fix CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process

2015-04-28 15:43:34 +02:00 · 2015-04-28 15:43:34 +02:00 · 51f4fff5f1
commit 51f4fff5f1
parent 907076b191
2 changed files with 70 additions and 1 deletions
--- a/dovecot-2.1.6-86f535375750.patch
+++ b/dovecot-2.1.6-86f535375750.patch
@ -0,0 +1,62 @@
+
+# HG changeset patch
+# User Timo Sirainen <tss@iki.fi>
+# Date 1430213224 -7200
+# Node ID 86f5353757500a8c53aa708282bbdd77ac270011
+# Parent  a2d342257b25e10e7c6c1aaade9e49d22d849c05
+*-login: Don't try to flush SSL output if SSL handshake fails.
+This fixes a crash on failed handshakes on some OpenSSL builds.
+
+diff -r a2d342257b25 -r 86f535375750 src/login-common/ssl-proxy-openssl.c
+--- a/src/login-common/ssl-proxy-openssl.c	Sat Apr 25 12:16:07 2015 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Tue Apr 28 11:27:04 2015 +0200
+@@ -80,6 +80,7 @@
+ 	unsigned int cert_broken:1;
+ 	unsigned int client_proxy:1;
+ 	unsigned int flushing:1;
+	unsigned int failed:1;
+ };
+ 
+ struct ssl_parameters {
+@@ -131,6 +132,12 @@
+ static int ssl_proxy_ctx_get_pkey_ec_curve_name(const struct master_service_ssl_settings *set);
+ #endif
+ 
+static void ssl_proxy_destroy_failed(struct ssl_proxy *proxy)
+{
+	proxy->failed = TRUE;
+	ssl_proxy_destroy(proxy);
+}
+
+ static unsigned int ssl_server_context_hash(const struct ssl_server_context *ctx)
+ {
+ 	unsigned int i, g, h = 0;
+@@ -462,7 +469,7 @@
+ 
+ 	if (errstr != NULL) {
+ 		proxy->last_error = i_strdup(errstr);
+-		ssl_proxy_destroy(proxy);
+		ssl_proxy_destroy_failed(proxy);
+ 	}
+ 	ssl_proxy_unref(proxy);
+ }
+@@ -492,7 +499,7 @@
+ 
+ 	if (proxy->handshake_callback != NULL) {
+ 		if (proxy->handshake_callback(proxy->handshake_context) < 0)
+-			ssl_proxy_destroy(proxy);
+			ssl_proxy_destroy_failed(proxy);
+ 	}
+ }
+ 
+@@ -822,7 +829,8 @@
+ 	if (proxy->destroyed || proxy->flushing)
+ 		return;
+ 	proxy->flushing = TRUE;
+-	ssl_proxy_flush(proxy);
+	if (!proxy->failed && proxy->handshaked)
+		ssl_proxy_flush(proxy);
+ 	proxy->destroyed = TRUE;
+ 
+ 	ssl_proxy_count--;
+
--- a/dovecot.spec
+++ b/dovecot.spec
@ -5,7 +5,7 @@ Name: dovecot
 Epoch: 1
 Version: 2.2.16
 %global prever %{nil}
-Release: 1%{?dist}
+Release: 2%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 Group: System Environment/Daemons
@ -37,6 +37,9 @@ Patch5: dovecot-2.1-privatetmp.patch
 Patch6: dovecot-2.1.10-waitonline.patch
 Patch7: dovecot-2.2.13-online.patch

+# for dovecot <= 2.2.16, rhbz#1216057
+Patch8: dovecot-2.1.6-86f535375750.patch
+
 Source15: prestartscript

 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -133,6 +136,7 @@ This package provides the development files for dovecot.
 %patch5 -p1 -b .privatetmp
 %patch6 -p1 -b .waitonline
 %patch7 -p1 -b .online
+%patch8 -p1 -b .86f535375750
 #pushd dovecot-2*2-pigeonhole-%{pigeonholever}
 #popd
 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
@ -492,6 +496,9 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so

 %changelog
+* Tue Apr 28 2015 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.16-2
+- fix CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process
+
 * Mon Mar 16 2015 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.16-1
 - dovecot updated to 2.2.16
 - auth: Don't crash if master user login is attempted without