diff --git a/.dovecot.metadata b/.dovecot.metadata
deleted file mode 100644
index 99acbac..0000000
--- a/.dovecot.metadata
+++ /dev/null
@@ -1,2 +0,0 @@
-4673c244c6ea73ee3da0bb61d0206a1fe3d0be0e SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz
-b5c598ae8b9901bfabdf2c93271f57cde0bde73e SOURCES/dovecot-2.3.16.tar.gz
diff --git a/.gitignore b/.gitignore
index 465afeb..fb30715 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz
-SOURCES/dovecot-2.3.16.tar.gz
+dovecot-2.3-pigeonhole-0.5.21.tar.gz
+dovecot-2.3.21.tar.gz
diff --git a/SOURCES/dovecot-2.1.10-waitonline.patch b/SOURCES/dovecot-2.1.10-waitonline.patch
deleted file mode 100644
index af3ce19..0000000
--- a/SOURCES/dovecot-2.1.10-waitonline.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up dovecot-2.3.15/dovecot.service.in.waitonline dovecot-2.3.15/dovecot.service.in
---- dovecot-2.3.15/dovecot.service.in.waitonline 2021-06-21 20:19:19.560494654 +0200
-+++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:21:17.443066248 +0200
-@@ -15,6 +15,7 @@ After=local-fs.target network-online.tar
-
- [Service]
- Type=@systemdservicetype@
-+ExecStartPre=/usr/libexec/dovecot/prestartscript
- ExecStart=@sbindir@/dovecot -F
- ExecReload=@bindir@/doveadm reload
- ExecStop=@bindir@/doveadm stop
diff --git a/SOURCES/dovecot-2.2.36-aclfix.patch b/SOURCES/dovecot-2.2.36-aclfix.patch
deleted file mode 100644
index 1288b7b..0000000
--- a/SOURCES/dovecot-2.2.36-aclfix.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c
---- dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix 2018-09-18 15:00:08.778823903 +0200
-+++ dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c 2018-09-18 15:00:08.814823737 +0200
-@@ -161,8 +161,7 @@ acl_backend_vfile_object_init(struct acl
- T_BEGIN {
- if (*name == '\0' ||
- mailbox_list_is_valid_name(_backend->list, name, &error)) {
-- vname = *name == '\0' ? "" :
-- mailbox_list_get_vname(_backend->list, name);
-+ vname = mailbox_list_get_vname(_backend->list, name);
-
- dir = acl_backend_vfile_get_local_dir(_backend, name, vname);
- aclobj->local_path = dir == NULL ? NULL :
diff --git a/SOURCES/dovecot-2.3.16-d7705bc6.patch b/SOURCES/dovecot-2.3.16-d7705bc6.patch
deleted file mode 100644
index 4884806..0000000
--- a/SOURCES/dovecot-2.3.16-d7705bc6.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/src/lib-index/mail-index-sync.c b/src/lib-index/mail-index-sync.c
-index 6322ee1869..c847f1cc01 100644
---- a/src/lib-index/mail-index-sync.c
-+++ b/src/lib-index/mail-index-sync.c
-@@ -544,6 +544,12 @@ static bool mail_index_sync_view_have_any(struct mail_index_view *view,
- return TRUE;
-
- mail_transaction_log_get_head(view->index->log, &log_seq, &log_offset);
-+ if (log_seq < view->map->hdr.log_file_seq ||
-+ ((log_seq == view->map->hdr.log_file_seq &&
-+ log_offset < view->map->hdr.log_file_tail_offset))) {
-+ /* invalid offsets - let the syncing handle the error */
-+ return TRUE;
-+ }
- if (mail_transaction_log_view_set(view->log_view,
- view->map->hdr.log_file_seq,
- view->map->hdr.log_file_tail_offset,
diff --git a/SOURCES/dovecot-2.3.16-ftbfsbigend.patch b/SOURCES/dovecot-2.3.16-ftbfsbigend.patch
deleted file mode 100644
index 762503b..0000000
--- a/SOURCES/dovecot-2.3.16-ftbfsbigend.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-commit ec4595097067a736717ef202fe8542b1b4bc2dd5
-Author: Timo Sirainen
-Date: Tue Aug 10 12:22:08 2021 +0300
-
- lib-index: Fix storing cache fields' last_used with 64bit big endian CPUs
-
-diff --git a/src/lib-index/mail-cache-fields.c b/src/lib-index/mail-cache-fields.c
-index e929fb559d..429e0d234c 100644
---- a/src/lib-index/mail-cache-fields.c
-+++ b/src/lib-index/mail-cache-fields.c
-@@ -524,6 +524,19 @@ static void copy_to_buf_byte(struct mail_cache *cache, buffer_t *dest,
- }
- }
-
-+static void
-+copy_to_buf_last_used(struct mail_cache *cache, buffer_t *dest, bool add_new)
-+{
-+ size_t offset = offsetof(struct mail_cache_field, last_used);
-+#if defined(WORDS_BIGENDIAN) && SIZEOF_VOID_P == 8
-+ /* 64bit time_t with big endian CPUs: copy the last 32 bits instead of
-+ the first 32 bits (that are always 0). The 32 bits are enough until
-+ year 2106, so we're not in a hurry to use 64 bits on disk. */
-+ offset += sizeof(uint32_t);
-+#endif
-+ copy_to_buf(cache, dest, add_new, offset, sizeof(uint32_t));
-+}
-+
- static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
- {
- buffer_t *buffer;
-@@ -536,9 +549,7 @@ static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
-
- buffer = t_buffer_create(256);
-
-- copy_to_buf(cache, buffer, FALSE,
-- offsetof(struct mail_cache_field, last_used),
-- sizeof(uint32_t));
-+ copy_to_buf_last_used(cache, buffer, FALSE);
- ret = mail_cache_write(cache, buffer->data, buffer->used,
- offset + MAIL_CACHE_FIELD_LAST_USED());
- if (ret == 0) {
-@@ -599,9 +610,7 @@ void mail_cache_header_fields_get(struct mail_cache *cache, buffer_t *dest)
- buffer_append(dest, &hdr, sizeof(hdr));
-
- /* we have to keep the field order for the existing fields. */
-- copy_to_buf(cache, dest, TRUE,
-- offsetof(struct mail_cache_field, last_used),
-- sizeof(uint32_t));
-+ copy_to_buf_last_used(cache, dest, TRUE);
- copy_to_buf(cache, dest, TRUE,
- offsetof(struct mail_cache_field, field_size),
- sizeof(uint32_t));
-
diff --git a/SOURCES/dovecot-2.3.16-keeplzma.patch b/SOURCES/dovecot-2.3.16-keeplzma.patch
deleted file mode 100644
index b43c7b8..0000000
--- a/SOURCES/dovecot-2.3.16-keeplzma.patch
+++ /dev/null
@@ -1,353 +0,0 @@
-diff -up dovecot-2.3.16/configure.ac.keeplzma dovecot-2.3.16/configure.ac
---- dovecot-2.3.16/configure.ac.keeplzma 2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/configure.ac 2022-02-28 13:58:02.337149927 +0100
-@@ -173,7 +173,7 @@ AS_HELP_STRING([--with-bzlib], [Build wi
- want_bzlib=auto)
-
- AC_ARG_WITH(lzma,
--AS_HELP_STRING([--with-lzma], [Build with LZMA decompression support (auto)]),
-+AS_HELP_STRING([--with-lzma], [Build with LZMA compression support (auto)]),
- TEST_WITH(lzma, $withval),
- want_lzma=auto)
-
-diff -up dovecot-2.3.16/run-test-valgrind.supp.keeplzma dovecot-2.3.16/run-test-valgrind.supp
---- dovecot-2.3.16/run-test-valgrind.supp.keeplzma 2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/run-test-valgrind.supp 2022-02-28 13:58:02.337149927 +0100
-@@ -5,6 +5,17 @@
- obj:*/bash
- }
- {
-+
-+ Memcheck:Cond
-+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+ fun:lzma_stream_encoder
-+ fun:lzma_easy_encoder
-+}
-+{
-
- Memcheck:Leak
- fun:malloc
-diff -up dovecot-2.3.16/src/lib-compression/compression.c.keeplzma dovecot-2.3.16/src/lib-compression/compression.c
---- dovecot-2.3.16/src/lib-compression/compression.c.keeplzma 2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/compression.c 2022-02-28 14:22:32.467944396 +0100
-@@ -25,6 +25,7 @@
- #endif
- #ifndef HAVE_LZMA
- # define i_stream_create_lzma NULL
-+# define o_stream_create_lzma NULL
- #endif
- #ifndef HAVE_LZ4
- # define i_stream_create_lz4 NULL
-@@ -216,7 +217,7 @@ const struct compression_handler compres
- .ext = ".xz",
- .is_compressed = is_compressed_xz,
- .create_istream = i_stream_create_lzma,
-- .create_ostream = NULL,
-+ .create_ostream = o_stream_create_lzma,
- .get_min_level = compression_get_min_level_unsupported,
- .get_default_level = compression_get_default_level_unsupported,
- .get_max_level = compression_get_max_level_unsupported,
-diff -up dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma dovecot-2.3.16/src/lib-compression/Makefile.am
---- dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma 2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/Makefile.am 2022-02-28 13:58:02.337149927 +0100
-@@ -13,6 +13,7 @@ libcompression_la_SOURCES = \
- istream-zlib.c \
- istream-bzlib.c \
- istream-zstd.c \
-+ ostream-lzma.c \
- ostream-lz4.c \
- ostream-zlib.c \
- ostream-bzlib.c \
-diff -up dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma dovecot-2.3.16/src/lib-compression/ostream-lzma.c
---- dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma 2022-02-28 13:58:02.338149934 +0100
-+++ dovecot-2.3.16/src/lib-compression/ostream-lzma.c 2022-02-28 13:58:02.338149934 +0100
-@@ -0,0 +1,263 @@
-+/* Copyright (c) 2010-2018 Dovecot authors, see the included COPYING file */
-+
-+#include "lib.h"
-+
-+#ifdef HAVE_LZMA
-+
-+#include "ostream-private.h"
-+#include "ostream-zlib.h"
-+#include
-+
-+#define CHUNK_SIZE (1024*64)
-+
-+struct lzma_ostream {
-+ struct ostream_private ostream;
-+ lzma_stream strm;
-+
-+ unsigned char outbuf[CHUNK_SIZE];
-+ unsigned int outbuf_offset, outbuf_used;
-+
-+ bool flushed:1;
-+};
-+
-+static void o_stream_lzma_close(struct iostream_private *stream,
-+ bool close_parent)
-+{
-+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
-+ i_assert(zstream->ostream.finished ||
-+ zstream->ostream.ostream.stream_errno != 0 ||
-+ zstream->ostream.error_handling_disabled);
-+ lzma_end(&zstream->strm);
-+ if (close_parent)
-+ o_stream_close(zstream->ostream.parent);
-+}
-+
-+static int o_stream_zlib_send_outbuf(struct lzma_ostream *zstream)
-+{
-+ ssize_t ret;
-+ size_t size;
-+
-+ if (zstream->outbuf_used == 0)
-+ return 1;
-+
-+ size = zstream->outbuf_used - zstream->outbuf_offset;
-+ i_assert(size > 0);
-+ ret = o_stream_send(zstream->ostream.parent,
-+ zstream->outbuf + zstream->outbuf_offset, size);
-+ if (ret < 0) {
-+ o_stream_copy_error_from_parent(&zstream->ostream);
-+ return -1;
-+ }
-+ if ((size_t)ret != size) {
-+ zstream->outbuf_offset += ret;
-+ return 0;
-+ }
-+ zstream->outbuf_offset = 0;
-+ zstream->outbuf_used = 0;
-+ return 1;
-+}
-+
-+static ssize_t
-+o_stream_lzma_send_chunk(struct lzma_ostream *zstream,
-+ const void *data, size_t size)
-+{
-+ lzma_stream *zs = &zstream->strm;
-+ int ret;
-+
-+ i_assert(zstream->outbuf_used == 0);
-+
-+ zs->next_in = (void *)data;
-+ zs->avail_in = size;
-+ while (zs->avail_in > 0) {
-+ if (zs->avail_out == 0) {
-+ /* previous block was compressed. send it and start
-+ compression for a new block. */
-+ zs->next_out = zstream->outbuf;
-+ zs->avail_out = sizeof(zstream->outbuf);
-+
-+ zstream->outbuf_used = sizeof(zstream->outbuf);
-+ if ((ret = o_stream_zlib_send_outbuf(zstream)) < 0)
-+ return -1;
-+ if (ret == 0) {
-+ /* parent stream's buffer full */
-+ break;
-+ }
-+ }
-+
-+ ret = lzma_code(zs, LZMA_RUN);
-+ switch (ret) {
-+ case LZMA_OK:
-+ break;
-+ case LZMA_MEM_ERROR:
-+ i_fatal_status(FATAL_OUTOFMEM,
-+ "lzma.write(%s): Out of memory",
-+ o_stream_get_name(&zstream->ostream.ostream));
-+ default:
-+ i_panic("lzma.write(%s) failed with unexpected code %d",
-+ o_stream_get_name(&zstream->ostream.ostream), ret);
-+ }
-+ }
-+ size -= zs->avail_in;
-+
-+ return size;
-+}
-+
-+static int o_stream_lzma_send_flush(struct lzma_ostream *zstream, bool final)
-+{
-+ lzma_stream *zs = &zstream->strm;
-+ size_t len;
-+ bool done = FALSE;
-+ int ret;
-+
-+ i_assert(zs->avail_in == 0);
-+
-+ if (zstream->flushed) {
-+ i_assert(zstream->outbuf_used == 0);
-+ return 1;
-+ }
-+
-+ if ((ret = o_stream_flush_parent_if_needed(&zstream->ostream)) <= 0)
-+ return ret;
-+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
-+ return ret;
-+
-+ if (!final)
-+ return 1;
-+
-+ i_assert(zstream->outbuf_used == 0);
-+ do {
-+ len = sizeof(zstream->outbuf) - zs->avail_out;
-+ if (len != 0) {
-+ zs->next_out = zstream->outbuf;
-+ zs->avail_out = sizeof(zstream->outbuf);
-+
-+ zstream->outbuf_used = len;
-+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
-+ return ret;
-+ if (done)
-+ break;
-+ }
-+ ret = lzma_code(zs, LZMA_FINISH);
-+ switch (ret) {
-+ case LZMA_OK:
-+ /* still unfinished - need to call lzma_code() again */
-+ break;
-+ case LZMA_STREAM_END:
-+ /* output is fully finished */
-+ done = TRUE;
-+ break;
-+ case LZMA_MEM_ERROR:
-+ i_fatal_status(FATAL_OUTOFMEM,
-+ "lzma.write(%s): Out of memory",
-+ o_stream_get_name(&zstream->ostream.ostream));
-+ default:
-+ i_panic("lzma.write(%s) flush failed with unexpected code %d",
-+ o_stream_get_name(&zstream->ostream.ostream), ret);
-+ }
-+ } while (zs->avail_out != sizeof(zstream->outbuf));
-+
-+ if (final)
-+ zstream->flushed = TRUE;
-+ i_assert(zstream->outbuf_used == 0);
-+ return 1;
-+}
-+
-+static int o_stream_lzma_flush(struct ostream_private *stream)
-+{
-+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
-+ int ret;
-+
-+ if ((ret = o_stream_lzma_send_flush(zstream, stream->finished)) < 0)
-+ return -1;
-+ else if (ret > 0)
-+ return o_stream_flush_parent(stream);
-+ return ret;
-+}
-+
-+static size_t
-+o_stream_lzma_get_buffer_used_size(const struct ostream_private *stream)
-+{
-+ const struct lzma_ostream *zstream =
-+ (const struct lzma_ostream *)stream;
-+
-+ /* outbuf has already compressed data that we're trying to send to the
-+ parent stream. We're not including lzma's internal compression
-+ buffer size. */
-+ return (zstream->outbuf_used - zstream->outbuf_offset) +
-+ o_stream_get_buffer_used_size(stream->parent);
-+}
-+
-+static size_t
-+o_stream_lzma_get_buffer_avail_size(const struct ostream_private *stream)
-+{
-+ /* FIXME: not correct - this is counting compressed size, which may be
-+ too larger than uncompressed size in some situations. Fixing would
-+ require some kind of additional buffering. */
-+ return o_stream_get_buffer_avail_size(stream->parent);
-+}
-+
-+static ssize_t
-+o_stream_lzma_sendv(struct ostream_private *stream,
-+ const struct const_iovec *iov, unsigned int iov_count)
-+{
-+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
-+ ssize_t ret, bytes = 0;
-+ unsigned int i;
-+
-+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0) {
-+ /* error / we still couldn't flush existing data to
-+ parent stream. */
-+ return ret;
-+ }
-+
-+ for (i = 0; i < iov_count; i++) {
-+ ret = o_stream_lzma_send_chunk(zstream, iov[i].iov_base,
-+ iov[i].iov_len);
-+ if (ret < 0)
-+ return -1;
-+ bytes += ret;
-+ if ((size_t)ret != iov[i].iov_len)
-+ break;
-+ }
-+ stream->ostream.offset += bytes;
-+
-+ /* avail_in!=0 check is used to detect errors. if it's non-zero here
-+ it simply means we didn't send all the data */
-+ zstream->strm.avail_in = 0;
-+ return bytes;
-+}
-+
-+struct ostream *o_stream_create_lzma(struct ostream *output, int level)
-+{
-+ struct lzma_ostream *zstream;
-+ lzma_ret ret;
-+
-+ i_assert(level >= 1 && level <= 9);
-+
-+ zstream = i_new(struct lzma_ostream, 1);
-+ zstream->ostream.sendv = o_stream_lzma_sendv;
-+ zstream->ostream.flush = o_stream_lzma_flush;
-+ zstream->ostream.get_buffer_used_size =
-+ o_stream_lzma_get_buffer_used_size;
-+ zstream->ostream.get_buffer_avail_size =
-+ o_stream_lzma_get_buffer_avail_size;
-+ zstream->ostream.iostream.close = o_stream_lzma_close;
-+
-+ ret = lzma_easy_encoder(&zstream->strm, level, LZMA_CHECK_CRC64);
-+ switch (ret) {
-+ case LZMA_OK:
-+ break;
-+ case LZMA_MEM_ERROR:
-+ i_fatal_status(FATAL_OUTOFMEM, "lzma: Out of memory");
-+ case LZMA_OPTIONS_ERROR:
-+ i_fatal("lzma: Invalid level");
-+ default:
-+ i_fatal("lzma_easy_encoder() failed with %d", ret);
-+ }
-+
-+ zstream->strm.next_out = zstream->outbuf;
-+ zstream->strm.avail_out = sizeof(zstream->outbuf);
-+ return o_stream_create(&zstream->ostream, output,
-+ o_stream_get_fd(output));
-+}
-+#endif
-diff -up dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma dovecot-2.3.16/src/lib-compression/ostream-zlib.h
---- dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma 2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/ostream-zlib.h 2022-02-28 13:58:02.338149934 +0100
-@@ -4,6 +4,7 @@
- struct ostream *o_stream_create_gz(struct ostream *output, int level);
- struct ostream *o_stream_create_deflate(struct ostream *output, int level);
- struct ostream *o_stream_create_bz2(struct ostream *output, int level);
-+struct ostream *o_stream_create_lzma(struct ostream *output, int level);
- struct ostream *o_stream_create_lz4(struct ostream *output, int level);
- struct ostream *o_stream_create_zstd(struct ostream *output, int level);
-
-diff -up dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma dovecot-2.3.16/src/lib-compression/test-compression.c
---- dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma 2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/test-compression.c 2022-02-28 13:58:02.338149934 +0100
-@@ -730,7 +730,6 @@ static void test_compression_int(bool au
-
- for (i = 0; compression_handlers[i].name != NULL; i++) {
- if (compression_handlers[i].create_istream != NULL &&
-- compression_handlers[i].create_ostream != NULL &&
- (!autodetect ||
- compression_handlers[i].is_compressed != NULL)) T_BEGIN {
- if (compression_handlers[i].is_compressed != NULL &&
diff --git a/SOURCES/dovecot-2.3.18-9f300239..4596d399.patch b/SOURCES/dovecot-2.3.18-9f300239..4596d399.patch
deleted file mode 100644
index 18bd47d..0000000
--- a/SOURCES/dovecot-2.3.18-9f300239..4596d399.patch
+++ /dev/null
@@ -1,578 +0,0 @@
-From 9f3002393fe1c1fe317121d03591569dac120739 Mon Sep 17 00:00:00 2001
-From: Stephan Bosch
-Date: Tue, 17 Aug 2021 19:09:13 +0200
-Subject: [PATCH 01/12] lib-sieve: sieve-interpreter - Fix field mixup in debug
- message.
-
----
- src/lib-sieve/sieve-interpreter.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c b/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c
-index 9ee6c659..274e142d 100644
---- a/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c
-@@ -1003,8 +1003,8 @@ int sieve_interpreter_continue(struct sieve_interpreter *interp,
- }
- e_debug(e->event(), "Finished running script `%s' "
- "(status=%s, resource usage: %s)",
-- sieve_execution_exitcode_to_str(ret),
- sieve_binary_source(interp->runenv.sbin),
-+ sieve_execution_exitcode_to_str(ret),
- sieve_resource_usage_get_summary(&interp->rusage));
- interp->running = FALSE;
- }
-
-From 54e020c1212f626049bffc6c6fea8e606a893af2 Mon Sep 17 00:00:00 2001
-From: Stephan Bosch
-Date: Wed, 18 Aug 2021 01:44:23 +0200
-Subject: [PATCH 02/12] lib-sieve: sieve-result - Remove success parameter from
- sieve_result_implicit_keep_execute().
-
----
- src/lib-sieve/sieve-result.c | 18 ++++++++----------
- 1 file changed, 8 insertions(+), 10 deletions(-)
-
-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-index 55eb9f54..d3f2f925 100644
---- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-@@ -1475,8 +1475,7 @@ void sieve_result_execution_destroy(struct sieve_result_execution **_rexec)
- }
-
- static void
--sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
-- bool success)
-+sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
- {
- const struct sieve_action_exec_env *aenv = &rexec->action_env;
- struct sieve_result *result = aenv->result;
-@@ -1486,6 +1485,7 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
- struct sieve_action_execution *aexec_keep = &rexec->keep;
- struct sieve_result_action *ract_keep = &rexec->keep_action;
- struct sieve_action *act_keep = &ract_keep->action;
-+ bool success = (rexec->status == SIEVE_EXEC_OK);
-
- if (rexec->keep_equiv_action != NULL) {
- e_debug(rexec->event, "No implicit keep needed "
-@@ -1579,8 +1579,8 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
- }
- }
-
-- e_debug(rexec->event, "Execute implicit keep (failure=%s)",
-- (!success ? "yes" : "no"));
-+ e_debug(rexec->event, "Execute implicit keep (status=%s)",
-+ sieve_execution_exitcode_to_str(rexec->status));
-
- /* Initialize side effects */
- sieve_action_execution_add_side_effects(rexec, aexec_keep, ract_keep);
-@@ -1633,7 +1633,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
- /* Start keep if necessary */
- if (act_keep->def == NULL ||
- aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
-- sieve_result_implicit_keep_execute(rexec, success);
-+ sieve_result_implicit_keep_execute(rexec);
- /* Switch to failure keep if necessary. */
- } else if (rexec->keep_success && !success){
- e_debug(rexec->event, "Switch to failure implicit keep");
-@@ -1645,7 +1645,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
- i_zero(aexec_keep);
-
- /* Start failure keep action. */
-- sieve_result_implicit_keep_execute(rexec, success);
-+ sieve_result_implicit_keep_execute(rexec);
- }
- if (act_keep->def == NULL)
- return rexec->keep_status;
-@@ -1931,10 +1931,8 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
- /* Execute implicit keep if the transaction failed or when the
- implicit keep was not canceled during transaction.
- */
-- if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
-- sieve_result_implicit_keep_execute(
-- rexec, (rexec->status == SIEVE_EXEC_OK));
-- }
-+ if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
-+ sieve_result_implicit_keep_execute(rexec);
- }
-
- /* Transaction commit/rollback */
-
-From 291f2fdb77b86db566dca7c028dd93fc741f6b31 Mon Sep 17 00:00:00 2001
-From: Stephan Bosch
-Date: Wed, 18 Aug 2021 01:40:57 +0200
-Subject: [PATCH 03/12] lib-sieve: sieve-result - Remove success parameter from
- sieve_result_implicit_keep_finalize().
-
----
- src/lib-sieve/sieve-result.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-index d3f2f925..3cf2c02a 100644
---- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-@@ -1603,8 +1603,7 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
- }
-
- static int
--sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
-- bool success)
-+sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
- {
- const struct sieve_action_exec_env *aenv = &rexec->action_env;
- const struct sieve_execute_env *eenv = aenv->exec_env;
-@@ -1612,6 +1611,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
- struct sieve_result_action *ract_keep = &rexec->keep_action;
- struct sieve_action *act_keep = &ract_keep->action;
- int commit_status = SIEVE_EXEC_OK;
-+ bool success = (rexec->status == SIEVE_EXEC_OK);
-
- if (rexec->keep_equiv_action != NULL) {
- struct sieve_action_execution *ke_aexec =
-@@ -1627,8 +1627,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
- return rexec->keep_status;
- }
-
-- e_debug(rexec->event, "Finalize implicit keep (failure=%s)",
-- (!success ? "yes" : "no"));
-+ e_debug(rexec->event, "Finalize implicit keep (status=%s)",
-+ sieve_execution_exitcode_to_str(rexec->status));
-
- /* Start keep if necessary */
- if (act_keep->def == NULL ||
-@@ -1950,8 +1950,7 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
- implicit keep was not canceled during transaction.
- */
- if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
-- ret = sieve_result_implicit_keep_finalize(
-- rexec, (rexec->status == SIEVE_EXEC_OK));
-+ ret = sieve_result_implicit_keep_finalize(rexec);
- switch (ret) {
- case SIEVE_EXEC_OK:
- if (result_status == SIEVE_EXEC_TEMP_FAILURE)
-
-From 10e347e3c9eb5e7bf5bc6f178389005357f527fe Mon Sep 17 00:00:00 2001
-From: Stephan Bosch
-Date: Wed, 18 Aug 2021 02:07:01 +0200
-Subject: [PATCH 04/12] lib-sieve: sieve-result - Move temp failure status
- checks into sieve_result_implicit_keep_execute().
-
----
- src/lib-sieve/sieve-result.c | 38 ++++++++++++++++++++++++------------
- 1 file changed, 26 insertions(+), 12 deletions(-)
-
-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-index 3cf2c02a..44afeef7 100644
---- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-@@ -934,6 +934,7 @@ struct sieve_result_execution {
- bool keep_success:1;
- bool keep_explicit:1;
- bool keep_implicit:1;
-+ bool keep_finalizing:1;
- bool seen_delivery:1;
- bool executed:1;
- bool executed_delivery:1;
-@@ -1485,7 +1486,24 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
- struct sieve_action_execution *aexec_keep = &rexec->keep;
- struct sieve_result_action *ract_keep = &rexec->keep_action;
- struct sieve_action *act_keep = &ract_keep->action;
-- bool success = (rexec->status == SIEVE_EXEC_OK);
-+ bool success = FALSE;
-+
-+ switch (rexec->status) {
-+ case SIEVE_EXEC_OK:
-+ success = TRUE;
-+ break;
-+ case SIEVE_EXEC_TEMP_FAILURE:
-+ case SIEVE_EXEC_RESOURCE_LIMIT:
-+ if (rexec->executed)
-+ break;
-+ if (rexec->committed)
-+ break;
-+ if (rexec->keep_finalizing)
-+ break;
-+ return;
-+ default:
-+ break;
-+ }
-
- if (rexec->keep_equiv_action != NULL) {
- e_debug(rexec->event, "No implicit keep needed "
-@@ -1630,6 +1648,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
- e_debug(rexec->event, "Finalize implicit keep (status=%s)",
- sieve_execution_exitcode_to_str(rexec->status));
-
-+ rexec->keep_finalizing = TRUE;
-+
- /* Start keep if necessary */
- if (act_keep->def == NULL ||
- aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
-@@ -1923,17 +1943,11 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
- return rexec->status;
- }
-
-- /* Execute implicit keep if necessary */
--
-- if (rexec->executed ||
-- (rexec->status != SIEVE_EXEC_TEMP_FAILURE &&
-- rexec->status != SIEVE_EXEC_RESOURCE_LIMIT)) {
-- /* Execute implicit keep if the transaction failed or when the
-- implicit keep was not canceled during transaction.
-- */
-- if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
-- sieve_result_implicit_keep_execute(rexec);
-- }
-+ /* Execute implicit keep if the transaction failed or when the
-+ implicit keep was not canceled during transaction.
-+ */
-+ if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
-+ sieve_result_implicit_keep_execute(rexec);
-
- /* Transaction commit/rollback */
-
-
-From c84e6e5d8d1d8b03a0ba5958804d200c6e1916d8 Mon Sep 17 00:00:00 2001
-From: Stephan Bosch
-Date: Wed, 18 Aug 2021 02:26:32 +0200
-Subject: [PATCH 05/12] lib-sieve: sieve-result - Move temp failure status
- checks into sieve_result_implicit_keep_finalize().
-
----
- src/lib-sieve/sieve-result.c | 56 +++++++++++++++++++++---------------
- 1 file changed, 33 insertions(+), 23 deletions(-)
-
-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-index 44afeef7..10cc3b95 100644
---- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-@@ -1629,7 +1629,20 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
- struct sieve_result_action *ract_keep = &rexec->keep_action;
- struct sieve_action *act_keep = &ract_keep->action;
- int commit_status = SIEVE_EXEC_OK;
-- bool success = (rexec->status == SIEVE_EXEC_OK);
-+ bool success = FALSE;
-+
-+ switch (rexec->status) {
-+ case SIEVE_EXEC_OK:
-+ success = TRUE;
-+ break;
-+ case SIEVE_EXEC_TEMP_FAILURE:
-+ case SIEVE_EXEC_RESOURCE_LIMIT:
-+ if (rexec->committed)
-+ break;
-+ return rexec->status;
-+ default:
-+ break;
-+ }
-
- if (rexec->keep_equiv_action != NULL) {
- struct sieve_action_execution *ke_aexec =
-@@ -1957,32 +1970,29 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
- /* Commit implicit keep if necessary */
-
- result_status = rexec->status;
-- if (rexec->committed ||
-- (rexec->status != SIEVE_EXEC_TEMP_FAILURE &&
-- rexec->status != SIEVE_EXEC_RESOURCE_LIMIT)) {
-- /* Commit implicit keep if the transaction failed or when the
-- implicit keep was not canceled during transaction.
-- */
-- if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
-- ret = sieve_result_implicit_keep_finalize(rexec);
-- switch (ret) {
-- case SIEVE_EXEC_OK:
-- if (result_status == SIEVE_EXEC_TEMP_FAILURE)
-- result_status = SIEVE_EXEC_FAILURE;
-+
-+ /* Commit implicit keep if the transaction failed or when the
-+ implicit keep was not canceled during transaction.
-+ */
-+ if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
-+ ret = sieve_result_implicit_keep_finalize(rexec);
-+ switch (ret) {
-+ case SIEVE_EXEC_OK:
-+ if (result_status == SIEVE_EXEC_TEMP_FAILURE)
-+ result_status = SIEVE_EXEC_FAILURE;
-+ break;
-+ case SIEVE_EXEC_TEMP_FAILURE:
-+ if (!rexec->committed) {
-+ result_status = ret;
- break;
-- case SIEVE_EXEC_TEMP_FAILURE:
-- if (!rexec->committed) {
-- result_status = ret;
-- break;
-- }
-- /* fall through */
-- default:
-- result_status = SIEVE_EXEC_KEEP_FAILED;
- }
-+ /* fall through */
-+ default:
-+ result_status = SIEVE_EXEC_KEEP_FAILED;
- }
-- if (rexec->status == SIEVE_EXEC_OK)
-- rexec->status = result_status;
- }
-+ if (rexec->status == SIEVE_EXEC_OK)
-+ rexec->status = result_status;
-
- /* Finish execution */
-
-
-From 92b4b06d5d8deeefdd17d5fb18d7f0d23e8e414b Mon Sep 17 00:00:00 2001
-From: Stephan Bosch
-Date: Wed, 18 Aug 2021 02:46:18 +0200
-Subject: [PATCH 06/12] lib-sieve: sieve-result - Skip implicit keep in
- execution stage upon temp failure.
-
-It will be executed in the commit phase if necessary; don't do it early; it will
-only be rolled back.
----
- src/lib-sieve/sieve-result.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-index 10cc3b95..82354831 100644
---- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-@@ -1494,8 +1494,6 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
- break;
- case SIEVE_EXEC_TEMP_FAILURE:
- case SIEVE_EXEC_RESOURCE_LIMIT:
-- if (rexec->executed)
-- break;
- if (rexec->committed)
- break;
- if (rexec->keep_finalizing)
-
-From f2b81cc6ebaa3001bde693f7abdb990f467f7831 Mon Sep 17 00:00:00 2001
-From: Stephan Bosch
-Date: Wed, 18 Aug 2021 02:56:32 +0200
-Subject: [PATCH 07/12] lib-sieve: sieve-result - Fix handling of resource
- limit status after implicit keep commit.
-
----
- src/lib-sieve/sieve-result.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-index 82354831..96582075 100644
---- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-@@ -1980,6 +1980,7 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
- result_status = SIEVE_EXEC_FAILURE;
- break;
- case SIEVE_EXEC_TEMP_FAILURE:
-+ case SIEVE_EXEC_RESOURCE_LIMIT:
- if (!rexec->committed) {
- result_status = ret;
- break;
-
-From 293f0027106a725e4cbcf56b673f1eedda00c317 Mon Sep 17 00:00:00 2001
-From: Stephan Bosch
-Date: Wed, 18 Aug 2021 02:54:25 +0200
-Subject: [PATCH 08/12] lib-sieve: sieve-result - Fix resource leak occurring
- when implicit keep is executed before temporary failure at commit.
-
-In the commit phase the implicit keep was never finalized, meaning that it was
-not rolled back and thus not cleaned up properly. This leads to a memory leak
-and a mailbox reference leak. This in turn causes an assert crash at the end
-of delivery when the mail user is destroyed.
----
- src/lib-sieve/sieve-result.c | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-index 96582075..10ea349c 100644
---- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-@@ -1627,7 +1627,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
- struct sieve_result_action *ract_keep = &rexec->keep_action;
- struct sieve_action *act_keep = &ract_keep->action;
- int commit_status = SIEVE_EXEC_OK;
-- bool success = FALSE;
-+ bool success = FALSE, temp_failure = FALSE;
-
- switch (rexec->status) {
- case SIEVE_EXEC_OK:
-@@ -1637,7 +1637,15 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
- case SIEVE_EXEC_RESOURCE_LIMIT:
- if (rexec->committed)
- break;
-- return rexec->status;
-+
-+ if (aexec_keep->state !=
-+ SIEVE_ACTION_EXECUTION_STATE_EXECUTED)
-+ return rexec->status;
-+ /* Roll back for temporary failure when no other action
-+ is committed. */
-+ commit_status = rexec->status;
-+ temp_failure = TRUE;
-+ break;
- default:
- break;
- }
-@@ -1662,8 +1670,10 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
- rexec->keep_finalizing = TRUE;
-
- /* Start keep if necessary */
-- if (act_keep->def == NULL ||
-- aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
-+ if (temp_failure) {
-+ rexec->keep_status = rexec->status;
-+ } else if (act_keep->def == NULL ||
-+ aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
- sieve_result_implicit_keep_execute(rexec);
- /* Switch to failure keep if necessary. */
- } else if (rexec->keep_success && !success){
-
-From 81bd53d6c9fa14fc6b32304e49dddb8fd022de91 Mon Sep 17 00:00:00 2001
-From: Stephan Bosch
-Date: Wed, 18 Aug 2021 13:29:41 +0200
-Subject: [PATCH 09/12] lib-sieve: sieve-result - Assert that implicit keep is
- executed in sieve_result_implicit_keep_finalize().
-
----
- src/lib-sieve/sieve-result.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-index 10ea349c..de97d6ae 100644
---- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-@@ -1691,6 +1691,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
- if (act_keep->def == NULL)
- return rexec->keep_status;
-
-+ i_assert(aexec_keep->state == SIEVE_ACTION_EXECUTION_STATE_EXECUTED);
-+
- /* Finalize keep action */
- rexec->keep_status = sieve_result_action_commit_or_rollback(
- rexec, aexec_keep, rexec->keep_status, &commit_status);
-
-From dbf5b62ba82766a7d824e81005b2517d96984ef0 Mon Sep 17 00:00:00 2001
-From: Stephan Bosch
-Date: Wed, 18 Aug 2021 02:43:05 +0200
-Subject: [PATCH 10/12] lib-sieve: sieve-result - Add debug messages for temp
- failure handling.
-
----
- src/lib-sieve/sieve-result.c | 28 +++++++++++++++++++++++++---
- 1 file changed, 25 insertions(+), 3 deletions(-)
-
-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-index de97d6ae..c21c8017 100644
---- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-@@ -1494,10 +1494,21 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
- break;
- case SIEVE_EXEC_TEMP_FAILURE:
- case SIEVE_EXEC_RESOURCE_LIMIT:
-- if (rexec->committed)
-+ if (rexec->committed) {
-+ e_debug(rexec->event,
-+ "Temporary failure occurred (status=%s), "
-+ "but other actions were already committed: "
-+ "execute failure implicit keep",
-+ sieve_execution_exitcode_to_str(rexec->status));
- break;
-+ }
- if (rexec->keep_finalizing)
- break;
-+
-+ e_debug(rexec->event,
-+ "Skip implicit keep for temporary failure "
-+ "(state=execute, status=%s)",
-+ sieve_execution_exitcode_to_str(rexec->status));
- return;
- default:
- break;
-@@ -1635,12 +1646,23 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
- break;
- case SIEVE_EXEC_TEMP_FAILURE:
- case SIEVE_EXEC_RESOURCE_LIMIT:
-- if (rexec->committed)
-+ if (rexec->committed) {
-+ e_debug(rexec->event,
-+ "Temporary failure occurred (status=%s), "
-+ "but other actions were already committed: "
-+ "commit failure implicit keep",
-+ sieve_execution_exitcode_to_str(rexec->status));
- break;
-+ }
-
- if (aexec_keep->state !=
-- SIEVE_ACTION_EXECUTION_STATE_EXECUTED)
-+ SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
-+ e_debug(rexec->event,
-+ "Skip implicit keep for temporary failure "
-+ "(state=commit, status=%s)",
-+ sieve_execution_exitcode_to_str(rexec->status));
- return rexec->status;
-+ }
- /* Roll back for temporary failure when no other action
- is committed.
*/ - commit_status = rexec->status; - -From 65d771c15bf443690580dbb0643556794106522b Mon Sep 17 00:00:00 2001 -From: Stephan Bosch -Date: Wed, 18 Aug 2021 13:26:26 +0200 -Subject: [PATCH 11/12] lib-sieve: sieve-result - Indicate in - sieve_result_transaction_execute() debug message whether actions were - executed. - ---- - src/lib-sieve/sieve-result.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c -index c21c8017..6f3cb954 100644 ---- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c -+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c -@@ -1796,10 +1796,11 @@ sieve_result_transaction_execute(struct sieve_result_execution *rexec, - } - - e_debug(rexec->event, "Finished executing actions " -- "(status=%s, keep=%s)", -+ "(status=%s, keep=%s, executed=%s)", - sieve_execution_exitcode_to_str(status), - (rexec->keep_explicit ? "explicit" : -- (rexec->keep_implicit ? "implicit" : "none"))); -+ (rexec->keep_implicit ? "implicit" : "none")), -+ (rexec->executed ? "yes" : "no")); - return status; - } - - -From 4596d39908a868783fae9a0c2fd264409c0aaa96 Mon Sep 17 00:00:00 2001 -From: Stephan Bosch -Date: Wed, 18 Aug 2021 13:27:50 +0200 -Subject: [PATCH 12/12] lib-sieve: sieve-result - Indicate in - sieve_result_transaction_finalize() debug message whether actions were - committed. 
- ---- - src/lib-sieve/sieve-result.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c -index 6f3cb954..effd6f28 100644 ---- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c -+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c -@@ -1859,10 +1859,11 @@ sieve_result_transaction_commit_or_rollback( - } - - e_debug(rexec->event, "Finished finalizing actions " -- "(status=%s, keep=%s)", -+ "(status=%s, keep=%s, committed=%s)", - sieve_execution_exitcode_to_str(status), - (rexec->keep_explicit ? "explicit" : -- (rexec->keep_implicit ? "implicit" : "none"))); -+ (rexec->keep_implicit ? "implicit" : "none")), -+ (rexec->committed ? "yes" : "no")); - - return commit_status; - } diff --git a/SOURCES/dovecot-2.3.18-bdf447e4.patch b/SOURCES/dovecot-2.3.18-bdf447e4.patch deleted file mode 100644 index 4b624b2..0000000 --- a/SOURCES/dovecot-2.3.18-bdf447e4.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From bdf4474ed82aaf964e7d94e72ca56b496e3815f9 Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Fri, 1 Oct 2021 15:08:45 +0300 -Subject: [PATCH] virtual: Fix leaking mailboxes if virtual mailbox can't be - opened - -Fixes also a crash at deinit: -Panic: file mail-user.c: line 232 (mail_user_deinit): assertion failed: ((*user)->refcount == 1) ---- - src/plugins/virtual/virtual-storage.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/plugins/virtual/virtual-storage.c b/src/plugins/virtual/virtual-storage.c -index 2f31503d53..a0779cc186 100644 ---- a/src/plugins/virtual/virtual-storage.c -+++ b/src/plugins/virtual/virtual-storage.c -@@ -495,12 +495,12 @@ static int virtual_mailbox_open(struct mailbox *box) - ret = virtual_mailboxes_open(mbox, box->flags); - array_pop_back(&mbox->storage->open_stack); - } -+ if (ret == 0) -+ ret = index_storage_mailbox_open(box, FALSE); - if (ret < 0) { - virtual_mailbox_close_internal(mbox); - return -1; - } -- if (index_storage_mailbox_open(box, FALSE) < 0) -- return -1; - - mbox->virtual_ext_id = - mail_index_ext_register(mbox->box.index, "virtual", 0, diff --git a/SOURCES/dovecot-1.0.beta2-mkcert-permissions.patch b/dovecot-1.0.beta2-mkcert-permissions.patch similarity index 100% rename from SOURCES/dovecot-1.0.beta2-mkcert-permissions.patch rename to dovecot-1.0.beta2-mkcert-permissions.patch diff --git a/SOURCES/dovecot-1.0.rc7-mkcert-paths.patch b/dovecot-1.0.rc7-mkcert-paths.patch similarity index 100% rename from SOURCES/dovecot-1.0.rc7-mkcert-paths.patch rename to dovecot-1.0.rc7-mkcert-paths.patch diff --git a/SOURCES/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch similarity index 65% rename from SOURCES/dovecot-2.0-defaultconfig.patch rename to dovecot-2.0-defaultconfig.patch index e3077f5..21f00ec 100644 --- a/SOURCES/dovecot-2.0-defaultconfig.patch +++ b/dovecot-2.0-defaultconfig.patch 
@@ -1,7 +1,7 @@ -diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf ---- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 -+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100 -@@ -165,7 +165,7 @@ namespace inbox { +diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf +--- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings 2021-08-06 11:25:51.000000000 +0200 ++++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf 2021-10-27 11:13:45.666956339 +0200 +@@ -175,7 +175,7 @@ namespace inbox { # to make sure that users can't log in as daemons or other system users. # Note that denying root logins is hardcoded to dovecot binary and can't # be done even if first_valid_uid is set to 0. @@ -18,9 +18,9 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings # Maximum time to wait for lock (all of them) before aborting. #mbox_lock_timeout = 5 mins -diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf ---- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 -+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100 +diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf +--- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings 2021-08-06 11:25:51.000000000 +0200 ++++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf 2021-10-27 11:13:02.834533975 +0200 @@ -3,7 +3,9 @@ ## 
@@ -32,7 +32,7 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but -@@ -57,6 +59,7 @@ ssl_key = script), sieve_script_location(included->script), + ((flags & EXT_INCLUDE_FLAG_ONCE) != 0 ? "(once) " : ""), + ((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0 ? "(optional) " : ""), +- include_id, sieve_binary_block_get_id(included->block)); ++ (included->block == NULL ? "(missing) " : ""), ++ include_id, ++ (included->block == NULL ? -1 : sieve_binary_block_get_id(included->block))); + + return TRUE; + } +diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c +--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob 2023-09-14 15:18:26.000000000 +0200 ++++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c 2024-06-04 09:10:45.187823805 +0200 +@@ -693,6 +693,25 @@ int ext_include_execute_include(const st + } + + ctx = ext_include_get_interpreter_context(this_ext, renv->interp); ++ if (included->block == NULL) { ++ if ((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0) { ++ sieve_runtime_trace( ++ renv, SIEVE_TRLVL_NONE, ++ "include: skipped include for script '%s' " ++ "[inc id: %d, block: NULL]; optional and unavailable", ++ sieve_script_name(included->script), ++ include_id); ++ return result; ++ } else { ++ sieve_runtime_trace( ++ renv, SIEVE_TRLVL_NONE, ++ "include: unavailable script '%s' " ++ "[inc id: %d, block: NULL]", ++ sieve_script_name(included->script), ++ include_id); ++ return SIEVE_EXEC_BIN_CORRUPT; ++ } ++ } + block_id = sieve_binary_block_get_id(included->block); + + /* If :once modifier is specified, check for duplicate include */ 
diff --git a/dovecot-2.3-ph_scriptcmp.patch b/dovecot-2.3-ph_scriptcmp.patch
new file mode 100644
index 0000000..2bcaade
--- /dev/null
+++ b/dovecot-2.3-ph_scriptcmp.patch
@@ -0,0 +1,12 @@
+diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4 dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c
+--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4 2024-06-03 13:35:24.408858593 +0200
++++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c 2024-06-03 13:35:24.434858849 +0200
+@@ -800,7 +800,7 @@ static bool sieve_file_script_equals
+ (struct sieve_file_script *)other;
+
+ return ( CMP_DEV_T(fscript->st.st_dev, fother->st.st_dev) &&
+- fscript->st.st_ino == fother->st.st_ino );
++ fscript->st.st_ino == fother->st.st_ino && (fscript->st.st_ino != 0 || script->location != NULL && other->location != NULL && strcmp(script->location, other->location) == 0));
+ }
+
+ /*
diff --git a/SOURCES/dovecot-2.2.36-bigkey.patch b/dovecot-2.3.11-bigkey.patch
similarity index 100%
rename from SOURCES/dovecot-2.2.36-bigkey.patch
rename to dovecot-2.3.11-bigkey.patch
diff --git a/dovecot-2.3.14-opensslv3.patch b/dovecot-2.3.14-opensslv3.patch
new file mode 100644
index 0000000..fa6c44f
--- /dev/null
+++ b/dovecot-2.3.14-opensslv3.patch
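Review bot: The new return expression in sieve_file_script_equals() mixes `||` and `&&` without grouping and packs the inode-zero fallback into one very long line, so the intent is easy to misread and GCC's -Wparentheses will flag it. Grouping it as `(fscript->st.st_ino != 0 || (script->location != NULL && other->location != NULL && strcmp(script->location, other->location) == 0))` on its own continuation lines keeps the same result and makes the precedence explicit. A comment such as `/* st_ino == 0: presumably no usable inode identity, so fall back to comparing locations */` should say why the fallback exists. With it, two scripts whose `st_ino` is 0 compare unequal unless both locations are set and identical, which looks like the intended conservative default but is worth stating. The function's signature and the start of its body are outside the hunk.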
@@ -0,0 +1,34 @@
+diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c
+--- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 2021-06-03 18:56:52.573174433 +0200
++++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c 2021-06-03 18:56:52.585174274 +0200
+@@ -73,10 +73,30 @@
+ 2key algo oid1symmetric algo namesalthash algoroundsE(RSA = i2d_PrivateKey, EC=Private Point)key id
+ **/
+
++#if OPENSSL_VERSION_MAJOR == 3
++static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
++{
++ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
++ EVP_PKEY_set1_EC_KEY(key, eck);
++ EC_KEY_free(eck);
++ return eck;
++}
++
++static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
++{
++ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
++ EVP_PKEY_set1_EC_KEY(key, eck);
++ return eck;
++}
++
++#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3
++#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
++#else
+ #ifndef HAVE_EVP_PKEY_get0
+ #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
+ #define EVP_PKEY_get0_RSA(x) x->pkey.rsa
+ #endif
++#endif
+
+ #ifndef HAVE_OBJ_LENGTH
+ #define OBJ_length(o) ((o)->length)
diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch
new file mode 100644
index 0000000..a064c26
--- /dev/null
+++ b/dovecot-2.3.15-fixvalcond.patch
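Review bot: `EVP_PKEY_get0_EC_KEYv3()` can return a pointer to freed key material: it ignores the result of `EVP_PKEY_set1_EC_KEY()`, so if that call fails `key` takes no reference of its own and the following `EC_KEY_free(eck)` may drop the last one. A NULL from `EVP_PKEY_get1_EC_KEY()` (a non-EC key) is also passed straight into set1 in both wrappers. Checking both calls and returning NULL on failure, as sketched below for the get0 wrapper, keeps the borrowed-pointer contract intact; `EVP_PKEY_get1_EC_KEYv3()` needs the same two checks. The guard `#if OPENSSL_VERSION_MAJOR == 3` will stop matching on a later major version, so `>= 3` is probably what is meant. The callers are outside the hunk, so confirm they handle a NULL return.

```c
static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
{
	EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);

	if (eck == NULL)
		return NULL;
	if (EVP_PKEY_set1_EC_KEY(key, eck) != 1) {
		/* key took no reference: never hand back a pointer we are about to free */
		EC_KEY_free(eck);
		return NULL;
	}
	/* key holds its own reference now, so the result stays valid while key lives */
	EC_KEY_free(eck);
	return eck;
}
/* … unchanged apart from the same two checks: EVP_PKEY_get1_EC_KEYv3(), the #define redirects … */
```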
@@ -0,0 +1,24 @@
+diff -up dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c
+--- dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100
++++ dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100
+@@ -114,7 +114,7 @@ static int sieve_dict_script_get_stream
+ (struct sieve_dict_script *)script;
+ struct sieve_dict_storage *dstorage =
+ (struct sieve_dict_storage *)script->storage;
+- const char *path, *name = script->name, *data, *error;
++ const char *path, *name = script->name, *data, *error = NULL;
+ int ret;
+
+ dscript->data_pool =
+diff -up dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.17/src/lib-storage/index/index-attribute.c
+--- dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond 2021-10-27 13:09:04.000000000 +0200
++++ dovecot-2.3.17/src/lib-storage/index/index-attribute.c 2021-11-02 21:51:36.109032050 +0100
+@@ -248,7 +248,7 @@ int index_storage_attribute_get(struct m
+ struct mail_attribute_value *value_r)
+ {
+ struct dict *dict;
+- const char *mailbox_prefix, *error;
++ const char *mailbox_prefix, *error = NULL;
+ int ret;
+
+ i_zero(value_r);
diff --git a/dovecot-2.3.15-valbasherr.patch b/dovecot-2.3.15-valbasherr.patch
new file mode 100644
index 0000000..bbcb86f
--- /dev/null
+++ b/dovecot-2.3.15-valbasherr.patch
@@ -0,0 +1,20 @@
+diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp
+--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr 2021-06-21 22:52:53.272707239 +0200
++++ dovecot-2.3.15/run-test-valgrind.supp 2021-06-21 22:54:19.786668430 +0200
+@@ -1,4 +1,16 @@
+ {
++
++ Memcheck:Leak
++ match-leak-kinds: definite
++ fun:malloc
++ fun:make_if_command
++ fun:yyparse
++ fun:parse_command
++ fun:read_command
++ fun:reader_loop
++ fun:main
++}
++{
+
+ Memcheck:Leak
+ fun:malloc
diff --git a/SOURCES/dovecot-2.3.19.1-7bad6a24.patch b/dovecot-2.3.19.1-7bad6a24.patch
similarity index 100%
rename from SOURCES/dovecot-2.3.19.1-7bad6a24.patch
rename to dovecot-2.3.19.1-7bad6a24.patch
diff --git a/dovecot-2.3.20-nolibotp.patch b/dovecot-2.3.20-nolibotp.patch
new file mode 100644
index 0000000..4ec0b78
--- /dev/null
+++ b/dovecot-2.3.20-nolibotp.patch
@@ -0,0 +1,295 @@ +diff -up dovecot-2.3.20/configure.ac.nolibotp dovecot-2.3.20/configure.ac +--- dovecot-2.3.20/configure.ac.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/configure.ac 2023-02-14 16:54:02.118531016 +0100 +@@ -854,7 +854,6 @@ src/lib-lua/Makefile + src/lib-mail/Makefile + src/lib-master/Makefile + src/lib-program-client/Makefile +-src/lib-otp/Makefile + src/lib-dovecot/Makefile + src/lib-sasl/Makefile + src/lib-settings/Makefile +diff -up dovecot-2.3.20/src/auth/main.c.nolibotp dovecot-2.3.20/src/auth/main.c +--- dovecot-2.3.20/src/auth/main.c.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/auth/main.c 2023-02-14 16:54:02.118531016 +0100 +@@ -19,8 +19,6 @@ + #include "password-scheme.h" + #include "passdb-cache.h" + #include "mech.h" +-#include "otp.h" +-#include "mech-otp-common.h" + #include "auth.h" + #include "auth-penalty.h" + #include "auth-token.h" +@@ -283,7 +281,6 @@ static void main_deinit(void) + + auth_policy_deinit(); + mech_register_deinit(&mech_reg); +- mech_otp_deinit(); + mech_deinit(global_auth_settings); + + /* allow modules to unregister their dbs/drivers/etc. 
before freeing +diff -up dovecot-2.3.20/src/auth/Makefile.am.nolibotp dovecot-2.3.20/src/auth/Makefile.am +--- dovecot-2.3.20/src/auth/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/auth/Makefile.am 2023-02-14 16:54:02.118531016 +0100 +@@ -45,7 +45,6 @@ AM_CPPFLAGS = \ + -I$(top_srcdir)/src/lib-sql \ + -I$(top_srcdir)/src/lib-settings \ + -I$(top_srcdir)/src/lib-old-stats \ +- -I$(top_srcdir)/src/lib-otp \ + -I$(top_srcdir)/src/lib-master \ + -I$(top_srcdir)/src/lib-oauth2 \ + -I$(top_srcdir)/src/lib-ssl-iostream \ +@@ -67,7 +66,6 @@ libpassword_la_SOURCES = \ + password-scheme-crypt.c \ + password-scheme-md5crypt.c \ + password-scheme-scram.c \ +- password-scheme-otp.c \ + password-scheme-pbkdf2.c \ + password-scheme-sodium.c + libpassword_la_CFLAGS = $(AM_CPPFLAGS) $(LIBSODIUM_CFLAGS) +@@ -76,7 +74,6 @@ auth_libs = \ + libauth.la \ + libstats_auth.la \ + libpassword.la \ +- ../lib-otp/libotp.la \ + $(AUTH_LUA_LIBS) \ + $(LIBDOVECOT_SQL) + +@@ -95,7 +92,6 @@ libauth_la_SOURCES = \ + auth-client-connection.c \ + auth-master-connection.c \ + auth-policy.c \ +- mech-otp-common.c \ + mech-plain-common.c \ + auth-penalty.c \ + auth-request.c \ +@@ -122,7 +118,6 @@ libauth_la_SOURCES = \ + mech-digest-md5.c \ + mech-external.c \ + mech-gssapi.c \ +- mech-otp.c \ + mech-scram.c \ + mech-apop.c \ + mech-winbind.c \ +@@ -161,7 +156,6 @@ headers = \ + auth-client-connection.h \ + auth-common.h \ + auth-master-connection.h \ +- mech-otp-common.h \ + mech-plain-common.h \ + mech-digest-md5-private.h \ + mech-scram.h \ +@@ -260,7 +254,6 @@ test_libs = \ + test_libpassword_SOURCES = test-libpassword.c + test_libpassword_LDADD = \ + libpassword.la \ +- ../lib-otp/libotp.la \ + $(CRYPT_LIBS) \ + $(LIBDOVECOT_SQL) \ + $(LIBSODIUM_LIBS) \ +diff -up dovecot-2.3.20/src/auth/mech.c.nolibotp dovecot-2.3.20/src/auth/mech.c +--- dovecot-2.3.20/src/auth/mech.c.nolibotp 2023-02-14 16:55:38.421231797 +0100 ++++ dovecot-2.3.20/src/auth/mech.c 2023-02-14 
16:55:38.434231892 +0100 +@@ -71,7 +71,6 @@ extern const struct mech_module mech_apo + extern const struct mech_module mech_cram_md5; + extern const struct mech_module mech_digest_md5; + extern const struct mech_module mech_external; +-extern const struct mech_module mech_otp; + extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha256; + extern const struct mech_module mech_anonymous; +@@ -206,7 +205,6 @@ void mech_init(const struct auth_setting + mech_register_module(&mech_gssapi_spnego); + #endif + } +- mech_register_module(&mech_otp); + mech_register_module(&mech_scram_sha1); + mech_register_module(&mech_scram_sha256); + mech_register_module(&mech_anonymous); +@@ -233,7 +231,6 @@ void mech_deinit(const struct auth_setti + mech_unregister_module(&mech_gssapi_spnego); + #endif + } +- mech_unregister_module(&mech_otp); + mech_unregister_module(&mech_scram_sha1); + mech_unregister_module(&mech_scram_sha256); + mech_unregister_module(&mech_anonymous); +diff -up dovecot-2.3.20/src/auth/password-scheme.c.nolibotp dovecot-2.3.20/src/auth/password-scheme.c +--- dovecot-2.3.20/src/auth/password-scheme.c.nolibotp 2023-02-14 16:54:02.109530950 +0100 ++++ dovecot-2.3.20/src/auth/password-scheme.c 2023-02-14 16:54:02.119531023 +0100 +@@ -13,7 +13,6 @@ + #include "randgen.h" + #include "sha1.h" + #include "sha2.h" +-#include "otp.h" + #include "str.h" + #include "password-scheme.h" + +@@ -709,32 +708,6 @@ plain_md5_generate(const char *plaintext + *size_r = MD5_RESULTLEN; + } + +-static int otp_verify(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, +- const unsigned char *raw_password, size_t size, +- const char **error_r) +-{ +- const char *password, *generated; +- +- password = t_strndup(raw_password, size); +- if (password_generate_otp(plaintext, password, UINT_MAX, &generated) < 0) { +- *error_r = "Invalid OTP data in passdb"; +- return -1; +- } +- +- return strcasecmp(password, generated) == 0 ? 
1 : 0; +-} +- +-static void +-otp_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, +- const unsigned char **raw_password_r, size_t *size_r) +-{ +- const char *password; +- +- if (password_generate_otp(plaintext, NULL, OTP_HASH_SHA1, &password) < 0) +- i_unreached(); +- *raw_password_r = (const unsigned char *)password; +- *size_r = strlen(password); +-} + + static const struct password_scheme builtin_schemes[] = { + { "MD5", PW_ENCODING_NONE, 0, md5_verify, md5_crypt_generate }, +@@ -770,7 +743,6 @@ static const struct password_scheme buil + NULL, plain_md5_generate }, + { "LDAP-MD5", PW_ENCODING_BASE64, MD5_RESULTLEN, + NULL, plain_md5_generate }, +- { "OTP", PW_ENCODING_NONE, 0, otp_verify, otp_generate }, + { "PBKDF2", PW_ENCODING_NONE, 0, pbkdf2_verify, pbkdf2_generate }, + }; + +diff -up dovecot-2.3.20/src/auth/password-scheme.h.nolibotp dovecot-2.3.20/src/auth/password-scheme.h +--- dovecot-2.3.20/src/auth/password-scheme.h.nolibotp 2023-02-14 16:56:50.929759540 +0100 ++++ dovecot-2.3.20/src/auth/password-scheme.h 2023-02-14 16:56:50.947759671 +0100 +@@ -92,9 +92,6 @@ void password_set_encryption_rounds(unsi + /* INTERNAL: */ + const char *password_generate_salt(size_t len); + const char *password_generate_md5_crypt(const char *pw, const char *salt); +-int password_generate_otp(const char *pw, const char *state_data, +- unsigned int algo, const char **result_r) +- ATTR_NULL(2); + + int crypt_verify(const char *plaintext, + const struct password_generate_params *params, +diff -up dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp dovecot-2.3.20/src/auth/test-libpassword.c +--- dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp 2023-02-14 16:54:55.880922175 +0100 ++++ dovecot-2.3.20/src/auth/test-libpassword.c 2023-02-14 16:54:55.896922291 +0100 +@@ -106,7 +106,6 @@ static void test_password_schemes(void) + test_password_scheme("SHA512", 
"{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test"); + test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test"); + test_password_scheme("MD5-CRYPT", "{MD5-CRYPT}$1$GgvxyNz8$OjZhLh4P.gF1lxYEbLZ3e/", "test"); +- test_password_scheme("OTP", "{OTP}sha1 1024 ae6b49aa481f7233 f69fc7f98b8fbf54", "test"); + test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test"); + test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test"); + test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test"); +diff -up dovecot-2.3.20/src/auth/test-mech.c.nolibotp dovecot-2.3.20/src/auth/test-mech.c +--- dovecot-2.3.20/src/auth/test-mech.c.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/auth/test-mech.c 2023-02-14 16:54:02.119531023 +0100 +@@ -8,8 +8,6 @@ + #include "auth-request-handler-private.h" + #include "auth-settings.h" + #include "mech-digest-md5-private.h" +-#include "otp.h" +-#include "mech-otp-common.h" + #include "settings-parser.h" + #include "password-scheme.h" + #include "auth-token.h" +@@ -27,7 +25,6 @@ extern const struct mech_module mech_dov + extern const struct mech_module mech_external; + extern const struct mech_module mech_login; + extern const struct mech_module mech_oauthbearer; +-extern const struct mech_module mech_otp; + extern const struct mech_module mech_plain; + extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha256; +@@ -65,10 +62,7 @@ request_handler_reply_mock_callback(stru + + if (request->passdb_result == PASSDB_RESULT_OK) + request->failed = FALSE; +- else if (request->mech == &mech_otp) { +- if (null_strcmp(request->fields.user, "otp_phase_2") == 0) +- request->failed = FALSE; +- } else if (request->mech == &mech_oauthbearer) { ++ else if (request->mech == 
&mech_oauthbearer) { + } + }; + +@@ -224,10 +218,6 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0testuser\0testpass"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", NULL, TRUE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", NULL , TRUE, TRUE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_scram_sha256, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, +@@ -242,8 +232,6 @@ static void test_mechs(void) + {&mech_external, UCHAR_LEN(""), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_external, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_login, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), NULL, "invalid input", FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), "testuser", "invalid input", FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_xoauth2, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +@@ -255,7 +243,6 @@ static void test_mechs(void) + {&mech_apop, 
UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE}, + {&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE}, + +@@ -297,9 +284,7 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failingwiththis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), NULL, "invalid input", FALSE, FALSE, FALSE}, + /* phase 2 */ +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE}, +@@ -387,7 +372,6 @@ static void test_mechs(void) + + test_end(); + } T_END; +- mech_otp_deinit(); + auths_deinit(); + auth_token_deinit(); + password_schemes_deinit(); +diff -up dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp dovecot-2.3.20/src/doveadm/Makefile.am +--- dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/doveadm/Makefile.am 2023-02-14 16:54:02.119531023 +0100 +@@ -36,8 +36,7 @@ AM_CPPFLAGS = \ + $(BINARY_CFLAGS) + + cmd_pw_libs = \ +- ../auth/libpassword.la \ +- ../lib-otp/libotp.la ++ 
../auth/libpassword.la + + libs = \ + dsync/libdsync.la \ +diff -up dovecot-2.3.20/src/Makefile.am.nolibotp dovecot-2.3.20/src/Makefile.am +--- dovecot-2.3.20/src/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/Makefile.am 2023-02-14 16:54:02.119531023 +0100 +@@ -40,7 +40,6 @@ SUBDIRS = \ + lib-index \ + lib-storage \ + lib-sql \ +- lib-otp \ + lib-lda \ + lib-dict-backend \ + anvil \ diff --git a/dovecot-2.3.21-noengine.patch b/dovecot-2.3.21-noengine.patch new file mode 100644 index 0000000..7532b91 --- /dev/null +++ b/dovecot-2.3.21-noengine.patch 
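Review bot: Dropping the `OTP` entry from `builtin_schemes` in src/auth/password-scheme.c and the `mech_register_module(&mech_otp)` call in src/auth/mech.c removes a password scheme and a SASL mechanism that existing deployments may still reference, and the patch carries no description of that. Stored passdb values with an `{OTP}` prefix and an `auth_mechanisms` setting that lists `otp` would presumably stop being accepted after the update, so the patch header should state that OTP support is removed on purpose and how such configurations fail. The src/auth/test-mech.c hunk also leaves `else if (request->mech == &mech_oauthbearer) { }` as a branch with an empty body, which should be dropped or given a comment. The src/lib-otp sources appear to stay in the tree unbuilt, since only the Makefile.am and configure.ac references are removed; a line saying so would save the next packager from wondering.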
@@ -0,0 +1,200 @@ +diff -up dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c.noengine dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c +--- dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c.noengine 2024-07-23 13:18:35.040720598 -0400 ++++ dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c 2024-07-23 13:20:16.250720598 -0400 +@@ -20,7 +20,6 @@ + #include + #include + #include +-#include + #include + #include + #include +diff -up dovecot-2.3.21/m4/ssl.m4.noengine dovecot-2.3.21/m4/ssl.m4 +--- dovecot-2.3.21/m4/ssl.m4.noengine 2024-05-06 17:39:59.362886891 +0200 ++++ dovecot-2.3.21/m4/ssl.m4 2024-05-06 17:42:17.945312656 +0200 +@@ -233,6 +233,27 @@ AC_DEFUN([DOVECOT_SSL], [ + AC_CHECK_LIB(ssl, ECDSA_SIG_set0, [ + AC_DEFINE(HAVE_ECDSA_SIG_SET0,, [Build with ECDSA_SIG_set0 support]) + ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, OSSL_PROVIDER_try_load, [ ++ AC_DEFINE(HAVE_OSSL_PROVIDER_try_load,, [Build with OSSL_PROVIDER_try_load support]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, OPENSSL_init_ssl, [ ++ AC_DEFINE(HAVE_OPENSSL_init_ssl,, [Build with OPENSSL_init_ssl support]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, OPENSSL_cleanup, [ ++ AC_DEFINE(HAVE_OPENSSL_cleanup,, [OpenSSL supports OPENSSL_cleanup()]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, OPENSSL_thread_stop, [ ++ AC_DEFINE(HAVE_OPENSSL_thread_stop,, [OpenSSL supports OPENSSL_thread_stop()]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, ERR_remove_thread_state, [ ++ AC_DEFINE(HAVE_ERR_remove_thread_state,, [OpenSSL supports ERR_remove_thread_state()]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, ERR_remove_state, [ ++ AC_DEFINE(HAVE_ERR_remove_state,, [OpenSSL supports ERR_remove_state()]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, ENGINE_by_id_DISABLED, [ ++ AC_DEFINE(HAVE_ENGINE_by_id,, [OpenSSL supports ENGINE_by_id() - !!!EXPLICITELY DISABLED!!! 
]) ++ ],, $SSL_LIBS) + AC_CHECK_LIB(ssl, EC_GROUP_order_bits, [ + AC_DEFINE(HAVE_EC_GROUP_order_bits,, [Build with EC_GROUP_order_bits support]) + ],, $SSL_LIBS) +diff -up dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c +--- dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine 2023-09-14 15:17:46.000000000 +0200 ++++ dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c 2024-05-06 17:39:59.363886901 +0200 +@@ -3,13 +3,23 @@ + #include "lib.h" + #include "randgen.h" + #include "dovecot-openssl-common.h" ++#include "iostream-openssl.h" + + #include +-#include ++#include ++#ifdef HAVE_OSSL_PROVIDER_try_load ++# include ++#else ++# include ++#endif + #include + + static int openssl_init_refcount = 0; +-static ENGINE *dovecot_openssl_engine; ++#ifdef HAVE_OSSL_PROVIDER_try_load ++static OSSL_PROVIDER *dovecot_openssl_engine = NULL; ++#else ++static ENGINE *dovecot_openssl_engine = NULL; ++#endif + + #ifdef HAVE_SSL_NEW_MEM_FUNCS + static void *dovecot_openssl_malloc(size_t size, const char *u0 ATTR_UNUSED, int u1 ATTR_UNUSED) +@@ -17,12 +27,14 @@ static void *dovecot_openssl_malloc(size + static void *dovecot_openssl_malloc(size_t size) + #endif + { ++ if (size == 0) ++ return NULL; + /* this may be performance critical, so don't use + i_malloc() or calloc() */ + void *mem = malloc(size); +- if (mem == NULL) { ++ if (unlikely(mem == NULL)) { + i_fatal_status(FATAL_OUTOFMEM, +- "OpenSSL: malloc(%zu): Out of memory", size); ++ "OpenSSL: malloc(%zu): Out of memory", size); + } + return mem; + } +@@ -33,10 +45,14 @@ static void *dovecot_openssl_realloc(voi + static void *dovecot_openssl_realloc(void *ptr, size_t size) + #endif + { ++ if (size == 0) { ++ free(ptr); ++ return NULL; ++ } + void *mem = realloc(ptr, size); +- if (mem == NULL) { ++ if (unlikely(mem == NULL)) { + i_fatal_status(FATAL_OUTOFMEM, +- "OpenSSL: realloc(%zu): Out of memory", size); ++ "OpenSSL: 
realloc(%zu): Out of memory", size); + } + return mem; + } +@@ -63,9 +79,13 @@ void dovecot_openssl_common_global_ref(v + /*i_warning("CRYPTO_set_mem_functions() was called too late");*/ + } + ++#ifdef HAVE_OPENSSL_init_ssl ++ OPENSSL_init_ssl(0, NULL); ++#else + SSL_library_init(); + SSL_load_error_strings(); + OpenSSL_add_all_algorithms(); ++#endif + } + + bool dovecot_openssl_common_global_unref(void) +@@ -76,30 +96,35 @@ bool dovecot_openssl_common_global_unref + return TRUE; + + if (dovecot_openssl_engine != NULL) { ++#ifdef HAVE_OSSL_PROVIDER_try_load ++ OSSL_PROVIDER_unload(dovecot_openssl_engine); ++#else + ENGINE_finish(dovecot_openssl_engine); ++#endif + dovecot_openssl_engine = NULL; + } ++#ifdef HAVE_OPENSSL_cleanup ++ OPENSSL_cleanup(); ++#else + /* OBJ_cleanup() is called automatically by EVP_cleanup() in + newer versions. Doesn't hurt to call it anyway. */ + OBJ_cleanup(); +-#ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS ++# if !defined(OPENSSL_NO_COMP) + SSL_COMP_free_compression_methods(); +-#endif ++# endif + ENGINE_cleanup(); + EVP_cleanup(); + CRYPTO_cleanup_all_ex_data(); +-#ifdef HAVE_OPENSSL_AUTO_THREAD_DEINIT ++# ifdef HAVE_OPENSSL_thread_stop + /* no cleanup needed */ +-#elif defined(HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE) ++# elif defined(HAVE_ERR_remove_thread_state) + /* This was marked as deprecated in v1.1. */ + ERR_remove_thread_state(NULL); +-#else ++# elif defined(HAVE_ERR_remove_state) + /* This was deprecated by ERR_remove_thread_state(NULL) in v1.0.0. 
*/ + ERR_remove_state(0); +-#endif ++# endif + ERR_free_strings(); +-#ifdef HAVE_OPENSSL_CLEANUP +- OPENSSL_cleanup(); + #endif + return FALSE; + } +@@ -110,6 +135,7 @@ int dovecot_openssl_common_global_set_en + if (dovecot_openssl_engine != NULL) + return 1; + ++#ifdef HAVE_ENGINE_by_id + ENGINE_load_builtin_engines(); + dovecot_openssl_engine = ENGINE_by_id(engine); + if (dovecot_openssl_engine == NULL) { +@@ -128,5 +154,15 @@ int dovecot_openssl_common_global_set_en + dovecot_openssl_engine = NULL; + return -1; + } ++#elif defined(HAVE_OSSL_PROVIDER_try_load) ++ if ((dovecot_openssl_engine = OSSL_PROVIDER_try_load(NULL, engine, 1)) == NULL) { ++ *error_r = t_strdup_printf("Cannot load '%s': %s", engine, ++ openssl_iostream_error()); ++ return 0; ++ } ++ return 1; ++#else ++ *error_r = t_strdup_printf("Cannot load '%s': No engine/provider support available", engine); ++#endif + return 1; + } +diff -up dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am +--- dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine 2023-09-14 15:17:46.000000000 +0200 ++++ dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am 2024-05-06 17:39:59.363886901 +0200 +@@ -5,7 +5,8 @@ NOPLUGIN_LDFLAGS = + AM_CPPFLAGS = \ + -I$(top_srcdir)/src/lib \ + -I$(top_srcdir)/src/lib-test \ +- -DMODULE_DIR=\""$(moduledir)"\" ++ -DMODULE_DIR=\""$(moduledir)"\" \ ++ $(SSL_CFLAGS) + + if BUILD_OPENSSL + module_LTLIBRARIES = libssl_iostream_openssl.la diff --git a/SOURCES/dovecot-2.3.21-test-socket-path.patch b/dovecot-2.3.21-test-socket-path.patch similarity index 100% rename from SOURCES/dovecot-2.3.21-test-socket-path.patch rename to dovecot-2.3.21-test-socket-path.patch diff --git a/SOURCES/dovecot-2.3.21.1-CVE-2024-23184.patch b/dovecot-2.3.21.1-CVE-2024-23184.patch similarity index 100% rename from SOURCES/dovecot-2.3.21.1-CVE-2024-23184.patch rename to dovecot-2.3.21.1-CVE-2024-23184.patch 
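Review bot: In the added `#else` branch of `dovecot_openssl_common_global_set_engine`, the function stores "No engine/provider support available" in `*error_r` and then falls through to the shared `return 1;`, so a build with neither API reports success for a crypto device that was never loaded. The m4 hunk probes `ENGINE_by_id_DISABLED`, which presumably never resolves, so `HAVE_ENGINE_by_id` stays undefined and this fallback is what any build without `OSSL_PROVIDER_try_load` gets. The provider branch returns 0 with `*error_r` set when loading fails; the fallback should match it by adding `return 0;` right after the `t_strdup_printf()` line. The callers are outside this patch, so how they treat 0 versus -1 should be confirmed. A short comment next to the m4 check saying the non-existent symbol name is deliberate would also save the next maintainer from "fixing" it.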
diff --git a/SOURCES/dovecot-2.3.21.1-CVE-2024-23185.patch b/dovecot-2.3.21.1-CVE-2024-23185.patch similarity index 82% rename from SOURCES/dovecot-2.3.21.1-CVE-2024-23185.patch rename to dovecot-2.3.21.1-CVE-2024-23185.patch index 5d70e5d..794425a 100644 --- a/SOURCES/dovecot-2.3.21.1-CVE-2024-23185.patch +++ b/dovecot-2.3.21.1-CVE-2024-23185.patch @@ -1,7 +1,20 @@ -diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-header-parser.c ---- dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200 -+++ dovecot-2.3.16/src/lib-mail/message-header-parser.c 2024-08-20 23:29:25.214183880 +0200 -@@ -17,6 +17,9 @@ struct message_header_parser_ctx { +From f020e139c519121d9630a966310ea8e100ee33b7 Mon Sep 17 00:00:00 2001 +From: Marco Bettini +Date: Fri, 12 Apr 2024 15:06:43 +0000 +Subject: [PATCH 1/2] lib-mail: message-header-parser - Limit header block to + 10MB by default + +--- + src/lib-mail/message-header-parser.c | 48 ++++++++++++---- + src/lib-mail/message-header-parser.h | 10 ++++ + src/lib-mail/test-message-header-parser.c | 67 +++++++++++++++++++++++ + 3 files changed, 114 insertions(+), 11 deletions(-) + +diff --git a/src/lib-mail/message-header-parser.c b/src/lib-mail/message-header-parser.c +index c5026f1bb7..5e020bbeb3 100644 +--- a/src/lib-mail/message-header-parser.c ++++ b/src/lib-mail/message-header-parser.c +@@ -21,6 +21,9 @@ struct message_header_parser_ctx { string_t *name; buffer_t *value_buf; @@ -11,7 +24,7 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dove enum message_header_parser_flags flags; bool skip_line:1; bool has_nuls:1; -@@ -34,6 +37,7 @@ message_parse_header_init(struct istream +@@ -38,6 +41,7 @@ message_parse_header_init(struct istream *input, struct message_size *hdr_size, ctx->name = str_new(default_pool, 128); ctx->flags = flags; ctx->value_buf = buffer_create_dynamic(default_pool, 4096); 
@@ -19,7 +32,7 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dove i_stream_ref(input); if (hdr_size != NULL) -@@ -41,6 +45,21 @@ message_parse_header_init(struct istream +@@ -45,6 +49,21 @@ message_parse_header_init(struct istream *input, struct message_size *hdr_size, return ctx; } @@ -41,7 +54,7 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dove void message_parse_header_deinit(struct message_header_parser_ctx **_ctx) { struct message_header_parser_ctx *ctx = *_ctx; -@@ -73,6 +92,7 @@ int message_parse_header_next(struct mes +@@ -77,6 +96,7 @@ int message_parse_header_next(struct message_header_parser_ctx *ctx, /* new header line */ line->name_offset = ctx->input->v_offset; colon_pos = UINT_MAX; @@ -49,8 +62,8 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dove buffer_set_used_size(ctx->value_buf, 0); } -@@ -326,33 +346,39 @@ int message_parse_header_next(struct mes - line->middle = str_data(ctx->name) + line->name_len + 1; +@@ -342,33 +362,39 @@ int message_parse_header_next(struct message_header_parser_ctx *ctx, + } } + line->value_len = I_MIN(line->value_len, ctx->header_block_max_size); @@ -100,9 +113,10 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dove line->full_value = ctx->value_buf->data; line->full_value_len = ctx->value_buf->used; } else { -diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.h.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-header-parser.h ---- dovecot-2.3.16/src/lib-mail/message-header-parser.h.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200 -+++ dovecot-2.3.16/src/lib-mail/message-header-parser.h 2024-08-20 22:55:36.530652449 +0200 +diff --git a/src/lib-mail/message-header-parser.h b/src/lib-mail/message-header-parser.h +index ce0825c8e5..43cf95e56a 100644 +--- a/src/lib-mail/message-header-parser.h ++++ b/src/lib-mail/message-header-parser.h 
@@ -1,6 +1,9 @@ #ifndef MESSAGE_HEADER_PARSER_H #define MESSAGE_HEADER_PARSER_H @@ -113,7 +127,7 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.h.CVE-2024-23185 dove #define IS_LWSP(c) \ ((c) == ' ' || (c) == '\t') -@@ -48,6 +51,13 @@ message_parse_header_init(struct istream +@@ -48,6 +51,13 @@ message_parse_header_init(struct istream *input, struct message_size *hdr_size, enum message_header_parser_flags flags) ATTR_NULL(2); void message_parse_header_deinit(struct message_header_parser_ctx **ctx); 
@@ -127,85 +141,11 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.h.CVE-2024-23185 dove /* Read and return next header line. Returns 1 if header is returned, 0 if input stream is non-blocking and more data needs to be read, -1 when all is done or error occurred (see stream's error status). */ -diff -up dovecot-2.3.16/src/lib-mail/message-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-parser.c ---- dovecot-2.3.16/src/lib-mail/message-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200 -+++ dovecot-2.3.16/src/lib-mail/message-parser.c 2024-08-20 22:55:36.531652458 +0200 -@@ -617,7 +617,18 @@ static int parse_next_header(struct mess - } - if (ret < 0) { - /* no boundary */ -+ size_t headers_available = -+ ctx->all_headers_max_size > ctx->all_headers_total_size ? -+ ctx->all_headers_max_size - ctx->all_headers_total_size : 0; -+ message_parse_header_lower_limit(ctx->hdr_parser_ctx, headers_available); - ret = message_parse_header_next(ctx->hdr_parser_ctx, &hdr); -+ if (ret > 0) { -+ if (!hdr->continues) { -+ ctx->all_headers_total_size += hdr->name_len; -+ ctx->all_headers_total_size += hdr->middle_len; -+ } -+ ctx->all_headers_total_size += hdr->value_len; -+ } - if (ret == 0 || (ret < 0 && ctx->input->stream_errno != 0)) { - ctx->want_count = i_stream_get_data_size(ctx->input) + 1; - return ret; -@@ -762,6 +773,9 @@ message_parser_init_int(struct istream * - ctx->max_total_mime_parts = set->max_total_mime_parts != 0 ? - set->max_total_mime_parts : - MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS; -+ ctx->all_headers_max_size = set->all_headers_max_size != 0 ? 
-+ set->all_headers_max_size : -+ MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE; - ctx->input = input; - i_stream_ref(input); - return ctx; -@@ -779,6 +793,7 @@ message_parser_init(pool_t part_pool, st - ctx->next_part = &ctx->part->children; - ctx->parse_next_block = parse_next_header_init; - ctx->total_parts_count = 1; -+ ctx->all_headers_total_size = 0; - i_array_init(&ctx->next_part_stack, 4); - return ctx; - } -diff -up dovecot-2.3.16/src/lib-mail/message-parser.h.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-parser.h ---- dovecot-2.3.16/src/lib-mail/message-parser.h.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200 -+++ dovecot-2.3.16/src/lib-mail/message-parser.h 2024-08-20 22:55:36.531652458 +0200 -@@ -19,6 +19,7 @@ enum message_parser_flags { - - #define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100 - #define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000 -+#define MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE ((size_t) 50 * 1024*1024) - - struct message_parser_settings { - enum message_header_parser_flags hdr_flags; -@@ -30,6 +31,11 @@ struct message_parser_settings { - /* Maximum MIME parts in total. - 0 = MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS. 
*/ - unsigned int max_total_mime_parts; -+ -+ /* Maximum bytes fore headers in top header plus all -+ MIME sections headers -+ 0 = MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE */ -+ size_t all_headers_max_size; - }; - - struct message_parser_ctx; -diff -up dovecot-2.3.16/src/lib-mail/message-parser-private.h.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-parser-private.h ---- dovecot-2.3.16/src/lib-mail/message-parser-private.h.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200 -+++ dovecot-2.3.16/src/lib-mail/message-parser-private.h 2024-08-20 22:55:36.531652458 +0200 -@@ -30,6 +30,8 @@ struct message_parser_ctx { - enum message_parser_flags flags; - unsigned int max_nested_mime_parts; - unsigned int max_total_mime_parts; -+ size_t all_headers_max_size; -+ size_t all_headers_total_size; - - char *last_boundary; - struct message_boundary *boundaries; -diff -up dovecot-2.3.16/src/lib-mail/test-message-header-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/test-message-header-parser.c ---- dovecot-2.3.16/src/lib-mail/test-message-header-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200 -+++ dovecot-2.3.16/src/lib-mail/test-message-header-parser.c 2024-08-20 23:23:18.169196280 +0200 -@@ -332,6 +332,71 @@ static void test_message_header_parser_n +diff --git a/src/lib-mail/test-message-header-parser.c b/src/lib-mail/test-message-header-parser.c +index 700d3413f1..93d8842002 100644 +--- a/src/lib-mail/test-message-header-parser.c ++++ b/src/lib-mail/test-message-header-parser.c +@@ -463,6 +463,71 @@ static void test_message_header_parser_extra_crlf_in_name(void) test_end(); } 
@@ -277,18 +217,112 @@ diff -up dovecot-2.3.16/src/lib-mail/test-message-header-parser.c.CVE-2024-23185 int main(void) { static void (*const test_functions[])(void) = { -@@ -341,6 +406,8 @@ int main(void) - test_message_header_parser_extra_cr_in_eoh, +@@ -473,6 +538,8 @@ int main(void) test_message_header_parser_no_eoh, test_message_header_parser_nul, + test_message_header_parser_extra_crlf_in_name, + test_message_header_truncation_flag0, + test_message_header_truncation_clean_oneline, NULL }; return test_run(test_functions); -diff -up dovecot-2.3.16/src/lib-mail/test-message-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/test-message-parser.c ---- dovecot-2.3.16/src/lib-mail/test-message-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200 -+++ dovecot-2.3.16/src/lib-mail/test-message-parser.c 2024-08-20 22:55:36.531652458 +0200 + +From ce88c33abc37e408592eff70aeefa28f803effb9 Mon Sep 17 00:00:00 2001 +From: Marco Bettini +Date: Wed, 24 Apr 2024 10:45:46 +0000 +Subject: [PATCH 2/2] lib-mail: message-parser - Limit headers total count to + 50MB by default + +(including top headers and all mime-sections headers) +--- + src/lib-mail/message-parser-private.h | 2 + + src/lib-mail/message-parser.c | 15 +++ + src/lib-mail/message-parser.h | 6 + + src/lib-mail/test-message-parser.c | 154 ++++++++++++++++++++++++++ + 4 files changed, 177 insertions(+) + +diff --git a/src/lib-mail/message-parser-private.h b/src/lib-mail/message-parser-private.h +index 41c32daf3a..8b362a9e71 100644 +--- a/src/lib-mail/message-parser-private.h ++++ b/src/lib-mail/message-parser-private.h +@@ -30,6 +30,8 @@ struct message_parser_ctx { + enum message_parser_flags flags; + unsigned int max_nested_mime_parts; + unsigned int max_total_mime_parts; ++ size_t all_headers_max_size; ++ size_t all_headers_total_size; + + char *last_boundary; + struct message_boundary *boundaries; +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 9a9c9a3515..c7e3b1e96a 100644 
+--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -617,7 +617,18 @@ static int parse_next_header(struct message_parser_ctx *ctx, + } + if (ret < 0) { + /* no boundary */ ++ size_t headers_available = ++ ctx->all_headers_max_size > ctx->all_headers_total_size ? ++ ctx->all_headers_max_size - ctx->all_headers_total_size : 0; ++ message_parse_header_lower_limit(ctx->hdr_parser_ctx, headers_available); + ret = message_parse_header_next(ctx->hdr_parser_ctx, &hdr); ++ if (ret > 0) { ++ if (!hdr->continues) { ++ ctx->all_headers_total_size += hdr->name_len; ++ ctx->all_headers_total_size += hdr->middle_len; ++ } ++ ctx->all_headers_total_size += hdr->value_len; ++ } + if (ret == 0 || (ret < 0 && ctx->input->stream_errno != 0)) { + ctx->want_count = i_stream_get_data_size(ctx->input) + 1; + return ret; +@@ -762,6 +773,9 @@ message_parser_init_int(struct istream *input, + ctx->max_total_mime_parts = set->max_total_mime_parts != 0 ? + set->max_total_mime_parts : + MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS; ++ ctx->all_headers_max_size = set->all_headers_max_size != 0 ? 
++ set->all_headers_max_size : ++ MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE; + ctx->input = input; + i_stream_ref(input); + return ctx; +@@ -779,6 +793,7 @@ message_parser_init(pool_t part_pool, struct istream *input, + ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; + ctx->total_parts_count = 1; ++ ctx->all_headers_total_size = 0; + i_array_init(&ctx->next_part_stack, 4); + return ctx; + } +diff --git a/src/lib-mail/message-parser.h b/src/lib-mail/message-parser.h +index f19e526284..8d70d73f05 100644 +--- a/src/lib-mail/message-parser.h ++++ b/src/lib-mail/message-parser.h +@@ -19,6 +19,7 @@ enum message_parser_flags { + + #define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100 + #define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000 ++#define MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE ((size_t) 50 * 1024*1024) + + struct message_parser_settings { + enum message_header_parser_flags hdr_flags; +@@ -30,6 +31,11 @@ struct message_parser_settings { + /* Maximum MIME parts in total. + 0 = MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS. */ + unsigned int max_total_mime_parts; ++ ++ /* Maximum bytes fore headers in top header plus all ++ MIME sections headers ++ 0 = MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE */ ++ size_t all_headers_max_size; + }; + + struct message_parser_ctx; +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 663bfe8c5a..b6bada2303 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c @@ -1369,6 +1369,158 @@ static const char input_msg[] = test_end(); } diff --git a/SOURCES/dovecot-2.3.6-opensslhmac.patch b/dovecot-2.3.6-opensslhmac.patch similarity index 84% rename from SOURCES/dovecot-2.3.6-opensslhmac.patch rename to dovecot-2.3.6-opensslhmac.patch index ba6453b..aaee6f1 100644 --- a/SOURCES/dovecot-2.3.6-opensslhmac.patch +++ b/dovecot-2.3.6-opensslhmac.patch 
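Review bot: The new field comment in `struct message_parser_settings` reads "Maximum bytes fore headers" and does not say how the bytes are counted or what happens once the budget is used up. In `parse_next_header` only `name_len`, `middle_len` and `value_len` are added to `all_headers_total_size`, so line terminators appear not to be charged against the limit, and the remaining budget handed to `message_parse_header_lower_limit()` drops to 0 once the total reaches the cap. I would reword the comment to `/* Maximum bytes for headers in the top-level header block plus all MIME part headers, counted as name + middle + value lengths. 0 = MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE */` and add one sentence on the behaviour at the limit once it is confirmed against `message_parse_header_next()`, whose body is outside this hunk.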
@@ -1,6 +1,6 @@ -diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/auth/auth-token.c ---- dovecot-2.3.14/src/auth/auth-token.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/auth/auth-token.c 2021-03-22 20:44:13.022912242 +0100 +diff -up dovecot-2.3.18/src/auth/auth-token.c.opensslhmac dovecot-2.3.18/src/auth/auth-token.c +--- dovecot-2.3.18/src/auth/auth-token.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/auth/auth-token.c 2022-02-09 09:27:15.887883359 +0100 @@ -161,17 +161,17 @@ void auth_token_deinit(void) const char *auth_token_get(const char *service, const char *session_pid, const char *username, const char *session_id) @@ -26,9 +26,9 @@ diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/aut return binary_to_hex(result, sizeof(result)); } -diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/auth/mech-cram-md5.c ---- dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/auth/mech-cram-md5.c 2021-03-22 20:44:13.022912242 +0100 +diff -up dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.18/src/auth/mech-cram-md5.c +--- dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/auth/mech-cram-md5.c 2022-02-09 09:27:15.887883359 +0100 @@ -51,7 +51,7 @@ static bool verify_credentials(struct cr { 
@@ -52,10 +52,10 @@ diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/ response_hex = binary_to_hex(digest, sizeof(digest)); -diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/auth/mech-scram.c ---- dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/auth/mech-scram.c 2021-03-22 20:44:13.022912242 +0100 -@@ -78,7 +78,7 @@ static const char *get_scram_server_firs +diff -up dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac dovecot-2.3.18/src/auth/mech-scram.c +--- dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/auth/mech-scram.c 2022-02-09 09:31:50.927146858 +0100 +@@ -93,7 +93,7 @@ get_scram_server_first(struct scram_auth static const char *get_scram_server_final(struct scram_auth_request *request) { const struct hash_method *hmethod = request->hash_method; @@ -64,7 +64,7 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut const char *auth_message; unsigned char server_signature[hmethod->digest_size]; string_t *str; -@@ -87,9 +87,9 @@ static const char *get_scram_server_fina +@@ -109,9 +109,9 @@ static const char *get_scram_server_fina request->server_first_message, ",", request->client_final_message_without_proof, NULL); @@ -75,9 +75,9 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut + openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); + openssl_hmac_final(&ctx, server_signature); - str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature))); - str_append(str, "v="); -@@ -228,7 +228,7 @@ static bool parse_scram_client_first(str + /* RFC 5802, Section 7: + +@@ -292,7 +292,7 @@ parse_scram_client_first(struct scram_au static bool verify_credentials(struct scram_auth_request *request) { const struct hash_method *hmethod = request->hash_method; 
@@ -86,7 +86,7 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut const char *auth_message; unsigned char client_key[hmethod->digest_size]; unsigned char client_signature[hmethod->digest_size]; -@@ -239,9 +239,9 @@ static bool verify_credentials(struct sc +@@ -310,9 +310,9 @@ static bool verify_credentials(struct sc request->server_first_message, ",", request->client_final_message_without_proof, NULL); @@ -97,11 +97,11 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut + openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); + openssl_hmac_final(&ctx, client_signature); + /* ClientProof := ClientKey XOR ClientSignature */ const unsigned char *proof_data = request->proof->data; - for (i = 0; i < sizeof(client_signature); i++) -diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme.c ---- dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/auth/password-scheme.c 2021-03-22 20:44:13.022912242 +0100 +diff -up dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme.c +--- dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/auth/password-scheme.c 2022-02-09 09:27:15.888883345 +0100 @@ -639,11 +639,11 @@ static void cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, const unsigned char **raw_password_r, size_t *size_r) 
@@ -116,9 +116,9 @@ diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/sr strlen(plaintext), &hash_method_md5); hmac_md5_get_cram_context(&ctx, context_digest); -diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme-scram.c ---- dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/auth/password-scheme-scram.c 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme-scram.c +--- dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/auth/password-scheme-scram.c 2022-02-09 09:27:15.888883345 +0100 @@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co const unsigned char *salt, size_t salt_size, unsigned int i, unsigned char *result) @@ -208,9 +208,9 @@ diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3 str_append_c(str, ','); base64_encode(server_key, sizeof(server_key), str); -diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c ---- dovecot-2.3.14/src/lib/hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/hmac.c 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c +--- dovecot-2.3.18/src/lib/hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/hmac.c 2022-02-09 09:27:15.888883345 +0100 @@ -7,6 +7,10 @@ * This software is released under the MIT license. */ 
@@ -388,16 +388,16 @@ diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c /* salt and info can be NULL */ i_assert(salt != NULL || salt_len == 0); -@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method +@@ -118,35 +192,36 @@ void hmac_hkdf(const struct hash_method i_assert(ikm != NULL && ikm_len > 0); i_assert(okm_r != NULL && okm_len > 0); -- /* but they still need valid pointer, reduces -- complains from static analysers */ -- if (salt == NULL) -- salt = &uchar_nul; -- if (info == NULL) -- info = &uchar_nul; + /* but they still need valid pointer, reduces + complains from static analysers */ + if (salt == NULL) + salt = &uchar_nul; + if (info == NULL) + info = &uchar_nul; - - /* extract */ - hmac_init(&key_mac, salt, salt_len, method); @@ -448,9 +448,9 @@ diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c - safe_memset(prk, 0, sizeof(prk)); - safe_memset(okm, 0, sizeof(okm)); } -diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.c ---- dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/hmac-cram-md5.c 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.c +--- dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/hmac-cram-md5.c 2022-02-09 09:27:15.888883345 +0100 @@ -9,10 +9,10 @@ #include "md5.h" #include "hmac-cram-md5.h" 
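Review bot: The inner hmac.c hunk for `hmac_hkdf` still drops `safe_memset(prk, 0, sizeof(prk));` and `safe_memset(okm, 0, sizeof(okm));` at the end of the function, while this rebase only turns the `salt = &uchar_nul` / `info = &uchar_nul` substitution back into context. The replacement body is not visible in this diff, so I cannot tell whether the OpenSSL-based path still stages the pseudorandom key or the output keying material in a local buffer. If it does, the wipe should stay before the function returns; if it writes straight into `okm_r`, a one-line comment such as `/* no intermediate key material is kept in locals */` would make the removal reviewable.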
@@ -477,9 +477,9 @@ diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/l const unsigned char *cdp; struct md5_context *ctx = (void*)hmac_ctx->ctx; -diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.h ---- dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/hmac-cram-md5.h 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.h +--- dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/hmac-cram-md5.h 2022-02-09 09:27:15.888883345 +0100 @@ -5,9 +5,9 @@ #define CRAM_MD5_CONTEXTLEN 32 @@ -492,9 +492,9 @@ diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/l const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); -diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h ---- dovecot-2.3.14/src/lib/hmac.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/hmac.h 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h +--- dovecot-2.3.18/src/lib/hmac.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/hmac.h 2022-02-09 09:27:15.888883345 +0100 @@ -4,60 +4,97 @@ #include "hash-method.h" #include "sha1.h" 
@@ -606,9 +606,9 @@ diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h okm_buffer, okm_len); return okm_buffer; } -diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c ---- dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c +--- dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c 2022-02-09 09:27:15.888883345 +0100 @@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], size_t *token_len_r) @@ -629,10 +629,10 @@ diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot- *token_len_r = SHA1_RESULTLEN + 1; return token; -diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/Makefile.am ---- dovecot-2.3.14/src/lib/Makefile.am.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/Makefile.am 2021-03-22 20:44:13.023912229 +0100 -@@ -352,6 +352,9 @@ headers = \ +diff -up dovecot-2.3.18/src/lib/Makefile.am.opensslhmac dovecot-2.3.18/src/lib/Makefile.am +--- dovecot-2.3.18/src/lib/Makefile.am.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/Makefile.am 2022-02-09 09:27:15.889883331 +0100 +@@ -354,6 +354,9 @@ headers = \ wildcard-match.h \ write-full.h 
@@ -642,10 +642,10 @@ diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/M test_programs = test-lib noinst_PROGRAMS = $(test_programs) -diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c ---- dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c 2021-03-22 20:44:13.024912217 +0100 -@@ -106,14 +106,14 @@ oauth2_validate_hmac(const struct oauth2 +diff -up dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c +--- dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100 +@@ -144,14 +144,14 @@ oauth2_validate_hmac(const struct oauth2 if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0) return -1; @@ -666,10 +666,10 @@ diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/s buffer_t *their_digest = t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]); -diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c ---- dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c 2021-03-22 20:46:09.524440794 +0100 -@@ -236,7 +236,7 @@ static void save_key_to(const char *algo +diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c +--- dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100 +@@ -248,7 +248,7 @@ static void save_key_azp_to(const char * static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); 
@@ -678,7 +678,7 @@ diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -@@ -246,7 +246,7 @@ static void sign_jwt_token_hs256(buffer_ +@@ -258,7 +258,7 @@ static void sign_jwt_token_hs256(buffer_ static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); @@ -687,7 +687,7 @@ diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -@@ -256,7 +256,7 @@ static void sign_jwt_token_hs384(buffer_ +@@ -268,7 +268,7 @@ static void sign_jwt_token_hs384(buffer_ static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); @@ -696,9 +696,9 @@ diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5.c ---- dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/pkcs5.c 2021-03-22 20:44:13.024912217 +0100 +diff -up dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac dovecot-2.3.18/src/lib/pkcs5.c +--- dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/pkcs5.c 2022-02-09 09:27:15.889883331 +0100 @@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */ unsigned char dk[l * hash->digest_size]; 
@@ -733,9 +733,9 @@ diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5 for(i = 0; i < hash->digest_size; i++) block[i] ^= U_c[i]; } -diff -up dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac dovecot-2.3.14/src/lib/test-hmac.c ---- dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/test-hmac.c 2021-03-22 20:44:13.024912217 +0100 +diff -up dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac dovecot-2.3.18/src/lib/test-hmac.c +--- dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/test-hmac.c 2022-02-09 09:27:15.889883331 +0100 @@ -206,11 +206,11 @@ static void test_hmac_rfc(void) test_begin("hmac sha256 rfc4231 vectors"); for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { diff --git a/dovecot-configure-c99.patch b/dovecot-configure-c99.patch new file mode 100644 index 0000000..17a49fe --- /dev/null +++ b/dovecot-configure-c99.patch @@ -0,0 +1,25 @@ +m4: crypt_xxpg6.m4: Define _DEFAULT_SOURCE for current glibc + +Current glibc no longer implements the CRYPT extension, so it does not +declare crypt in in strict standard modes. The check +defines _XOPEN_SOURCE, which enables one of these modes. Defining +_DEFAULT_SOURCE as well again makes available the crypt function +prototype. + +This avoids a configure check result change with compilers which do +not support implicit function declarations. + +Submitted upstream: + +diff --git a/m4/crypt_xpg6.m4 b/m4/crypt_xpg6.m4 +index 0085b2ac76..3a288a3713 100644 +--- a/m4/crypt_xpg6.m4 ++++ b/m4/crypt_xpg6.m4 +@@ -6,6 +6,7 @@ AC_DEFUN([DOVECOT_CRYPT_XPG6], [ + #define _XOPEN_SOURCE 4 + #define _XOPEN_SOURCE_EXTENDED 1 + #define _XOPEN_VERSION 4 ++ #define _DEFAULT_SOURCE + #define _XPG4_2 + #define _XPG6 + #include diff --git a/SOURCES/dovecot.conf.5 b/dovecot.conf.5 similarity index 100% rename from SOURCES/dovecot.conf.5 rename to dovecot.conf.5 
diff --git a/SOURCES/dovecot.init b/dovecot.init similarity index 100% rename from SOURCES/dovecot.init rename to dovecot.init diff --git a/SOURCES/dovecot.pam b/dovecot.pam similarity index 100% rename from SOURCES/dovecot.pam rename to dovecot.pam diff --git a/SPECS/dovecot.spec b/dovecot.spec similarity index 83% rename from SPECS/dovecot.spec rename to dovecot.spec index 466f723..6621c76 100644 --- a/SPECS/dovecot.spec +++ b/dovecot.spec @@ -1,26 +1,28 @@ %global __provides_exclude_from %{_docdir} %global __requires_exclude_from %{_docdir} + Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.16 +Version: 2.3.21 %global prever %{nil} -Release: 7%{?dist} +Release: 16%{?dist}.1 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 -License: MIT and LGPLv2 -Group: System Environment/Daemons +License: MIT AND LGPL-2.1-only -URL: http://www.dovecot.org/ -Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz +URL: https://www.dovecot.org/ +Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.16 -Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz +%global pigeonholever 0.5.21 +Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd #our own Source14: dovecot.conf.5 +Source15: prestartscript +Source16: dovecot.sysusers # 3x Fedora/RHEL specific Patch1: dovecot-2.0-defaultconfig.patch 
@@ -32,80 +34,86 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch - -# sent upstream, rhbz#1630380 -Patch11: dovecot-2.2.36-aclfix.patch - -Patch13: dovecot-2.2.36-bigkey.patch +Patch15: dovecot-2.3.11-bigkey.patch # do not use own implementation of HMAC, use OpenSSL for certification purposes # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces # hard to break circular dependency between lib and lib-dcrypt -Patch14: dovecot-2.3.6-opensslhmac.patch +Patch16: dovecot-2.3.6-opensslhmac.patch -# from upstream, for dovecot < 2.3.17, s390x FTBFS fix -Patch15: dovecot-2.3.16-ftbfsbigend.patch -Patch16: dovecot-2.3.16-keeplzma.patch +# FTBFS +Patch17: dovecot-2.3.15-fixvalcond.patch +Patch18: dovecot-2.3.15-valbasherr.patch +Patch20: dovecot-2.3.14-opensslv3.patch +Patch21: dovecot-2.3.19.1-7bad6a24.patch +Patch22: dovecot-configure-c99.patch -# from upstream, for <= 2.3.19.1, rhbz#2106232 -Patch17: dovecot-2.3.19.1-7bad6a24.patch +# Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes +Patch23: dovecot-2.3.20-nolibotp.patch -# from upstream, for < 2.3.19.1, rhbz#2128857 -Patch18: dovecot-2.3.18-9f300239..4596d399.patch -Patch19: dovecot-2.3.18-bdf447e4.patch +# adapted from 2.4 dovecot, issue #RHEL-33733 +Patch24: dovecot-2.3.21-noengine.patch -# from upstream, for < 2.3.21, RHEL-22854 -Patch20: dovecot-2.3.16-d7705bc6.patch - -# from upstream for < 2.3.21.1, RHEL-55206 -# https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch -Patch21: dovecot-2.3.21.1-CVE-2024-23184.patch - -# from upstream for < 2.3.21.1, RHEL-55219 -# https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch -Patch22: dovecot-2.3.21.1-CVE-2024-23185.patch +# sent upstream, issue #RHEL-52541 +Patch25: dovecot-2.3-ph_optglob.patch +Patch26: dovecot-2.3-ph_scriptcmp.patch # fix test failing due to too long path with all the mock 
path prefixes -Patch23: dovecot-2.3.21-test-socket-path.patch +Patch27: dovecot-2.3.21-test-socket-path.patch -# from upstream for < 2.4.3, RHEL-161630 +# from upstream for < 2.3.21.1, RHEL-55205 +# https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch +Patch28: dovecot-2.3.21.1-CVE-2024-23184.patch + +# from upstream for < 2.3.21.1, RHEL-55218 +# https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch +Patch29: dovecot-2.3.21.1-CVE-2024-23185.patch + +# from upstream for < 2.4.3, RHEL-161625 # https://github.com/dovecot/pigeonhole/commit/54f645225a8a7911d7e16e9d50f170d217b0be95 -Patch24: dovecot-2.3-cve-2026-27858.patch +Patch30: dovecot-2.3-cve-2026-27858.patch -# from upstream for < 2.4.3, RHEL-162282 +# from upstream for < 2.4.3, RHEL-162273 # https://github.com/dovecot/pigeonhole/commit/efb68fac3a9d2d04d38c4ab14dd570cf0c23923c -Patch25: dovecot-2.3-cve-2025-59032.patch +Patch31: dovecot-2.3-cve-2025-59032.patch -# from upstream for < 2.4.3, RHEL-161669 +# from upstream for < 2.4.3, RHEL-161664 # https://github.com/dovecot/core/commit/825bc297f87b856992aa14beac596ec838248210 -Patch26: dovecot-2.3-cve-2026-27857p1of5.patch +Patch32: dovecot-2.3-cve-2026-27857p1of5.patch # https://github.com/dovecot/core/commit/d0f67b52914565a35f3817335ab9633cb291513c -Patch27: dovecot-2.3-cve-2026-27857p2of5.patch +Patch33: dovecot-2.3-cve-2026-27857p2of5.patch # https://github.com/dovecot/core/commit/af1fb4da5c1c5c458dc1d54dee3aefde6d3aa835 -Patch28: dovecot-2.3-cve-2026-27857p3of5.patch +Patch34: dovecot-2.3-cve-2026-27857p3of5.patch # https://github.com/dovecot/core/commit/3435e0d44c131eb1046a84fd83798f1e101b725e -Patch29: dovecot-2.3-cve-2026-27857p4of5.patch +Patch35: dovecot-2.3-cve-2026-27857p4of5.patch # https://github.com/dovecot/pigeonhole/commit/5701db04455ee4d8e927d0b225634780a9b656b4 -Patch30: dovecot-2.3-cve-2026-27857p5of5.patch +Patch36: dovecot-2.3-cve-2026-27857p5of5.patch -Source15: prestartscript - -BuildRequires: openssl-devel, 
pam-devel, zlib-devel, bzip2-devel, libcap-devel +BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel -BuildRequires: postgresql-devel -#BuildRequires: libpq-devel +BuildRequires: libpq-devel BuildRequires: mariadb-connector-c-devel -#BuildRequires: libxcrypt-devel +BuildRequires: libxcrypt-devel BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel BuildRequires: lz4-devel +BuildRequires: libzstd-devel +%if %{?rhel}0 == 0 +BuildRequires: libsodium-devel +BuildRequires: lua-devel +%endif +BuildRequires: libicu-devel +%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38 +BuildRequires: libexttextcat-devel +BuildRequires: clucene-core-devel +%endif BuildRequires: multilib-rpm-config -#BuildRequires: libsodium-devel -#BuildRequires: libexttextcat-devel -#BuildRequires: libstemmer-devel +BuildRequires: flex, bison +BuildRequires: systemd-devel +BuildRequires: systemd-rpm-macros # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV 
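Review bot: The new guard `%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38` around the libexttextcat/clucene BuildRequires can never be true on a Fedora build, because the trailing `0` turns any defined release number into a value of at least ten times itself (37 becomes 0370). The same expression is repeated in the %prep hunk (the fts-lucene `sed`) and in the %configure hunk (`--with-lucene` / `--with-exttextcat`), so those branches are only taken when neither macro is defined. If the intent is "Fedora older than 38", write `%if 0%{?rhel} == 0 && 0%{?fedora} < 38`. If lucene is meant to be off everywhere, as the 2.3.21-3 changelog entry suggests, drop the conditional and keep only the `--without-lucene --without-exttextcat` side so the spec says what it does.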
@@ -116,33 +124,17 @@ Requires: openssl >= 0.9.7f-4 # Package includes an initscript service file, needs to require initscripts package Requires(pre): shadow-utils -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 Requires: systemd Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -%else -Requires: initscripts -Requires(post): chkconfig -Requires(preun): chkconfig initscripts -Requires(postun): initscripts -%endif - -%if %{?fedora}0 > 150 || %{?rhel}0 >60 -#clucene in fedora <=15 and rhel<=6 is too old -BuildRequires: clucene-core-devel -%endif %global ssldir %{_sysconfdir}/pki/%{name} -%if %{?fedora}00%{?rhel} < 6 -%global _initddir %{_initrddir} -BuildRequires: curl-devel expat-devel -%else BuildRequires: libcurl-devel expat-devel -%endif +BuildRequires: make -%global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install +%global restart_flag /run/%{name}/%{name}-restart-after-rpm-install %description Dovecot is an IMAP server for Linux/UNIX-like systems, written with security @@ -154,8 +146,7 @@ The SQL drivers and authentication plug-ins are in their subpackages. %package pigeonhole Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Sieve and managesieve plug-in for dovecot -Group: System Environment/Daemons -License: MIT and LGPLv2 +License: MIT AND LGPL-2.1-only %description pigeonhole This package provides sieve and managesieve plug-in for dovecot LDA. 
@@ -163,21 +154,18 @@ This package provides sieve and managesieve plug-in for dovecot LDA. %package pgsql Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Postgres SQL back end for dovecot -Group: System Environment/Daemons %description pgsql This package provides the Postgres SQL back end for dovecot-auth etc. %package mysql Requires: %{name} = %{epoch}:%{version}-%{release} Summary: MySQL back end for dovecot -Group: System Environment/Daemons %description mysql This package provides the MySQL back end for dovecot-auth etc. %package devel Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Development files for dovecot -Group: Development/Libraries %description devel This package provides the development files for dovecot. 
@@ -193,38 +181,48 @@ mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 6 -p1 -b .waitonline %patch -P 8 -p1 -b .initbysystemd %patch -P 9 -p1 -b .systemd_w_protectsystem -%patch -P 11 -p1 -b .aclfix -%patch -P 13 -p1 -b .bigkey -%patch -P 14 -p1 -b .opensslhmac -%patch -P 15 -p1 -b .ftbfsbigend -%patch -P 16 -p1 -b .keeplzma -%patch -P 17 -p1 -b .7bad6a24 -%patch -P 18 -p1 -b .9f300239..4596d399 -%patch -P 19 -p1 -b .bdf447e4 -%patch -P 20 -p1 -b .d7705bc6 -%patch -P 21 -p1 -b .CVE-2024-23184 -%patch -P 22 -p1 -b .CVE-2024-23185 -%patch -P 23 -p1 -b .test-socket-path -%patch -P 24 -p1 -b .cve-2026-27858 -%patch -P 25 -p1 -b .cve-2025-59032 -%patch -P 26 -p1 -b .cve-2026-27857p1of5 -%patch -P 27 -p1 -b .cve-2026-27857p2of5 -%patch -P 28 -p1 -b .cve-2026-27857p3of5 -%patch -P 29 -p1 -b .cve-2026-27857p4of5 -%patch -P 30 -p1 -b .cve-2026-27857p5of5 +%patch -P 15 -p1 -b .bigkey +%patch -P 16 -p1 -b .opensslhmac +%patch -P 17 -p1 -b .fixvalcond +%patch -P 18 -p1 -b .valbasherr +%patch -P 20 -p1 -b .opensslv3 +%patch -P 21 -p1 -b .7bad6a24 +%patch -P 22 -p1 -b .c99 +%patch -P 23 -p1 -b .nolibotp +%patch -P 24 -p1 -b .noengine +%patch -P 25 -p1 -b .ph_optglob +%patch -P 26 -p1 -b .ph_scriptcmp +%patch -P 27 -p1 -b .test-socket-path +%patch -P 28 -p1 -b .CVE-2024-23184 +%patch -P 29 -p1 -b .CVE-2024-23185 +%patch -P 30 -p1 -b .cve-2026-27858 +%patch -P 31 -p1 -b .cve-2025-59032 +%patch -P 32 -p1 -b .cve-2026-27857p1of5 +%patch -P 33 -p1 -b .cve-2026-27857p2of5 +%patch -P 34 -p1 -b .cve-2026-27857p3of5 +%patch -P 35 -p1 -b .cve-2026-27857p4of5 +%patch -P 36 -p1 -b .cve-2026-27857p5of5 +cp run-test-valgrind.supp dovecot-pigeonhole/ +# valgrind would fail with shell wrapper +echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude +#pushd dovecot-pigeonhole +#popd +%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in +%endif + + +# drop OTP which 
uses SHA1 so we dont use SHA1 for crypto purposes +rm -rf src/lib-otp %build #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules %global _hardened_build 1 export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" -# el6 autoconf too old to regen; use packaged files (#1082384) -%if %{?fedora}00%{?rhel} > 6 mkdir -p m4 autoreconf -I . -fiv #required for aarch64 support -%endif %configure \ INSTALL_DATA="install -c -p -m644" \ --with-rundir=%{_rundir}/%{name} \ @@ -242,17 +240,29 @@ autoreconf -I . -fiv #required for aarch64 support --with-mysql \ --with-sqlite \ --with-zlib \ + --with-zstd \ --with-libcap \ + --with-icu \ +%if %{?rhel}0 == 0 + --with-lua=plugin \ +%endif +%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38 --with-lucene \ + --with-exttextcat \ +%else + --without-lucene \ + --without-exttextcat \ +%endif + --without-libstemmer \ --with-ssl=openssl \ --with-ssldir=%{ssldir} \ --with-solr \ - --with-systemdsystemunitdir=%{_unitdir} \ - --with-docs + --with-docs \ + systemdsystemunitdir=%{_unitdir} sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf -make %{?_smp_mflags} +%make_build #pigeonhole pushd dovecot-pigeonhole @@ -267,13 +277,13 @@ pushd dovecot-pigeonhole --with-dovecot=../ \ --without-unfinished-features -make %{?_smp_mflags} +%make_build popd %install rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT +%make_install # move doc dir back to build dir so doc macro in files section can use it mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall 
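Review bot: `%patch -P 21 -p1 -b .7bad6a24` is still applied on 2.3.21, yet the comment this commit removes from the Patch list described that patch as "from upstream, for <= 2.3.19.1, rhbz#2106232", and the new `Patch21:` line now sits under a bare `# FTBFS` heading. That heading misstates what appears to be a security fix; the 1:2.3.19.1-2 changelog entry on privilege escalation with similar master and non-master passdbs presumably refers to it. Confirm the change is not already in the 2.3.21 tarball, then either drop the patch or restore its provenance above the declaration, e.g. `# from upstream, for <= 2.3.19.1, rhbz#2106232 (still required on 2.3.21: <reason>)`. The same applies to the other entries grouped under `# FTBFS` (fixvalcond, valbasherr, opensslv3), which carry no origin or bug reference.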
@@ -282,17 +292,13 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/ %multilib_fix_c_header --file %{_includedir}/dovecot/config.h pushd dovecot-pigeonhole -make install DESTDIR=$RPM_BUILD_ROOT +%make_install mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole popd -%if %{?fedora}00%{?rhel} < 6 -sed -i 's|password-auth|system-auth|' %{SOURCE2} -%endif - install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot #install man pages @@ -301,6 +307,8 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5 #install waitonline script install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript +install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.conf + # generate ghost .pem files mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs mkdir -p $RPM_BUILD_ROOT%{ssldir}/private @@ -309,14 +317,9 @@ chmod 600 $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf -%else -install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot -install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot -%endif -mkdir -p $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login} +mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login} # Install dovecot configuration and dovecot-openssl.cnf mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d 
@@ -343,84 +346,72 @@ popd %pre #dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid -getent group dovecot >/dev/null || groupadd -r --gid 97 dovecot -getent passwd dovecot >/dev/null || \ -useradd -r --uid 97 -g dovecot -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot IMAP server" dovecot +%sysusers_create_compat %{SOURCE16} -getent group dovenull >/dev/null || groupadd -r dovenull -getent passwd dovenull >/dev/null || \ -useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's unauthorized user" dovenull +if [ -z "$LEAPP_IPU_IN_PROGRESS" ] +then + # during LEAPP upgrade, services are not running anyway -# do not let dovecot run during upgrade rhbz#134325 -if [ "$1" = "2" ]; then - rm -f %restart_flag -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 - /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||: - /bin/systemctl stop %{name}.service >/dev/null 2>&1 -%else - /sbin/service %{name} status >/dev/null 2>&1 && touch %restart_flag ||: - /sbin/service %{name} stop >/dev/null 2>&1 -%endif + # do not let dovecot run during upgrade rhbz#134325 + if [ "$1" = "2" ]; then + rm -f %restart_flag + /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||: + /bin/systemctl stop %{name}.service >/dev/null 2>&1 + fi fi %post if [ $1 -eq 1 ] then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 %systemd_post dovecot.service -%else - /sbin/chkconfig --add %{name} -%endif fi -install -d -m 0755 -g dovecot -d /var/run/dovecot -install -d -m 0755 -d /var/run/dovecot/empty -install -d -m 0750 -g dovenull -d /var/run/dovecot/login -install -d -m 0750 -g dovenull -d /var/run/dovecot/token-login -[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot ||: +install -d -m 0755 -g dovecot -d /run/dovecot +install -d -m 0755 -d /run/dovecot/empty +install -d -m 0750 -g dovenull -d /run/dovecot/login +install -d -m 0750 -g dovenull -d /run/dovecot/token-login +[ -x /sbin/restorecon ] && 
/sbin/restorecon -R /run/dovecot ||: %preun if [ $1 = 0 ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || : /bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || : -%else - /sbin/service %{name} stop > /dev/null 2>&1 - /sbin/chkconfig --del %{name} -%endif - rm -rf /var/run/dovecot + rm -rf /run/dovecot fi %postun -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -%endif +if [ -z "$LEAPP_IPU_IN_PROGRESS" ] +then + # during LEAPP upgrade, services are not running anyway + /bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ "$1" -ge "1" -a -e %restart_flag ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 - /bin/systemctl start dovecot.service >/dev/null 2>&1 || : -%else - /sbin/service %{name} start >/dev/null 2>&1 || : -%endif -rm -f %restart_flag + if [ "$1" -ge "1" -a -e %restart_flag ]; then + /bin/systemctl start dovecot.service >/dev/null 2>&1 || : + rm -f %restart_flag + fi fi %posttrans -# dovecot should be started again in %%postun, but it's not executed on reinstall -# if it was already started, restart_flag won't be here, so it's ok to test it again -if [ -e %restart_flag ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 + +if [ -z "$LEAPP_IPU_IN_PROGRESS" ] +then + # during LEAPP upgrade, services are not running anyway + + # dovecot should be started again in %%postun, but it's not executed on reinstall + # if it was already started, restart_flag won't be here, so it's ok to test it again + if [ -e %restart_flag ]; then /bin/systemctl start dovecot.service >/dev/null 2>&1 || : -%else - /sbin/service %{name} start >/dev/null 2>&1 || : -%endif -rm -f %restart_flag + rm -f %restart_flag + fi fi %check +%ifnarch aarch64 +# some aarch64 tests timeout, skip for now make check cd dovecot-pigeonhole make check +%endif %files %doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT NEWS README 
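Review bot: The new `%ifnarch aarch64` around `%check` drops both `make check` runs on that architecture, so an aarch64 build ships with no test coverage at all. That includes the suites for the downstream OpenSSL HMAC replacement and the backported CVE patches. The comment says only some tests time out, so the skip should be limited to those test programs, or the timeout raised, rather than the whole section. Whichever is chosen, tie the exclusion to a tracker so it is revisited, e.g. `# aarch64: <test names> time out, see <ISSUE-ID>; remove when fixed`.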
@@ -432,15 +423,11 @@ make check %{_bindir}/dovecot-sysreport -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 %_tmpfilesdir/dovecot.conf +%{_sysusersdir}/dovecot.conf %{_unitdir}/dovecot.service %{_unitdir}/dovecot-init.service %{_unitdir}/dovecot.socket -%else -%{_initddir}/dovecot -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dovecot -%endif %dir %{_sysconfdir}/dovecot %dir %{_sysconfdir}/dovecot/conf.d @@ -492,6 +479,9 @@ make check %{_libdir}/dovecot/auth/lib20_auth_var_expand_crypt.so %{_libdir}/dovecot/auth/libauthdb_imap.so %{_libdir}/dovecot/auth/libauthdb_ldap.so +%if %{?rhel}0 == 0 +%{_libdir}/dovecot/auth/libauthdb_lua.so +%endif %{_libdir}/dovecot/auth/libmech_gssapi.so %{_libdir}/dovecot/auth/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdriver_sqlite.so @@ -511,10 +501,10 @@ make check %{_libexecdir}/%{name} %exclude %{_libexecdir}/%{name}/managesieve* -%dir %attr(0755,root,dovecot) %ghost /var/run/dovecot -%attr(0750,root,dovenull) %ghost /var/run/dovecot/login -%attr(0750,root,dovenull) %ghost /var/run/dovecot/token-login -%attr(0755,root,root) %ghost /var/run/dovecot/empty +%dir %attr(0755,root,dovecot) %ghost /run/dovecot +%attr(0750,root,dovenull) %ghost /run/dovecot/login +%attr(0750,root,dovenull) %ghost /run/dovecot/token-login +%attr(0755,root,root) %ghost /run/dovecot/empty %attr(0750,dovecot,dovecot) /var/lib/dovecot 
@@ -572,122 +562,346 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog -* Mon Apr 13 2026 Michal Hlavinka - 1:2.3.16-7 -- fix CVE-2026-27858: denial of service via crafted message before authentication (RHEL-161630) -- fix CVE-2025-59032: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (RHEL-162282) -- fix CVE-2026-27857: denial of service via specially crafted NOOP command (RHEL-161669) +* Tue Apr 07 2026 Michal Hlavinka - 1:2.3.21-16.1 +- fix CVE-2026-27858: denial of service via crafted message before authentication (RHEL-161625) +- fix CVE-2025-59032: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (RHEL-162273) +- fix CVE-2026-27857: denial of service via specially crafted NOOP command (RHEL-161664) -* Tue Aug 20 2024 Michal Hlavinka - 1:2.3.16-6 -- fix CVE-2024-23185: very large headers can cause resource exhaustion when parsing message (RHEL-55219) -- fix CVE-2024-23184: using a large number of address headers may trigger a denial of service (RHEL-55206) +* Wed Feb 05 2025 Michal Hlavinka - 1:2.3.21-16 +- fix sysusers config file name (RHEL-77323) -* Fri Feb 16 2024 Michal Hlavinka - 1:2.3.16-5 -- fixes assert-crash when IMAP client uses QRESYNC (#RHEL-22854) +* Tue Oct 29 2024 Troy Dawson - 1:2.3.21-15 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 -* Fri Aug 04 2023 Michal Hlavinka - 1:2.3.16-4 -- fix leaking mailboxes if virtual mailbox can't be opened (#2128857) +* Tue Aug 20 2024 Michal Hlavinka - 1:2.3.21-14 +- fix CVE-2024-23185: very large headers can cause resource exhaustion + when parsing message (RHEL-55218) +- fix CVE-2024-23184: using a large number of address headers may trigger + a denial of service (RHEL-55205) -* Tue Jul 19 2022 Michal Hlavinka - 1:2.3.16-3 -- fix possible privilege escalation when similar master and non-master passdbs are used (#2106231) +* Mon Aug 05 2024 Michal Hlavinka - 1:2.3.21-13 +- fix crash 
when user has sieve script that includes two missing scripts (RHEL-52541) -* Wed Dec 08 2021 Michal Hlavinka - 1:2.3.16-2 -- do not disable xz/lzma for now despite being deprecated +* Tue Jul 23 2024 Michal Hlavinka - 1:2.3.21-12 +- fix building with noengine openssl -* Wed Dec 08 2021 Michal Hlavinka - 1:2.3.16-1 +* Mon Jun 24 2024 Troy Dawson - 1:2.3.21-11 +- Bump release for June 2024 mass rebuild + +* Tue Jun 18 2024 Michal Hlavinka - 1:2.3.21-10 +- set min uid to 1000 + +* Thu Jun 13 2024 Michal Hlavinka - 1:2.3.21-9 +- do not run during systemd commands during leap upgrade + +* Tue Jun 11 2024 Michal Hlavinka - 1:2.3.21-8 +- drop dependency on libstemmer (#RHEL-40657) + +* Mon May 13 2024 Michal Hlavinka - 1:2.3.21-7 +- do not use deprecated openssl v3 engine api (#RHEL-33733) + +* Wed Jan 31 2024 Pete Walter - 1:2.3.21-6 +- Rebuild for ICU 74 + +* Wed Jan 24 2024 Fedora Release Engineering - 1:2.3.21-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 1:2.3.21-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Tue Oct 24 2023 Michal Hlavinka - 1:2.3.21-3 +- drop lucene to reduce dependency, use solr for fts instead + +* Thu Oct 05 2023 Remi Collet - 1:2.3.21-2 +- rebuild for new libsodium + +* Mon Sep 18 2023 Michal Hlavinka - 1:2.3.21-1 +- updated to 2.3.21(2239134) + +* Wed Jul 19 2023 Fedora Release Engineering - 1:2.3.20-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue Jul 11 2023 František Zatloukal - 1:2.3.20-5 +- Rebuilt for ICU 73.2 + +* Wed Apr 26 2023 Michal Hlavinka - 1:2.3.20-4 +- update license tag format (SPDX migration) for https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1 + +* Tue Feb 14 2023 Michal Hlavinka - 1:2.3.20-3 +- drop SHA1 OTP + +* Thu Jan 19 2023 Fedora Release Engineering - 1:2.3.20-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Jan 02 2023 Michal Hlavinka - 
1:2.3.20-1 +- updated to 2.3.20, pigeonhole to 0.5.20 + +* Mon Jan 02 2023 Florian Weimer - 1:2.3.19.1-8 +- Port configure script to C99 + +* Sat Dec 31 2022 Pete Walter - 1:2.3.19.1-7 +- Rebuild for ICU 72 + +* Tue Nov 08 2022 Michal Hlavinka - 1:2.3.19.1-6 +- use Wants=network-online.target instead of preexec nm-online (#2095949) + +* Tue Oct 11 2022 Michal Hlavinka - 1:2.3.19.1-5 +- build with lua support (#2132420) + +* Mon Aug 01 2022 Frantisek Zatloukal - 1:2.3.19.1-4 +- Rebuilt for ICU 71.1 + +* Thu Jul 21 2022 Fedora Release Engineering - 1:2.3.19.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Tue Jul 12 2022 Michal Hlavinka - 1:2.3.19.1-2 +- fix possible privilege escalation when similar master and non-master passdbs are used + +* Mon Jun 20 2022 Michal Hlavinka - 1:2.3.19.1-1 +- updated to 2.3.19.1 + +* Mon May 30 2022 Michal Hlavinka - 1:2.3.19-1 +- updated to 2.3.19, pigeonhole to 0.5.19 + +* Wed Feb 09 2022 Michal Hlavinka - 1:2.3.18-1 +- updated to 2.3.18, pigeonhole to 0.5.18 + +* Thu Jan 20 2022 Fedora Release Engineering - 1:2.3.17.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Dec 07 2021 Michal Hlavinka - 1:2.3.17.1-1 +- dovecot updated to 2.3.17.1, pigeonhole to 0.5.17.1 +- dsync: Add back accidentically removed parameters. +- lib-ssl-iostream: Fix assert-crash when OpenSSL returned syscall error + without errno. +- dovecot, managesieve and sieve-tool failed to run if ssl_ca was too large. 
+ +* Tue Nov 02 2021 Michal Hlavinka - 1:2.3.17-1 +- dovecot updated to 2.3.17, pigeonhole to 0.5.17 + +* Tue Sep 28 2021 Michal Hlavinka - 1:2.3.16-4 +- reenable LTO + +* Mon Sep 27 2021 Michal Hlavinka - 1:2.3.16-3 +- fix OpenSSLv3 issues 2005884 + +* Tue Sep 14 2021 Sahana Prasad - 1:2.3.16-2 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Aug 20 2021 Michal Hlavinka - 1:2.3.16-1 - dovecot updated to 2.3.16, pigeonhole to 0.5.16 -- fix CVE-2021-33515 plaintext commands injection (#1980014) +- fixes several regressions -* Wed Feb 03 2021 Michal Hlavinka - 1:2.3.8-9 -- fix CVE-2020-24386 IMAP hibernation function allows mail access (#1913534) +* Wed Jul 21 2021 Fedora Release Engineering - 1:2.3.15-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild -* Tue Jan 12 2021 Michal Hlavinka - 1:2.3.8-8 -- fix CVE-2020-25275 denial of service via mail MIME parsing (#1914019) +* Mon Jun 21 2021 Michal Hlavinka - 1:2.3.15-1 +- dovecot updated to 2.3.15, pigeonhole updated to 0.5.15 +- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in + JWT tokens. This may be used to supply attacker controlled keys to + validate tokens, if attacker has local access. +- CVE-2021-33515: On-path attacker could have injected plaintext commands + before STARTTLS negotiation that would be executed after STARTTLS + finished with the client. +- Add TSLv1.3 support to min_protocols. +- Allow configuring ssl_cipher_suites. 
(for TLSv1.3+) -* Thu Jan 07 2021 Michal Hlavinka - 1:2.3.8-7 -- change run directory from /var/run to /run (#1805947) +* Wed May 19 2021 Pete Walter - 1:2.3.14-4 +- Rebuild for ICU 69 -* Wed Dec 02 2020 Michal Hlavinka - 1:2.3.8-6 -- fix mail storage block count parsing (#1894418) -- MIME parser crashed when boundaries were wrong (#1888111) +* Wed May 19 2021 Pete Walter - 1:2.3.14-3 +- Rebuild for ICU 69 -* Mon Nov 02 2020 Michal Hlavinka - 1:2.3.8-5 -- multilib compatibility (#1853137) +* Mon May 10 2021 Jeff Law - 1:2.3.14-2 +- Re-enable LTO -* Fri Aug 07 2020 Michal Hlavinka - 1:2.3.8-4 -- fix CVE-2020-12100 resource exhaustion via deeply nested MIME parts (#1866756) -- fix CVE-2020-12673 out of bound reads in dovecot NTLM implementation (#1866761) -- fix CVE-2020-12674 crash due to assert in RPA implementation (#1866768) +* Mon Mar 22 2021 Michal Hlavinka - 1:2.3.14-1 +- dovecot updated to 2.3.14, pigeonhole to 0.5.14 +- use OpenSSL's implementation of HMAC +- Remove autocreate, expire, snarf and mail-filter plugins. +- Remove cydir storage driver. +- Remove XZ/LZMA write support. Read support will be removed in future release. 
-* Mon Jun 01 2020 Michal Hlavinka - 1:2.3.8-3 -- fix CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS (#1840354) -- fix CVE-2020-10958 dovecot: command followed by sufficient number of newlines - leads to use-after-free (#1840357) -- fix CVE-2020-10967 dovecot: sending mail with empty quoted localpart - leads to DoS (#1840356) +* Mon Feb 08 2021 Pavel Raiskup - 1:2.3.13-7 +- rebuild for libpq ABI fix rhbz#1908268 -* Thu Jan 09 2020 Michal Hlavinka - 1:2.3.8-2 -- fix default attributes for ghost files +* Mon Feb 01 2021 Michal Hlavinka - 1:2.3.13-6 +- use make macros -* Tue Nov 19 2019 Michal Hlavinka - 1:2.3.8-1 -- dovecot updated to 2.3.8 with pigeonhole updated to 0.5.8 (#1653117) +* Tue Jan 26 2021 Fedora Release Engineering - 1:2.3.13-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild -* Thu Aug 29 2019 Michal Hlavinka - 1:2.2.36-10 -- fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte +* Mon Jan 18 2021 Michal Hlavinka - 1:2.3.13-4 +- fix multilib issues + +* Mon Jan 18 2021 Michal Hlavinka - 1:2.3.13-3 +- bump release and rebuild + +* Thu Jan 07 2021 Michal Hlavinka - 1:2.3.13-2 +- fix rundir location + +* Wed Jan 06 2021 Michal Hlavinka - 1:2.3.13-1 +- fix release number + +* Mon Jan 04 2021 Michal Hlavinka - 1:2.3.13-0 +- dovecot updated to 2.3.13, pigeonhole to 0.5.13 +- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to + allow logged in user to access other people's emails and filesystem + information. +- Metric filter and global event filter variable syntax changed to a + SQL-like format. +- auth: Added new aliases for %{variables}. Usage of the old ones is + possible, but discouraged. +- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth + mechanism and related password schemes. +- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail. 
+- auth: Removed postfix postmap socket + +* Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-7 +- change run directory from /var/run to /run (#1777922) + +* Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-6 +- use bigger default key size (#1882939) + +* Wed Sep 02 2020 Michal Hlavinka - 1:2.3.11.3-5 +- fix gssapi issue + +* Wed Aug 26 2020 Michal Hlavinka - 1:2.3.11.3-4 +- fix FTBFS on 32bit systems + +* Mon Aug 17 2020 Jeff Law - 1:2.3.11.3-2 +- Disable LTO + +* Sat Aug 15 2020 Michal Hlavinka - 1:2.3.11.3-1 +- CVE-2020-12100: Parsing mails with a large number of MIME parts could + have resulted in excessive CPU usage or a crash due to running out of + stack memory. +- CVE-2020-12673: Dovecot's NTLM implementation does not correctly check + message buffer size, which leads to reading past allocation which can + lead to crash. +- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an + address that has the empty quoted string as local-part causes the lmtp + service to crash. +- CVE-2020-12674: Dovecot's RPA mechanism implementation accepts + zero-length message, which leads to assert-crash later on. + +* Sat Aug 01 2020 Fedora Release Engineering - 1:2.3.10.1-3 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 1:2.3.10.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon May 18 2020 Michal Hlavinka - 1:2.3.10.1-1 +- dovecot updated to 2.3.10.1 +- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 + +* Tue Apr 21 2020 Michal Hlavinka - 1:2.3.10-1 +- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 + +* Wed Feb 12 2020 Michal Hlavinka - 1:2.3.9.3-1 +- dovecot updated to 2.3.9.3 +- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS + submission-login and lmtp processes. +- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation. 
+ + +* Tue Jan 28 2020 Fedora Release Engineering - 1:2.3.9.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Dec 19 2019 Michal Hlavinka - 1:2.3.9.2-1 +- CVE-2019-19722: Mails with group addresses in From or To fields + caused crash in push notification drivers. + +* Wed Dec 04 2019 Michal Hlavinka - 1:2.3.9-1 +- dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 + +* Thu Oct 10 2019 Michal Hlavinka - 1:2.3.8-1 +- dovecot updated to 2.3.8, pigeonhole 0.5.8 + +* Thu Aug 29 2019 Michal Hlavinka - 1:2.3.7.2-1 +- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 +- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap - memory writes (#1741788) + memory writes -* Fri Aug 23 2019 Michal Hlavinka - 1:2.2.36-9 -- reset errno before iterating through users (#1630410) +* Mon Aug 19 2019 Michal Hlavinka - 1:1-2.3.7.1 +- dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 -* Mon Jun 17 2019 Michal Hlavinka - 1:2.2.36-8 -- fix CVE-2019-3814: improper certificate validation (#1674370) +* Wed Jul 24 2019 Fedora Release Engineering - 1:2.3.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild -* Fri Jun 14 2019 Michal Hlavinka - 1:2.2.36-7 -- do not print error message when restorecon is not present - during install (#1626395) -- change default config to use minimal UID = 1000 (#1630410) +* Fri May 31 2019 Michal Hlavinka - 1:2.3.6-3 +- disable gcc 9 stack reuse temporarily -* Mon Jun 10 2019 Michal Hlavinka - 1:2.2.36-6 -- use OpenSSl implementation of HMAC, disable CRAM-MD5 when FIPS is enabled (#1618749) +* Mon May 13 2019 Michal Hlavinka - 1:2.3.6-2 +- use /run instead of /var/run (#1706372) -* Tue Oct 16 2018 Michal Hlavinka - 1:2.2.36-5 -- make key not that bigger (#1618714) +* Thu May 02 2019 Michal Hlavinka - 1:2.3.6-1 +- dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 -* Tue Oct 16 2018 Michal Hlavinka - 1:2.2.36-4 -- 
generated key was too small (#1618714) +* Thu Apr 18 2019 Michal Hlavinka - 1:2.3.5.2-1 +- dovecot updated to 2.3.5.2 +- fixes CVE-2019-10691: Trying to login with 8bit username containing + invalid UTF8 input causes auth process to crash if auth policy is enabled. -* Wed Sep 19 2018 Michal Hlavinka - 1:2.2.36-3 -- fix global ACL directory configuration search path (#1630383) -- update first/last_valid_gid range patch (#1630410) +* Thu Mar 28 2019 Michal Hlavinka - 1:2.3.5.1-1 +- dovecot updated to 2.3.5.1 +- CVE-2019-7524: Missing input buffer size validation leads into + arbitrary buffer overflow when reading fts or pop3 uidl header + from Dovecot index. -* Mon Jul 30 2018 Michal Hlavinka - 1:2.2.36-2 -- fix defaut permissions of gost run files +* Wed Mar 06 2019 Michal Hlavinka - 1:2.3.5-1 +- dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 -* Thu Jun 28 2018 Michal Hlavinka - 1:2.2.36-1 -- dovecot updated to 2.2.36, pigeonhole to 0.4.24 +* Thu Jan 31 2019 Fedora Release Engineering - 1:2.3.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild -* Thu May 24 2018 Michal Hlavinka - 1:2.2.35-3 -- disable tcp_wrappers as it's not available in rhel8 +* Mon Jan 14 2019 Björn Esser - 1:2.3.4-2 +- Rebuilt for libcrypt.so.2 (#1666033) -* Thu Apr 19 2018 Michal Hlavinka - 1:2.2.35-2 -- include crypt.h explicitely +* Wed Jan 09 2019 Michal Hlavinka - 1:2.3.4-1 +- dovecot updated to 2.3.4, pigeonhole updated to 0.5.4 -* Wed Mar 21 2018 Michal Hlavinka - 1:2.2.35-1 -- dovecot updated to 2.2.35, pigeonhole updated to 0.4.23 +* Tue Oct 02 2018 Michal Hlavinka - 1:2.3.3-1 +- dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3 +- doveconf hides more secrets now in the default output +- NUL bytes in mail headers can cause truncated replies when fetched. +- virtual plugin: Some searches used 100% CPU for many seconds +- dsync assert-crashed with acl plugin in some situations. +- imapc: Fixed various assert-crashes when reconnecting to server. 
-* Thu Mar 01 2018 Michal Hlavinka - 1:2.2.34-1 -- dovecot updated to 2.2.34, pigeonhole updated to 0.4.22 -- fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive - memory usage, causing imap-login/pop3-login VSZ limit to be reached - and the process restarted. This happens only if Dovecot config has - local_name { } or local { } configuration blocks and attacker uses - randomly generated SNI servernames. -- fixes CVE-2017-14461: Parsing invalid email addresses may cause a crash or - leak memory contents to attacker. For example, these memory contents - might contain parts of an email from another user if the same imap - process is reused for multiple users. -- fixes CVE-2017-15132: Aborted SASL authentication leaks memory in login - process. + +* Tue Oct 02 2018 Michal Hlavinka - 1:2.3.2.1-4 +- fix dovecot-init service syntax error (#1635017) + +* Mon Aug 13 2018 Michal Hlavinka - 1:2.3.2.1-3 +- do not try to generate ssl-params as its obsolete (#1614640) + +* Thu Jul 12 2018 Fedora Release Engineering - 1:2.3.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jul 10 2018 Michal Hlavinka - 1:2.3.2.1-1 +- SSL/TLS servers may have crashed during client disconnection + +* Mon Jul 09 2018 Michal Hlavinka - 1:2.3.2-1 +- dovecot updated to 2.3.2, pigeonhole to 0.5.2 + +* Wed Mar 28 2018 Michal Hlavinka - 1:2.3.1-2 +- fix ftbfs - murmurhash3 check fail + +* Wed Mar 28 2018 Michal Hlavinka - 1:2.3.1-1 +- dovecot updated to 2.3.1, pigeonhole updated to 0.5.1 + +* Tue Mar 27 2018 Michal Hlavinka - 1:2.3.0.1-3 +- use libxcrypt for Fedora >= 28, part of ftbfs fix (#1548520) + +* Wed Mar 07 2018 Michal Hlavinka - 1:2.3.0.1-2 +- add gcc buildrequire + +* Thu Mar 01 2018 Michal Hlavinka - 1:2.3.0.1-1 +- dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1 * Fri Feb 09 2018 Igor Gnatenko - 1:2.2.33.2-5 - Escape macros in %%changelog 
diff --git a/SOURCES/dovecot.sysconfig b/dovecot.sysconfig
similarity index 100%
rename from SOURCES/dovecot.sysconfig
rename to dovecot.sysconfig
diff --git a/dovecot.sysusers b/dovecot.sysusers
new file mode 100644
index 0000000..c286ee4
--- /dev/null
+++ b/dovecot.sysusers
@@ -0,0 +1,9 @@
+#Type Name ID GECOS Home directory Shell
+g dovecot 97
+u dovecot 97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
+m dovecot dovecot
+
+g dovenull -
+u dovenull - "Dovecot - unauthorized user" /usr/libexec/dovecot /sbin/nologin
+m dovenull dovenull
+
diff --git a/SOURCES/dovecot.tmpfilesd b/dovecot.tmpfilesd
similarity index 100%
rename from SOURCES/dovecot.tmpfilesd
rename to dovecot.tmpfilesd
diff --git a/SOURCES/prestartscript b/prestartscript
old mode 100644
new mode 100755
similarity index 100%
rename from SOURCES/prestartscript
rename to prestartscript
diff --git a/sources b/sources
new file mode 100644
index 0000000..adcf5fb
--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (dovecot-2.3-pigeonhole-0.5.21.tar.gz) = 5537444025a474ee1b79919a424e24530695aec639361c531257f25fac286673719d476906d99d47e348deb57baa75419bff7dd284c82d2b751334dedec96314
+SHA512 (dovecot-2.3.21.tar.gz) = 2d463c38639c3fd3d617ee5b1a4e4d0c11362339c4d4d62a5a90164a8b10bc58919545679bbf379139bdb743fdb013033abfddc1fc6401eb8099463cdc2401ca
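Review bot: In the new dovecot.sysusers, the lines `m dovecot dovecot` and `m dovenull dovenull` look redundant, since each `u` line already creates the account with a primary group of the same name; dropping them would leave only the memberships that matter. The file also does not say why there are two accounts or why `dovenull` gets a dynamic ID while `dovecot` is pinned to 97. Assuming `dovenull` is the account the pre-authentication login processes run as (Dovecot's default layout, not shown in this diff), a comment above its block would help keep the separation intact, for example `# dovenull: unprivileged login-process account; must not be added to any other group`. A matching one-liner above the first block, such as `# dovecot: static UID/GID 97, owns internal Dovecot processes`, would document the fixed ID.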