo Sirainen <[email protected]> (7ce9990a) + + lib-managesieve: Don't accept strings with NULs + + ManageSieve doesn't allow NULs in strings. + + This fixes a bug with unescaping a string with NULs: str_unescape() could + have been called for memory that points outside the allocated string, + causing heap corruption. This could cause crashes or theoretically even + result in remote code execution exploit. + + Found by Nick Roessler and Rafi Rubin + +M src/lib-managesieve/managesieve-parser.c + 2019-07-22 14:02:50 +0300 Timo Sirainen <[email protected]> (db5c74be) Released v0.5.7.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dovecot-2.3-pigeonhole-0.5.7.1/NEWS new/dovecot-2.3-pigeonhole-0.5.7.2/NEWS --- old/dovecot-2.3-pigeonhole-0.5.7.1/NEWS 2019-07-23 12:20:46.000000000 +0200 +++ new/dovecot-2.3-pigeonhole-0.5.7.2/NEWS 2019-08-26 12:38:00.000000000 +0200 
@@ -1,3 +1,9 @@ +v0.5.7.2 2019-08-28 Aki Tuomi <[email protected]> + + * CVE-2019-11500: ManageSieve protocol parser does not properly handle + NUL byte when scanning data in quoted strings, leading to out of + bounds heap memory writes. Found by Nick Roessler and Rafi Rubin. + v0.5.7.1 2019-07-23 Timo Sirainen <[email protected]> - dsync: Sieve script syncing failed if mailbox attributes weren't diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dovecot-2.3-pigeonhole-0.5.7.1/configure new/dovecot-2.3-pigeonhole-0.5.7.2/configure --- old/dovecot-2.3-pigeonhole-0.5.7.1/configure 2019-07-23 12:20:51.000000000 +0200 +++ new/dovecot-2.3-pigeonhole-0.5.7.2/configure 2019-08-26 12:38:05.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Pigeonhole 0.5.7.1. +# Generated by GNU Autoconf 2.69 for Pigeonhole 0.5.7.2. # # Report bugs to <[email protected]>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='Pigeonhole' PACKAGE_TARNAME='dovecot-2.3-pigeonhole' -PACKAGE_VERSION='0.5.7.1' -PACKAGE_STRING='Pigeonhole 0.5.7.1' +PACKAGE_VERSION='0.5.7.2' +PACKAGE_STRING='Pigeonhole 0.5.7.2' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1413,7 +1413,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Pigeonhole 0.5.7.1 to adapt to many kinds of systems. +\`configure' configures Pigeonhole 0.5.7.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1485,7 +1485,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Pigeonhole 0.5.7.1:";; + short | recursive ) echo "Configuration of Pigeonhole 0.5.7.2:";; esac cat <<\_ACEOF 
@@ -1610,7 +1610,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Pigeonhole configure 0.5.7.1 +Pigeonhole configure 0.5.7.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1979,7 +1979,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Pigeonhole $as_me 0.5.7.1, which was +It was created by Pigeonhole $as_me 0.5.7.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2869,7 +2869,7 @@ # Define the identity of the package. PACKAGE='dovecot-2.3-pigeonhole' - VERSION='0.5.7.1' + VERSION='0.5.7.2' # Some tools Automake needs. @@ -13907,7 +13907,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Pigeonhole $as_me 0.5.7.1, which was +This file was extended by Pigeonhole $as_me 0.5.7.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -13973,7 +13973,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Pigeonhole config.status 0.5.7.1 +Pigeonhole config.status 0.5.7.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dovecot-2.3-pigeonhole-0.5.7.1/configure.ac new/dovecot-2.3-pigeonhole-0.5.7.2/configure.ac --- old/dovecot-2.3-pigeonhole-0.5.7.1/configure.ac 2019-07-23 12:20:46.000000000 +0200 +++ new/dovecot-2.3-pigeonhole-0.5.7.2/configure.ac 2019-08-26 12:38:00.000000000 +0200 
@@ -2,7 +2,7 @@ # Be sure to update ABI version also if anything changes that might require # recompiling plugins. Most importantly that means if any structs are changed. -AC_INIT([Pigeonhole], [0.5.7.1], [[email protected]], [dovecot-2.3-pigeonhole]) +AC_INIT([Pigeonhole], [0.5.7.2], [[email protected]], [dovecot-2.3-pigeonhole]) AC_DEFINE_UNQUOTED([PIGEONHOLE_ABI_VERSION], "0.5.ABIv7($PACKAGE_VERSION)", [Pigeonhole ABI version]) AC_CONFIG_AUX_DIR([.]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dovecot-2.3-pigeonhole-0.5.7.1/pigeonhole-version.h new/dovecot-2.3-pigeonhole-0.5.7.2/pigeonhole-version.h --- old/dovecot-2.3-pigeonhole-0.5.7.1/pigeonhole-version.h 2019-07-23 12:20:56.000000000 +0200 +++ new/dovecot-2.3-pigeonhole-0.5.7.2/pigeonhole-version.h 2019-08-26 12:38:11.000000000 +0200 @@ -1,6 +1,6 @@ #ifndef PIGEONHOLE_VERSION_H #define PIGEONHOLE_VERSION_H -#define PIGEONHOLE_VERSION_FULL PIGEONHOLE_VERSION" (db5c74be)" +#define PIGEONHOLE_VERSION_FULL PIGEONHOLE_VERSION" (7372921a)" #endif /* PIGEONHOLE_VERSION_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dovecot-2.3-pigeonhole-0.5.7.1/src/lib-managesieve/managesieve-parser.c new/dovecot-2.3-pigeonhole-0.5.7.2/src/lib-managesieve/managesieve-parser.c --- old/dovecot-2.3-pigeonhole-0.5.7.1/src/lib-managesieve/managesieve-parser.c 2019-07-23 12:20:46.000000000 +0200 +++ new/dovecot-2.3-pigeonhole-0.5.7.2/src/lib-managesieve/managesieve-parser.c 2019-08-26 12:38:00.000000000 +0200 @@ -169,10 +169,8 @@ /* remove the escapes */ if (parser->str_first_escape >= 0 && - (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0) { - /* -1 because we skipped the '"' prefix */ - str_unescape(str + parser->str_first_escape-1); - } + (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0) + (void)str_unescape(str); arg->_data.str = str; arg->str_len = strlen(str); 
@@ -258,6 +256,11 @@ break; } + if (data[i] == '\0') { + parser->error = "NULs not allowed in strings"; + return FALSE; + } + if (data[i] == '\\') { if (i+1 == data_size) { /* known data ends with '\' - leave it to ++++++ dovecot-2.3.0-better_ssl_defaults.patch ++++++ --- /var/tmp/diff_new_pack.j75c5r/_old 2019-08-29 17:28:09.107261977 +0200 +++ /var/tmp/diff_new_pack.j75c5r/_new 2019-08-29 17:28:09.107261977 +0200 @@ -1,7 +1,7 @@ -Index: dovecot-2.3.2/doc/example-config/conf.d/10-ssl.conf +Index: dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf =================================================================== ---- dovecot-2.3.2.orig/doc/example-config/conf.d/10-ssl.conf -+++ dovecot-2.3.2/doc/example-config/conf.d/10-ssl.conf +--- dovecot-2.3.7.2.orig/doc/example-config/conf.d/10-ssl.conf ++++ dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf @@ -9,8 +9,8 @@ # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed @@ -13,7 +13,7 @@ # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often -@@ -57,6 +57,7 @@ ssl_key = </etc/ssl/private/dovecot.pem +@@ -60,6 +60,7 @@ ssl_key = </etc/ssl/private/dovecot.pem #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # To disable non-EC DH, use: #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH @@ -21,7 +21,7 @@ # Colon separated list of elliptic curves to use. Empty value (the default) # means use the defaults from the SSL library. P-521:P-384:P-256 would be an -@@ -65,6 +66,7 @@ ssl_key = </etc/ssl/private/dovecot.pem +@@ -68,6 +69,7 @@ ssl_key = </etc/ssl/private/dovecot.pem # Prefer the server's order of ciphers over client's. #ssl_prefer_server_ciphers = no 
@@ -29,16 +29,16 @@ # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = -@@ -73,3 +75,4 @@ ssl_key = </etc/ssl/private/dovecot.pem +@@ -76,3 +78,4 @@ ssl_key = </etc/ssl/private/dovecot.pem # compression - Enable compression. # no_ticket - Disable SSL session tickets. #ssl_options = +ssl_options = no_compression -Index: dovecot-2.3.2/src/lib-master/master-service-ssl-settings.c +Index: dovecot-2.3.7.2/src/lib-master/master-service-ssl-settings.c =================================================================== ---- dovecot-2.3.2.orig/src/lib-master/master-service-ssl-settings.c -+++ dovecot-2.3.2/src/lib-master/master-service-ssl-settings.c -@@ -59,7 +59,7 @@ static const struct master_service_ssl_s +--- dovecot-2.3.7.2.orig/src/lib-master/master-service-ssl-settings.c ++++ dovecot-2.3.7.2/src/lib-master/master-service-ssl-settings.c +@@ -61,7 +61,7 @@ static const struct master_service_ssl_s .ssl_client_cert = "", .ssl_client_key = "", .ssl_dh = "", ++++++ dovecot-2.3.0-dont_use_etc_ssl_certs.patch ++++++ --- /var/tmp/diff_new_pack.j75c5r/_old 2019-08-29 17:28:09.115261975 +0200 +++ /var/tmp/diff_new_pack.j75c5r/_new 2019-08-29 17:28:09.115261975 +0200 @@ -1,7 +1,7 @@ -Index: dovecot-2.3.0.rc1/doc/example-config/conf.d/10-ssl.conf +Index: dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf =================================================================== ---- dovecot-2.3.0.rc1.orig/doc/example-config/conf.d/10-ssl.conf -+++ dovecot-2.3.0.rc1/doc/example-config/conf.d/10-ssl.conf +--- dovecot-2.3.7.2.orig/doc/example-config/conf.d/10-ssl.conf ++++ dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf @@ -9,7 +9,7 @@ # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed 
@@ -11,11 +11,11 @@ ssl_key = </etc/ssl/private/dovecot.pem # If key file is password protected, give the password here. Alternatively -Index: dovecot-2.3.0.rc1/doc/man/doveconf.1.in +Index: dovecot-2.3.7.2/doc/man/doveconf.1.in =================================================================== ---- dovecot-2.3.0.rc1.orig/doc/man/doveconf.1.in -+++ dovecot-2.3.0.rc1/doc/man/doveconf.1.in -@@ -126,7 +126,7 @@ Dump settings in simplified machine pars +--- dovecot-2.3.7.2.orig/doc/man/doveconf.1.in ++++ dovecot-2.3.7.2/doc/man/doveconf.1.in +@@ -132,7 +132,7 @@ Show passwords and other sensitive value .TP .B \-x Expand configuration variables (e.g. \(Domail_plugins \(rA quota) and show @@ -24,17 +24,17 @@ .\"--------------------------------- .TP .I section_name -@@ -207,4 +207,4 @@ dict/quota = pgsql:@pkgsysconfdir@/dovec +@@ -213,4 +213,4 @@ dict/quota = pgsql:@pkgsysconfdir@/dovec .BR doveadm (1), .BR dovecot (1), .BR dovecot\-lda (1), -.BR dsync (1) \ No newline at end of file +.BR dsync (1) -Index: dovecot-2.3.0.rc1/doc/mkcert.sh +Index: dovecot-2.3.7.2/doc/mkcert.sh =================================================================== ---- dovecot-2.3.0.rc1.orig/doc/mkcert.sh -+++ dovecot-2.3.0.rc1/doc/mkcert.sh +--- dovecot-2.3.7.2.orig/doc/mkcert.sh ++++ dovecot-2.3.7.2/doc/mkcert.sh @@ -8,10 +8,10 @@ OPENSSL=${OPENSSL-openssl} SSLDIR=${SSLDIR-/etc/ssl} OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf} @@ -48,10 +48,10 @@ KEYFILE=$KEYDIR/dovecot.pem if [ ! -d $CERTDIR ]; then -Index: dovecot-2.3.0.rc1/doc/wiki/CompilingSource.txt +Index: dovecot-2.3.7.2/doc/wiki/CompilingSource.txt =================================================================== ---- dovecot-2.3.0.rc1.orig/doc/wiki/CompilingSource.txt -+++ dovecot-2.3.0.rc1/doc/wiki/CompilingSource.txt +--- dovecot-2.3.7.2.orig/doc/wiki/CompilingSource.txt ++++ dovecot-2.3.7.2/doc/wiki/CompilingSource.txt 
@@ -142,7 +142,7 @@ non-standard path. Make sure you have th installed, and if it is not in the standard location, set 'CPPFLAGS' and 'LDFLAGS' as shown in <the first section above.> [CompilingSource.txt] @@ -61,10 +61,10 @@ the private key from '/etc/ssl/private/dovecot.pem'. The '/etc/ssl' directory can be changed using the '--with-ssldir=DIR' configure option. Both can of course be overridden from the configuration file. -Index: dovecot-2.3.0.rc1/doc/wiki/SSL.CertificateCreation.txt +Index: dovecot-2.3.7.2/doc/wiki/SSL.CertificateCreation.txt =================================================================== ---- dovecot-2.3.0.rc1.orig/doc/wiki/SSL.CertificateCreation.txt -+++ dovecot-2.3.0.rc1/doc/wiki/SSL.CertificateCreation.txt +--- dovecot-2.3.7.2.orig/doc/wiki/SSL.CertificateCreation.txt ++++ dovecot-2.3.7.2/doc/wiki/SSL.CertificateCreation.txt @@ -39,7 +39,7 @@ CN matches the connected host name, othe invalid. It's also possible to use wildcards (eg. *.domain.com) in the host name. They should work with most clients. @@ -74,11 +74,11 @@ private key file is created to '/etc/ssl/private/dovecot.pem'. Also by default the certificate will expire in 365 days. If you wish to change any of these, modify the mkcert.sh script. -Index: dovecot-2.3.0.rc1/doc/wiki/SSL.DovecotConfiguration.txt +Index: dovecot-2.3.7.2/doc/wiki/SSL.DovecotConfiguration.txt =================================================================== ---- dovecot-2.3.0.rc1.orig/doc/wiki/SSL.DovecotConfiguration.txt -+++ dovecot-2.3.0.rc1/doc/wiki/SSL.DovecotConfiguration.txt -@@ -6,7 +6,7 @@ The most important SSL settings are (in +--- dovecot-2.3.7.2.orig/doc/wiki/SSL.DovecotConfiguration.txt ++++ dovecot-2.3.7.2/doc/wiki/SSL.DovecotConfiguration.txt +@@ -41,7 +41,7 @@ The most important SSL settings are (in ---%<------------------------------------------------------------------------- ssl = yes # Preferred permissions: root:root 0444 
@@ -87,7 +87,7 @@ # Preferred permissions: root:root 0400 ssl_key = </etc/ssl/private/dovecot.pem ---%<------------------------------------------------------------------------- -@@ -35,11 +35,11 @@ override the global setting.: +@@ -73,11 +73,11 @@ override the global setting.: ---%<------------------------------------------------------------------------- protocol imap { @@ -101,7 +101,7 @@ ssl_key = </etc/ssl/private/pop3.pem } ---%<------------------------------------------------------------------------- -@@ -156,11 +156,11 @@ support SNI. +@@ -194,11 +194,11 @@ support SNI. ---%<------------------------------------------------------------------------- local_name imap.example.org { ++++++ dovecot-2.3-pigeonhole-0.5.7.1.tar.gz -> dovecot-2.3.7.2.tar.gz ++++++ /work/SRC/openSUSE:Factory/dovecot23/dovecot-2.3-pigeonhole-0.5.7.1.tar.gz /work/SRC/openSUSE:Factory/.dovecot23.new.7948/dovecot-2.3.7.2.tar.gz differ: char 5, line 1
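Review bot: in the managesieve-parser.c hunk at @@ -169,10 +169,8 @@, the explanatory comment ("-1 because we skipped the '"' prefix") is dropped together with the pointer arithmetic, so a reader of the new code no longer sees why `str_unescape()` is now called on `str` as a whole instead of at `str + parser->str_first_escape-1`; keep a one-line comment stating that starting from the beginning of the buffer is deliberate so the unescape can never begin outside the allocated string (the intent given in commit 4a299840's message), and that `str_first_escape` is now retained only for the `>= 0` guard. The `(void)` cast discards the return value while `arg->str_len = strlen(str)` is recomputed right after; a short comment that the length is taken after unescaping on purpose would save the next reader the same question.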
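Review bot: the NUL rejection added in the @@ -258,6 +256,11 @@ hunk of managesieve-parser.c sets `parser->error = "NULs not allowed in strings"` and returns FALSE, but the ChangeLog lists only `M src/lib-managesieve/managesieve-parser.c` for both commits (7ce9990a and 4a299840) and no test file; a regression test that feeds the parser a quoted string containing a NUL byte and asserts on that error string, rather than on the absence of a crash, would pin the fix in place. Since the new check precedes the `if (data[i] == '\\')` branch, also confirm that the byte consumed after a backslash passes through the same NUL test; the hunk does not show what the escape branch does with `data[i+1]`, and a backslash followed by NUL should be rejected the same way.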
