fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025)
This commit is contained in:
parent
621a521183
commit
828b5d8c85
28
dovecot-2.2.26-CVE-2016-8652a.patch
Normal file
28
dovecot-2.2.26-CVE-2016-8652a.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
From 1f2c35da2b96905bec6e45f88af0f33ee63789e6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Aki Tuomi <aki.tuomi@dovecot.fi>
|
||||||
|
Date: Wed, 23 Nov 2016 13:16:19 +0200
|
||||||
|
Subject: [PATCH] auth: Fix auth-policy crash when username is NULL
|
||||||
|
|
||||||
|
If SASL request is invalid, or incomplete, and username
|
||||||
|
is left NULL, handle it gracefully by adding just
|
||||||
|
NUL byte in auth policy digest for username.
|
||||||
|
---
|
||||||
|
src/auth/auth-policy.c | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/auth/auth-policy.c b/src/auth/auth-policy.c
|
||||||
|
index c7faa3c..86b31f1 100755
|
||||||
|
--- a/src/auth/auth-policy.c
|
||||||
|
+++ b/src/auth/auth-policy.c
|
||||||
|
@@ -442,7 +442,10 @@ void auth_policy_create_json(struct policy_lookup_ctx *context,
|
||||||
|
context->set->policy_hash_nonce,
|
||||||
|
strlen(context->set->policy_hash_nonce));
|
||||||
|
/* use +1 to make sure \0 gets included */
|
||||||
|
- digest->loop(ctx, context->request->user, strlen(context->request->user) + 1);
|
||||||
|
+ if (context->request->user == NULL)
|
||||||
|
+ digest->loop(ctx, "\0", 1);
|
||||||
|
+ else
|
||||||
|
+ digest->loop(ctx, context->request->user, strlen(context->request->user) + 1);
|
||||||
|
if (password != NULL)
|
||||||
|
digest->loop(ctx, password, strlen(password));
|
||||||
|
ptr = (unsigned char*)str_c_modifiable(buffer);
|
64
dovecot-2.2.26-CVE-2016-8652b.patch
Normal file
64
dovecot-2.2.26-CVE-2016-8652b.patch
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
From 2c3f37672277b1f73f84722802aaa0ab1ab3e413 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Timo Sirainen <timo.sirainen@dovecot.fi>
|
||||||
|
Date: Wed, 23 Nov 2016 15:57:03 +0200
|
||||||
|
Subject: [PATCH] auth: Don't crash expanding %variables when username isn't
|
||||||
|
set.
|
||||||
|
|
||||||
|
This continues the auth-policy fix in
|
||||||
|
c3d3faa4f72a676e183f34be960cff13a5a725ae
|
||||||
|
---
|
||||||
|
src/auth/auth-request-var-expand.c | 15 ++++++++-------
|
||||||
|
1 file changed, 8 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/auth/auth-request-var-expand.c b/src/auth/auth-request-var-expand.c
|
||||||
|
index 4f256c0..a04a4d9 100644
|
||||||
|
--- a/src/auth/auth-request-var-expand.c
|
||||||
|
+++ b/src/auth/auth-request-var-expand.c
|
||||||
|
@@ -72,7 +72,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
|
||||||
|
const unsigned int auth_count =
|
||||||
|
N_ELEMENTS(auth_request_var_expand_static_tab);
|
||||||
|
struct var_expand_table *tab, *ret_tab;
|
||||||
|
- const char *orig_user, *auth_user;
|
||||||
|
+ const char *orig_user, *auth_user, *username;
|
||||||
|
|
||||||
|
if (escape_func == NULL)
|
||||||
|
escape_func = escape_none;
|
||||||
|
@@ -87,10 +87,11 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
|
||||||
|
memcpy(tab, auth_request_var_expand_static_tab,
|
||||||
|
auth_count * sizeof(*tab));
|
||||||
|
|
||||||
|
- tab[0].value = escape_func(auth_request->user, auth_request);
|
||||||
|
- tab[1].value = escape_func(t_strcut(auth_request->user, '@'),
|
||||||
|
+ username = auth_request->user != NULL ? auth_request->user : "";
|
||||||
|
+ tab[0].value = escape_func(username, auth_request);
|
||||||
|
+ tab[1].value = escape_func(t_strcut(username, '@'),
|
||||||
|
auth_request);
|
||||||
|
- tab[2].value = strchr(auth_request->user, '@');
|
||||||
|
+ tab[2].value = strchr(username, '@');
|
||||||
|
if (tab[2].value != NULL)
|
||||||
|
tab[2].value = escape_func(tab[2].value+1, auth_request);
|
||||||
|
tab[3].value = escape_func(auth_request->service, auth_request);
|
||||||
|
