Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/dovecot.git#e1b1e2910c24597e944961e71806d71f60f16b2d
2021-01-06 12:21:51 +00:00 · 2021-01-06 12:21:51 +00:00 · b0939d59a8
parent 68b9de8c8e
commit b0939d59a8
6 changed files with 60 additions and 62 deletions
--- a/dovecot-2.3.11.3-ftbfs1.patch
+++ b/dovecot-2.3.11.3-ftbfs1.patch
@ -1,15 +0,0 @@
-diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c
-index cf05370035..0a030a2be0 100644
--- a/src/auth/test-mech.c
-+++ b/src/auth/test-mech.c
-@@ -196,8 +196,8 @@ test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_
- {
- 	string_t *apop_challenge = t_str_new(128);
- 
-	str_printfa(apop_challenge,"<%lx.%u.%"PRIdTIME_T"", (unsigned long) getpid(),
-		    connect_uid, process_start_time+10);
-+	str_printfa(apop_challenge,"<%lx.%lx.%"PRIxTIME_T".", (unsigned long)getpid(),
-+		    (unsigned long)connect_uid, process_start_time+10);
- 	str_append_data(apop_challenge, "\0testuser\0responseoflen16-", 26);
- 	*len_r = apop_challenge->used;
- 	return apop_challenge->data;
--- a/dovecot-2.3.11.3-ftbfs2.patch
+++ b/dovecot-2.3.11.3-ftbfs2.patch
@ -1,22 +0,0 @@
-diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c
-index 0a030a2be0..0a22ff46d0 100644
--- a/src/auth/test-mech.c
-+++ b/src/auth/test-mech.c
-@@ -192,7 +192,7 @@ static void test_mech_handle_challenge(struct auth_request *request,
- }
- 
- static inline const unsigned char *
-test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_r)
-+test_mech_construct_apop_challenge(unsigned int connect_uid, size_t *len_r)
- {
- 	string_t *apop_challenge = t_str_new(128);
- 
-@@ -323,7 +323,7 @@ static void test_mechs(void)
- 		struct test_case *test_case = &tests[running_test];
- 		const struct mech_module *mech = test_case->mech;
- 		struct auth_request *request;
-		const char *testname = t_strdup_printf("auth mech %s %d/%lu",
-+		const char *testname = t_strdup_printf("auth mech %s %d/%zu",
- 						       mech->mech_name,
- 						       running_test+1,
- 						       N_ELEMENTS(tests));
--- a/dovecot-2.3.11.3-gssapi.patch
+++ b/dovecot-2.3.11.3-gssapi.patch
@ -1,13 +0,0 @@
-diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c
-index f29e48da88..966273d388 100644
--- a/src/auth/mech-gssapi.c
-+++ b/src/auth/mech-gssapi.c
-@@ -735,7 +735,7 @@ mech_gssapi_auth_free(struct auth_request *request)
- const struct mech_module mech_gssapi = {
- 	"GSSAPI",
- 
-	.flags = 0,
-+	.flags = MECH_SEC_ALLOW_NULS,
- 	.passdb_need = MECH_PASSDB_NEED_NOTHING,
- 
- 	mech_gssapi_auth_new,
--- a/dovecot-2.3.13-bigtvsec.patch
+++ b/dovecot-2.3.13-bigtvsec.patch
@ -0,0 +1,36 @@
+diff -up dovecot-2.3.13/src/lib/test-time-util.c.bigtvsec dovecot-2.3.13/src/lib/test-time-util.c
+--- dovecot-2.3.13/src/lib/test-time-util.c.bigtvsec	2021-01-06 11:27:06.793315308 +0100
+++ dovecot-2.3.13/src/lib/test-time-util.c	2021-01-06 11:27:06.815315088 +0100
+@@ -358,7 +358,7 @@ static void test_str_to_timeval(void)
+ {
+ 	struct {
+ 		const char *str;
+-		unsigned int tv_sec, tv_usec;
+		long int tv_sec, tv_usec;
+ 	} tests[] = {
+ 		{ "0", 0, 0 },
+ 		{ "0.0", 0, 0 },
+diff -up dovecot-2.3.13/src/lib/time-util.c.bigtvsec dovecot-2.3.13/src/lib/time-util.c
+--- dovecot-2.3.13/src/lib/time-util.c.bigtvsec	2021-01-06 11:10:49.791094852 +0100
+++ dovecot-2.3.13/src/lib/time-util.c	2021-01-06 11:10:08.255501319 +0100
+@@ -43,16 +43,16 @@ int timeval_cmp_margin(const struct time
+ 
+ 	if (tv1->tv_sec < tv2->tv_sec) {
+ 		sec_margin = ((int)usec_margin / 1000000) + 1;
+-		if ((tv2->tv_sec - tv1->tv_sec) > sec_margin)
+		if (((long long)tv2->tv_sec - tv1->tv_sec) > sec_margin)
+ 			return -1;
+-		usecs_diff = (tv2->tv_sec - tv1->tv_sec) * 1000000LL +
+		usecs_diff = ((long long)tv2->tv_sec - tv1->tv_sec) * 1000000LL +
+ 			(tv2->tv_usec - tv1->tv_usec);
+ 		ret = -1;
+ 	} else if (tv1->tv_sec > tv2->tv_sec) {
+ 		sec_margin = ((int)usec_margin / 1000000) + 1;
+-		if ((tv1->tv_sec - tv2->tv_sec) > sec_margin)
+		if (((long long)tv1->tv_sec - tv2->tv_sec) > sec_margin)
+ 			return 1;
+-		usecs_diff = (tv1->tv_sec - tv2->tv_sec) * 1000000LL +
+		usecs_diff = ((long long)tv1->tv_sec - tv2->tv_sec) * 1000000LL +
+ 			(tv1->tv_usec - tv2->tv_usec);
+ 		ret = 1;
+ 	} else if (tv1->tv_usec < tv2->tv_usec) {
--- a/dovecot.spec
+++ b/dovecot.spec
@ -3,9 +3,9 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.11.3
+Version: 2.3.13
 %global prever %{nil}
-Release: 7%{?dist}
+Release: %{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2

