import dovecot-2.3.8-3.el8

2020-07-28 07:51:16 -04:00 · 2020-07-28 07:51:16 -04:00 · 21c7747e42
parent 78a48395b6
commit 21c7747e42
3 changed files with 1230 additions and 2 deletions
--- a/SOURCES/dovecot-2.3.10-CVE_2020_10957,10958,10967.patch
+++ b/SOURCES/dovecot-2.3.10-CVE_2020_10957,10958,10967.patch
--- a/SOURCES/dovecot-2.3.10-smtppre.patch
+++ b/SOURCES/dovecot-2.3.10-smtppre.patch
@ -0,0 +1,121 @@
+diff -up dovecot-2.3.8/src/lib-smtp/smtp-address.c.smtppre dovecot-2.3.8/src/lib-smtp/smtp-address.c
+--- dovecot-2.3.8/src/lib-smtp/smtp-address.c.smtppre	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib-smtp/smtp-address.c	2020-05-29 19:11:19.340621409 +0200
+@@ -467,7 +467,7 @@ void smtp_address_detail_parse(pool_t po
+ 		*detail_r = p+1;
+ 	}
+ 
+-	if (address->domain == NULL)
+	if (address->domain == NULL || *address->domain == '\0')
+ 		*username_r = user;
+ 	else if (strchr(user, '@') == NULL ) {
+ 		/* username is just glued to the domain... no SMTP escaping */
+@@ -548,7 +548,7 @@ void smtp_address_write(string_t *out,
+ 	if (quoted)
+ 		str_append_c(out, '\"');
+ 
+-	if (address->domain == NULL)
+	if (address->domain == NULL || *address->domain == '\0')
+ 		return;
+ 
+ 	str_append_c(out, '@');
+@@ -587,8 +587,12 @@ void smtp_address_init(struct smtp_addre
+ 	const char *localpart, const char *domain)
+ {
+ 	i_zero(address);
+	if (localpart == NULL || *localpart == '\0')
+		return;
+
+ 	address->localpart = localpart;
+-	address->domain = (localpart == NULL ? NULL : domain);
+	if (domain != NULL && *domain != '\0')
+		address->domain = domain;
+ }
+ 
+ int smtp_address_init_from_msg(struct smtp_address *address,
+@@ -597,7 +601,7 @@ int smtp_address_init_from_msg(struct sm
+ 	const char *p;
+ 
+ 	i_zero(address);
+-	if (msg_addr->mailbox == NULL)
+	if (msg_addr->mailbox == NULL || *msg_addr->mailbox == '\0')
+ 		return 0;
+ 
+ 	/* The message_address_parse() function allows UTF-8 codepoints in
+@@ -609,7 +613,8 @@ int smtp_address_init_from_msg(struct sm
+ 	}
+ 
+ 	address->localpart = msg_addr->mailbox;
+-	address->domain = msg_addr->domain;
+	if (msg_addr->domain != NULL && *msg_addr->domain != '\0')
+		address->domain = msg_addr->domain;
+ 	return 0;
+ }
+ 
+@@ -617,8 +622,8 @@ struct smtp_address *
+ smtp_address_clone(pool_t pool, const struct smtp_address *src)
+ {
+ 	struct smtp_address *new;
+-	size_t size, lpsize, dsize = 0;
+-	char *data, *localpart, *domain = NULL;
+	size_t size, lpsize = 0, dsize = 0;
+	char *data, *localpart = NULL, *domain = NULL;
+ 
+ 	if (smtp_address_isnull(src))
+ 		return NULL;
+@@ -626,17 +631,21 @@ smtp_address_clone(pool_t pool, const st
+ 	/* @UNSAFE */
+ 
+ 	size = sizeof(struct smtp_address);
+-	lpsize = strlen(src->localpart) + 1;
+-	size = MALLOC_ADD(size, lpsize);
+-	if (src->domain != NULL) {
+	if (src->localpart != NULL && *src->localpart != '\0') {
+		lpsize = strlen(src->localpart) + 1;
+		size = MALLOC_ADD(size, lpsize);
+	}
+	if (src->domain != NULL && *src->domain != '\0') {
+ 		dsize = strlen(src->domain) + 1;
+ 		size = MALLOC_ADD(size, dsize);
+ 	}
+ 
+ 	data = p_malloc(pool, size);
+ 	new = (struct smtp_address *)data;
+-	localpart = PTR_OFFSET(data, sizeof(*new));
+-	memcpy(localpart, src->localpart, lpsize);
+	if (lpsize > 0) {
+		localpart = PTR_OFFSET(data, sizeof(*new));
+		memcpy(localpart, src->localpart, lpsize);
+	}
+ 	if (dsize > 0) {
+ 		domain = PTR_OFFSET(data, sizeof(*new) + lpsize);
+ 		memcpy(domain, src->domain, dsize);
+@@ -681,8 +690,8 @@ smtp_address_clone_temp(const struct smt
+ 		return NULL;
+ 
+ 	new = t_new(struct smtp_address, 1);
+-	new->localpart = t_strdup(src->localpart);
+-	new->domain = t_strdup(src->domain);
+	new->localpart = t_strdup_empty(src->localpart);
+	new->domain = t_strdup_empty(src->domain);
+ 	return new;
+ }
+ 
+@@ -720,7 +729,7 @@ smtp_address_add_detail(pool_t pool, con
+ 	new_addr = p_new(pool, struct smtp_address, 1);
+ 	new_addr->localpart = p_strconcat(pool,
+ 		address->localpart, delim, detail, NULL);
+-	new_addr->domain = p_strdup(pool, address->domain);
+	new_addr->domain = p_strdup_empty(pool, address->domain);
+ 
+ 	return new_addr;
+ }
+@@ -737,7 +746,7 @@ smtp_address_add_detail_temp(const struc
+ 	new_addr = t_new(struct smtp_address, 1);
+ 	new_addr->localpart = t_strconcat(
+ 		address->localpart, delim, detail, NULL);
+-	new_addr->domain = t_strdup(address->domain);
+	new_addr->domain = t_strdup_empty(address->domain);
+ 
+ 	return new_addr;
+ }
--- a/SPECS/dovecot.spec
+++ b/SPECS/dovecot.spec
@ -5,7 +5,7 @@ Name: dovecot
 Epoch: 1
 Version: 2.3.8
 %global prever %{nil}
-Release: 1%{?dist}
+Release: 3%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 Group: System Environment/Daemons
@ -44,6 +44,10 @@ Patch13: dovecot-2.2.36-bigkey.patch
 # hard to break circular dependency between lib and lib-dcrypt
 Patch14: dovecot-2.3.6-opensslhmac.patch