@@ -138,12 +139,12 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
|
||||||
|
tab[20].value = net_ip2addr(&auth_request->real_remote_ip);
|
||||||
|
tab[21].value = dec2str(auth_request->real_local_port);
|
||||||
|
tab[22].value = dec2str(auth_request->real_remote_port);
|
||||||
|
- tab[23].value = strchr(auth_request->user, '@');
|
||||||
|
+ tab[23].value = strchr(username, '@');
|
||||||
|
if (tab[23].value != NULL) {
|
||||||
|
tab[23].value = escape_func(t_strcut(tab[23].value+1, '@'),
|
||||||
|
auth_request);
|
||||||
|
}
|
||||||
|
- tab[24].value = strrchr(auth_request->user, '@');
|
||||||
|
+ tab[24].value = strrchr(username, '@');
|
||||||
|
if (tab[24].value != NULL)
|
||||||
|
tab[24].value = escape_func(tab[24].value+1, auth_request);
|
||||||
|
tab[25].value = auth_request->master_user == NULL ? NULL :
|
||||||
|
@@ -152,7 +153,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
|
||||||
|
dec2str(auth_request->session_pid);
|
||||||
|
|
||||||
|
orig_user = auth_request->original_username != NULL ?
|
||||||
|
- auth_request->original_username : auth_request->user;
|
||||||
|
+ auth_request->original_username : username;
|
||||||
|
tab[27].value = escape_func(orig_user, auth_request);
|
||||||
|
tab[28].value = escape_func(t_strcut(orig_user, '@'), auth_request);
|
||||||
|
tab[29].value = strchr(orig_user, '@');
|
11
dovecot.spec
11
dovecot.spec
@ -5,7 +5,7 @@ Name: dovecot
|
|||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.2.26.0
|
Version: 2.2.26.0
|
||||||
%global prever %{nil}
|
%global prever %{nil}
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
|
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
|
||||||
License: MIT and LGPLv2
|
License: MIT and LGPLv2
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
@ -34,6 +34,10 @@ Patch7: dovecot-2.2.13-online.patch
|
|||||||
Patch8: dovecot-2.2.20-initbysystemd.patch
|
Patch8: dovecot-2.2.20-initbysystemd.patch
|
||||||
Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
|
Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
|
||||||
|
|
||||||
|
# 2x from upstream, for dovecot < 2.2.27, rhbz#1401025
|
||||||
|
Patch10: dovecot-2.2.26-CVE-2016-8652a.patch
|
||||||
|
Patch11: dovecot-2.2.26-CVE-2016-8652b.patch
|
||||||
|
|
||||||
Source15: prestartscript
|
Source15: prestartscript
|
||||||
|
|
||||||
BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
|
BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
|
||||||
@ -129,6 +133,8 @@ This package provides the development files for dovecot.
|
|||||||
%patch7 -p1 -b .online
|
%patch7 -p1 -b .online
|
||||||
%patch8 -p1 -b .initbysystemd
|
%patch8 -p1 -b .initbysystemd
|
||||||
%patch9 -p1 -b .systemd_w_protectsystem
|
%patch9 -p1 -b .systemd_w_protectsystem
|
||||||
|
%patch10 -p1 -b .CVE-2016-8652a
|
||||||
|
%patch11 -p1 -b .CVE-2016-8652b
|
||||||
#pushd dovecot-2*2-pigeonhole-%{pigeonholever}
|
#pushd dovecot-2*2-pigeonhole-%{pigeonholever}
|
||||||
#popd
|
#popd
|
||||||
sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
|
sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
|
||||||
@ -481,6 +487,9 @@ make check
|
|||||||
%{_libdir}/%{name}/dict/libdriver_pgsql.so
|
%{_libdir}/%{name}/dict/libdriver_pgsql.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Dec 02 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.26.0-2
|
||||||
|
- fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025)
|
||||||
|
|
||||||
* Mon Oct 31 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.26.0-1
|
* Mon Oct 31 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.26.0-1
|
||||||
- dovecot updated to 2.2.26.0, pigeonhole updated to 0.4.16
|
- dovecot updated to 2.2.26.0, pigeonhole updated to 0.4.16
|
||||||
- master process's listener socket was leaked to all child processes.
|
- master process's listener socket was leaked to all child processes.
|
||||||
|
Loading…
Reference in New Issue
Block a user