fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025)

dovecot-2.2.26-CVE-2016-8652a.patch

@@ -0,0 +1,28 @@
+From 1f2c35da2b96905bec6e45f88af0f33ee63789e6 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@dovecot.fi>
+Date: Wed, 23 Nov 2016 13:16:19 +0200
+Subject: [PATCH] auth: Fix auth-policy crash when username is NULL
+
+If SASL request is invalid, or incomplete, and username
+is left NULL, handle it gracefully by adding just
+NUL byte in auth policy digest for username.
+---
+ src/auth/auth-policy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/auth/auth-policy.c b/src/auth/auth-policy.c
+index c7faa3c..86b31f1 100755
+--- a/src/auth/auth-policy.c
++++ b/src/auth/auth-policy.c
+@@ -442,7 +442,10 @@ void auth_policy_create_json(struct policy_lookup_ctx *context,
+ 		context->set->policy_hash_nonce,
+ 		strlen(context->set->policy_hash_nonce));
+ 	/* use +1 to make sure \0 gets included */
+-	digest->loop(ctx, context->request->user, strlen(context->request->user) + 1);
++	if (context->request->user == NULL)
++		digest->loop(ctx, "\0", 1);
++	else
++		digest->loop(ctx, context->request->user, strlen(context->request->user) + 1);
+ 	if (password != NULL)
+ 		digest->loop(ctx, password, strlen(password));
+ 	ptr = (unsigned char*)str_c_modifiable(buffer);

dovecot-2.2.26-CVE-2016-8652b.patch

@@ -0,0 +1,64 @@
+From 2c3f37672277b1f73f84722802aaa0ab1ab3e413 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@dovecot.fi>
+Date: Wed, 23 Nov 2016 15:57:03 +0200
+Subject: [PATCH] auth: Don't crash expanding %variables when username isn't
+ set.
+
+This continues the auth-policy fix in
+c3d3faa4f72a676e183f34be960cff13a5a725ae
+---
+ src/auth/auth-request-var-expand.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/auth/auth-request-var-expand.c b/src/auth/auth-request-var-expand.c
+index 4f256c0..a04a4d9 100644
+--- a/src/auth/auth-request-var-expand.c
++++ b/src/auth/auth-request-var-expand.c
+@@ -72,7 +72,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
+ 	const unsigned int auth_count =
+ 		N_ELEMENTS(auth_request_var_expand_static_tab);
+ 	struct var_expand_table *tab, *ret_tab;
+-	const char *orig_user, *auth_user;
++	const char *orig_user, *auth_user, *username;
+ 
+ 	if (escape_func == NULL)
+ 		escape_func = escape_none;
+@@ -87,10 +87,11 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
+ 	memcpy(tab, auth_request_var_expand_static_tab,
+ 	       auth_count * sizeof(*tab));
+ 
+-	tab[0].value = escape_func(auth_request->user, auth_request);
+-	tab[1].value = escape_func(t_strcut(auth_request->user, '@'),
++	username = auth_request->user != NULL ? auth_request->user : "";
++	tab[0].value = escape_func(username, auth_request);
++	tab[1].value = escape_func(t_strcut(username, '@'),
+ 				   auth_request);
+-	tab[2].value = strchr(auth_request->user, '@');
++	tab[2].value = strchr(username, '@');
+ 	if (tab[2].value != NULL)
+ 		tab[2].value = escape_func(tab[2].value+1, auth_request);
+ 	tab[3].value = escape_func(auth_request->service, auth_request);
+@@ -138,12 +139,12 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
+ 		tab[20].value = net_ip2addr(&auth_request->real_remote_ip);
+ 	tab[21].value = dec2str(auth_request->real_local_port);
+ 	tab[22].value = dec2str(auth_request->real_remote_port);
+-	tab[23].value = strchr(auth_request->user, '@');
++	tab[23].value = strchr(username, '@');
+ 	if (tab[23].value != NULL) {
+ 		tab[23].value = escape_func(t_strcut(tab[23].value+1, '@'),
+ 					    auth_request);
+ 	}
+-	tab[24].value = strrchr(auth_request->user, '@');
++	tab[24].value = strrchr(username, '@');
+ 	if (tab[24].value != NULL)
+ 		tab[24].value = escape_func(tab[24].value+1, auth_request);
+ 	tab[25].value = auth_request->master_user == NULL ? NULL :
+@@ -152,7 +153,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
+ 		dec2str(auth_request->session_pid);
+ 
+ 	orig_user = auth_request->original_username != NULL ?
+-		auth_request->original_username : auth_request->user;
++		auth_request->original_username : username;
+ 	tab[27].value = escape_func(orig_user, auth_request);
+ 	tab[28].value = escape_func(t_strcut(orig_user, '@'), auth_request);
+ 	tab[29].value = strchr(orig_user, '@');

dovecot.spec

@@ -5,7 +5,7 @@ Name: dovecot
 Epoch: 1
 Version: 2.2.26.0
 %global prever %{nil}
-Release: 1%{?dist}
+Release: 2%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 Group: System Environment/Daemons
@@ -34,6 +34,10 @@ Patch7: dovecot-2.2.13-online.patch
 Patch8: dovecot-2.2.20-initbysystemd.patch
 Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
 
+# 2x from upstream, for dovecot < 2.2.27, rhbz#1401025
+Patch10: dovecot-2.2.26-CVE-2016-8652a.patch
+Patch11: dovecot-2.2.26-CVE-2016-8652b.patch
+
 Source15: prestartscript
 
 BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
@@ -129,6 +133,8 @@ This package provides the development files for dovecot.
 %patch7 -p1 -b .online
 %patch8 -p1 -b .initbysystemd
 %patch9 -p1 -b .systemd_w_protectsystem
+%patch10 -p1 -b .CVE-2016-8652a
+%patch11 -p1 -b .CVE-2016-8652b
 #pushd dovecot-2*2-pigeonhole-%{pigeonholever}
 #popd
 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
@@ -481,6 +487,9 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Fri Dec 02 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.26.0-2
+- fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025)
+
 * Mon Oct 31 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.26.0-1
 - dovecot updated to 2.2.26.0, pigeonhole updated to 0.4.16
 - master process's listener socket was leaked to all child processes.