+# from upstream, for dovecot < 2.3.10.1
+Patch15: dovecot-2.3.10-smtppre.patch
+Patch16: dovecot-2.3.10-CVE_2020_10957,10958,10967.patch
+
 Source15: prestartscript

 BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
@ -148,6 +152,8 @@ This package provides the development files for dovecot.
 %patch11 -p1 -b .aclfix
 %patch13 -p1 -b .bigkey
 %patch14 -p1 -b .opensslhmac
+%patch15 -p1 -b .smtppre
+%patch16 -p1 -b .CVE_2020_10957,10958,10967
 pushd dovecot-2*3-pigeonhole-%{pigeonholever}

 popd
@ -312,7 +318,7 @@ fi
 install -d -m 0755 -g dovecot -d /var/run/dovecot
 install -d -m 0755 -d /var/run/dovecot/empty
 install -d -m 0750 -g dovenull -d /var/run/dovecot/login
-install -d -m 0755 -g dovenull -d /var/run/dovecot/token-login
+install -d -m 0750 -g dovenull -d /var/run/dovecot/token-login
 [ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot ||:

 %preun
@ -449,6 +455,7 @@ make check

 %attr(0755,root,dovecot) %ghost /var/run/dovecot
 %attr(0750,root,dovenull) %ghost /var/run/dovecot/login
+%attr(0750,root,dovenull) %ghost /var/run/dovecot/token-login
 %attr(0755,root,root) %ghost /var/run/dovecot/empty
 %attr(0750,dovecot,dovecot) /var/lib/dovecot

@ -506,6 +513,16 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so

 %changelog
+* Mon Jun 01 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-3
+- fix CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS (#1840354)
+- fix CVE-2020-10958 dovecot: command followed by sufficient number of newlines
+  leads to use-after-free (#1840357)
+- fix CVE-2020-10967 dovecot: sending mail with empty quoted localpart
+  leads to DoS (#1840356)
+
+* Thu Jan 09 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-2
+- fix default attributes for ghost files
+
 * Tue Nov 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
 - dovecot updated to 2.3.8 with pigeonhole updated to 0.5.8 (#1653117)