Fixed crash in auth process when auth-policy was configured and
authentication was aborted/failed without a username set.
- director: If two users had different tags but the same hash,
  the users may have been redirected to the wrong tag's hosts.
- Index files may have been thought incorrectly lost, causing
  "Missing middle file seq=.." to be logged and index rebuild.
  This happened more easily with IMAP hibernation enabled.
- Various fixes to restoring state correctly in un-hibernation.
- dovecot.index files were commonly 4 bytes per email too large. This
  is because 3 bytes per email were being wasted that could have been
  used for IMAP keywords.
- Various fixes to handle dovecot.list.index corruption better.
- lib-fts: Fixed assert-crash in address tokenizer with specific input.
- Fixed assert-crash in HTML to text parsing with specific input
  (e.g. for FTS indexing or snippet generation)
- doveadm sync -1: Fixed handling mailbox GUID conflicts.
- sdbox, mdbox: Perform full index rebuild if corruption is detected
  inside lib-index, which runs index fsck.
- quota: Don't skip quota checks when moving mails between different
  quota roots.
- search: Multiple sequence sets or UID sets in search parameters
  weren't handled correctly. They were incorrectly merged together.
Michal Hlavinka 2016-12-05 10:41:59 +01:00
parent 828b5d8c85
commit 3203a05c7d
6 changed files with 36 additions and 105 deletions

.gitignore vendored

@ -105,3 +105,4 @@ pigeonhole-snap0592366457df.tar.bz2
/dovecot-2.2.25.tar.gz /dovecot-2.2.25.tar.gz
/dovecot-2.2.26.0.tar.gz /dovecot-2.2.26.0.tar.gz
/dovecot-2.2-pigeonhole-0.4.16.tar.gz /dovecot-2.2-pigeonhole-0.4.16.tar.gz
/dovecot-2.2.27.tar.gz

@ -1,8 +1,9 @@
--- dovecot-1.0.rc7/doc/mkcert.sh.mkcert-paths 2006-10-04 11:34:46.000000000 +0200 diff -up dovecot-2.2.27/doc/mkcert.sh.mkcert-paths dovecot-2.2.27/doc/mkcert.sh
+++ dovecot-1.0.rc7/doc/mkcert.sh 2006-10-04 11:35:31.000000000 +0200 --- dovecot-2.2.27/doc/mkcert.sh.mkcert-paths 2016-12-05 10:26:07.913515286 +0100
@@ -4,8 +4,8 @@ +++ dovecot-2.2.27/doc/mkcert.sh 2016-12-05 10:28:25.439634417 +0100
# Edit dovecot-openssl.cnf before running this. @@ -5,8 +5,8 @@
umask 077
OPENSSL=${OPENSSL-openssl} OPENSSL=${OPENSSL-openssl}
-SSLDIR=${SSLDIR-/etc/ssl} -SSLDIR=${SSLDIR-/etc/ssl}
-OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf} -OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

@ -1,28 +0,0 @@
From 1f2c35da2b96905bec6e45f88af0f33ee63789e6 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@dovecot.fi>
Date: Wed, 23 Nov 2016 13:16:19 +0200
Subject: [PATCH] auth: Fix auth-policy crash when username is NULL
If SASL request is invalid, or incomplete, and username
is left NULL, handle it gracefully by adding just
NUL byte in auth policy digest for username.
---
src/auth/auth-policy.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/auth/auth-policy.c b/src/auth/auth-policy.c
index c7faa3c..86b31f1 100755
--- a/src/auth/auth-policy.c
+++ b/src/auth/auth-policy.c
@@ -442,7 +442,10 @@ void auth_policy_create_json(struct policy_lookup_ctx *context,
context->set->policy_hash_nonce,
strlen(context->set->policy_hash_nonce));
/* use +1 to make sure \0 gets included */
- digest->loop(ctx, context->request->user, strlen(context->request->user) + 1);
+ if (context->request->user == NULL)
+ digest->loop(ctx, "\0", 1);
+ else
+ digest->loop(ctx, context->request->user, strlen(context->request->user) + 1);
if (password != NULL)
digest->loop(ctx, password, strlen(password));
ptr = (unsigned char*)str_c_modifiable(buffer);
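Review bot: the NULL branch at `digest->loop(ctx, "\0", 1);` feeds the same single NUL byte that an empty username produces through the `strlen(context->request->user) + 1` path, so a request with no username and a request with an empty username end up with the same policy digest. If that is intended, extend the "use +1" comment to say so. Passing `""` with length 1 would also state the one-byte intent more plainly than the two-byte literal `"\0"`.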

@ -1,64 +0,0 @@
From 2c3f37672277b1f73f84722802aaa0ab1ab3e413 Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@dovecot.fi>
Date: Wed, 23 Nov 2016 15:57:03 +0200
Subject: [PATCH] auth: Don't crash expanding %variables when username isn't
set.
This continues the auth-policy fix in
c3d3faa4f72a676e183f34be960cff13a5a725ae
---
src/auth/auth-request-var-expand.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/auth/auth-request-var-expand.c b/src/auth/auth-request-var-expand.c
index 4f256c0..a04a4d9 100644
--- a/src/auth/auth-request-var-expand.c
+++ b/src/auth/auth-request-var-expand.c
@@ -72,7 +72,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
const unsigned int auth_count =
N_ELEMENTS(auth_request_var_expand_static_tab);
struct var_expand_table *tab, *ret_tab;
- const char *orig_user, *auth_user;
+ const char *orig_user, *auth_user, *username;
if (escape_func == NULL)
escape_func = escape_none;
@@ -87,10 +87,11 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
memcpy(tab, auth_request_var_expand_static_tab,
auth_count * sizeof(*tab));
- tab[0].value = escape_func(auth_request->user, auth_request);
- tab[1].value = escape_func(t_strcut(auth_request->user, '@'),
+ username = auth_request->user != NULL ? auth_request->user : "";
+ tab[0].value = escape_func(username, auth_request);
+ tab[1].value = escape_func(t_strcut(username, '@'),
auth_request);
- tab[2].value = strchr(auth_request->user, '@');
+ tab[2].value = strchr(username, '@');
if (tab[2].value != NULL)
tab[2].value = escape_func(tab[2].value+1, auth_request);
tab[3].value = escape_func(auth_request->service, auth_request);
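Review bot: after `username = auth_request->user != NULL ? auth_request->user : "";` the table is inconsistent for a request with no username: `tab[0].value` and `tab[1].value` become an escaped empty string, while `tab[2].value` stays NULL because `strchr(username, '@')` finds nothing. Add a comment at the assignment saying that a missing username is expanded as an empty string, so that anyone reading the table later knows the first two entries can no longer be used to detect an unset user.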
@@ -138,12 +139,12 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
tab[20].value = net_ip2addr(&auth_request->real_remote_ip);
tab[21].value = dec2str(auth_request->real_local_port);
tab[22].value = dec2str(auth_request->real_remote_port);
- tab[23].value = strchr(auth_request->user, '@');
+ tab[23].value = strchr(username, '@');
if (tab[23].value != NULL) {
tab[23].value = escape_func(t_strcut(tab[23].value+1, '@'),
auth_request);
}
- tab[24].value = strrchr(auth_request->user, '@');
+ tab[24].value = strrchr(username, '@');
if (tab[24].value != NULL)
tab[24].value = escape_func(tab[24].value+1, auth_request);
tab[25].value = auth_request->master_user == NULL ? NULL :
@@ -152,7 +153,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
dec2str(auth_request->session_pid);
orig_user = auth_request->original_username != NULL ?
- auth_request->original_username : auth_request->user;
+ auth_request->original_username : username;
tab[27].value = escape_func(orig_user, auth_request);
tab[28].value = escape_func(t_strcut(orig_user, '@'), auth_request);
tab[29].value = strchr(orig_user, '@');

@ -3,9 +3,9 @@
Summary: Secure imap and pop3 server Summary: Secure imap and pop3 server
Name: dovecot Name: dovecot
Epoch: 1 Epoch: 1
Version: 2.2.26.0 Version: 2.2.27
%global prever %{nil} %global prever %{nil}
Release: 2%{?dist} Release: 1%{?dist}
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
License: MIT and LGPLv2 License: MIT and LGPLv2
Group: System Environment/Daemons Group: System Environment/Daemons
@ -34,10 +34,6 @@ Patch7: dovecot-2.2.13-online.patch
Patch8: dovecot-2.2.20-initbysystemd.patch Patch8: dovecot-2.2.20-initbysystemd.patch
Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
# 2x from upstream, for dovecot < 2.2.27, rhbz#1401025
Patch10: dovecot-2.2.26-CVE-2016-8652a.patch
Patch11: dovecot-2.2.26-CVE-2016-8652b.patch
Source15: prestartscript Source15: prestartscript
BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
@ -133,8 +129,6 @@ This package provides the development files for dovecot.
%patch7 -p1 -b .online %patch7 -p1 -b .online
%patch8 -p1 -b .initbysystemd %patch8 -p1 -b .initbysystemd
%patch9 -p1 -b .systemd_w_protectsystem %patch9 -p1 -b .systemd_w_protectsystem
%patch10 -p1 -b .CVE-2016-8652a
%patch11 -p1 -b .CVE-2016-8652b
#pushd dovecot-2*2-pigeonhole-%{pigeonholever} #pushd dovecot-2*2-pigeonhole-%{pigeonholever}
#popd #popd
sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
@ -146,6 +140,7 @@ export CFLAGS="%{__global_cflags} -fno-strict-aliasing"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
# el6 autoconf too old to regen; use packaged files (#1082384) # el6 autoconf too old to regen; use packaged files (#1082384)
%if %{?fedora}00%{?rhel} > 6 %if %{?fedora}00%{?rhel} > 6
mkdir -p m4
autoreconf -I . -fiv #required for aarch64 support autoreconf -I . -fiv #required for aarch64 support
%endif %endif
%configure \ %configure \
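Review bot: the added `mkdir -p m4` ahead of `autoreconf -I . -fiv` carries no explanation, while the lines around it each say why they exist (`#required for aarch64 support`, the el6 autoconf note). Add a short comment stating why the directory has to be created for 2.2.27, so the line can be dropped again once it is no longer needed.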
@ -424,6 +419,8 @@ make check
%{_libdir}/dovecot/libdriver_sqlite.so %{_libdir}/dovecot/libdriver_sqlite.so
%{_libdir}/dovecot/libssl_iostream_openssl.so %{_libdir}/dovecot/libssl_iostream_openssl.so
%{_libdir}/dovecot/libfs_compress.so %{_libdir}/dovecot/libfs_compress.so
%{_libdir}/dovecot/libfs_crypt.so
%{_libdir}/dovecot/libfs_mail_crypt.so
%{_libdir}/dovecot/libdcrypt_openssl.so %{_libdir}/dovecot/libdcrypt_openssl.so
%dir %{_libdir}/dovecot/settings %dir %{_libdir}/dovecot/settings
@ -487,6 +484,30 @@ make check
%{_libdir}/%{name}/dict/libdriver_pgsql.so %{_libdir}/%{name}/dict/libdriver_pgsql.so
%changelog %changelog
* Mon Dec 05 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.27-1
- Fixed crash in auth process when auth-policy was configured and
authentication was aborted/failed without a username set.
- director: If two users had different tags but the same hash,
the users may have been redirected to the wrong tag's hosts.
- Index files may have been thought incorrectly lost, causing
"Missing middle file seq=.." to be logged and index rebuild.
This happened more easily with IMAP hibernation enabled.
- Various fixes to restoring state correctly in un-hibernation.
- dovecot.index files were commonly 4 bytes per email too large. This
is because 3 bytes per email were being wasted that could have been
used for IMAP keywords.
- Various fixes to handle dovecot.list.index corruption better.
- lib-fts: Fixed assert-crash in address tokenizer with specific input.
- Fixed assert-crash in HTML to text parsing with specific input
(e.g. for FTS indexing or snippet generation)
- doveadm sync -1: Fixed handling mailbox GUID conflicts.
- sdbox, mdbox: Perform full index rebuild if corruption is detected
inside lib-index, which runs index fsck.
- quota: Don't skip quota checks when moving mails between different
quota roots.
- search: Multiple sequence sets or UID sets in search parameters
weren't handled correctly. They were incorrectly merged together.
* Fri Dec 02 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.26.0-2 * Fri Dec 02 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.26.0-2
- fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025) - fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025)
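Review bot: the new `1:2.2.27-1` entry repeats the upstream release notes but records none of the packaging changes made in this commit: the removal of the two CVE-2016-8652 patches, the added `mkdir -p m4`, and the new `libfs_crypt.so` and `libfs_mail_crypt.so` entries in the file list. At minimum add a line saying that the CVE-2016-8652 patches were dropped because the fix is part of 2.2.27, so the changelog still shows where that fix lives after `Patch10` and `Patch11` are gone.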

@ -1,2 +1,2 @@
85bc42328de41d1eb8d6d3f1db666db8 dovecot-2.2.26.0.tar.gz 20133518f5bc0e64dd07ce55b83df2fb dovecot-2.2.27.tar.gz
e03eed707b39cffc4b2a82867de45d9c dovecot-2.2-pigeonhole-0.4.16.tar.gz e03eed707b39cffc4b2a82867de45d9c dovecot-2.2-pigeonhole-0.4.16.tar.gz
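Review bot: the replacement entry for `dovecot-2.2.27.tar.gz` is a 32-hex-digit MD5 value, which catches a corrupted download but is not a sound basis for trusting the tarball contents. Before uploading the new source, check the tarball against a signature or stronger digest published by upstream, and note in the commit message that this was done.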