@ -13,7 +13,7 @@ URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.11
+%global pigeonholever 0.5.13
 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@ -32,10 +32,8 @@ Patch6: dovecot-2.1.10-waitonline.patch
 Patch8: dovecot-2.2.20-initbysystemd.patch
 Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
 Patch10: dovecot-2.3.0.1-libxcrypt.patch
-Patch12: dovecot-2.3.11.3-ftbfs1.patch
-Patch13: dovecot-2.3.11.3-ftbfs2.patch
-Patch14: dovecot-2.3.11.3-gssapi.patch
 Patch15: dovecot-2.3.11-bigkey.patch
+Patch16: dovecot-2.3.13-bigtvsec.patch

 Source15: prestartscript

@ -121,10 +119,11 @@ This package provides the development files for dovecot.
 %patch8 -p1 -b .initbysystemd
 %patch9 -p1 -b .systemd_w_protectsystem
 #%patch10 -p1 -b .libxcrypt
-%patch12 -p1 -b .ftbfs1
-%patch13 -p1 -b .ftbfs2
-%patch14 -p1 -b .gssapi
+#patch12 -p1 -b .ftbfs1
+#patch13 -p1 -b .ftbfs2
+#patch14 -p1 -b .gssapi
 %patch15 -p1 -b .bigkey
+%patch16 -p1 -b .bigtvsec

 #pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 #popd
@ -346,7 +345,6 @@ make check
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-sql.conf.ext
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-static.conf.ext
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-system.conf.ext
-%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-vpopmail.conf.ext

 %config(noreplace) %{_sysconfdir}/pam.d/dovecot
 %config(noreplace) %{ssldir}/dovecot-openssl.cnf
@ -449,6 +447,20 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so

 %changelog
+* Mon Jan 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:
+- dovecot updated to 2.3.13, pigeonhole to 0.5.13
+- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
+  allow logged in user to access other people's emails and filesystem
+  information.
+- Metric filter and global event filter variable syntax changed to a
+  SQL-like format. 
+- auth: Added new aliases for %{variables}. Usage of the old ones is
+  possible, but discouraged.
+- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
+  mechanism and related password schemes.
+- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
+- auth: Removed postfix postmap socket
+
 * Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-7
 - change run directory from /var/run to /run (#1777922)

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.11.3.tar.gz) = d83e52a7faab918a8e6f6257acc5936b81733c10489affd042c3a043cb842db060286cba9978be378e4958e9ac2e60b55ce289d7f3a88df08e7637e4785e23bb
-SHA512 (dovecot-2.3-pigeonhole-0.5.11.tar.gz) = 793d93edc50192c52654e2f7244d3e01aaa4e69f786e3ecfcd658a4ab26a5099cc5319cb93221150db4ce94bc4515ffb38115b1d0eeb6e052b956efec680b33d
+SHA512 (dovecot-2.3.13.tar.gz) = 758a169fba8925637ed18fa7522a6f06c9fe01a1707b1ca0d0a4d8757c578a8e117c91733e8314403839f9a484bbcac71ce3532c82379eb583b480756d556a95
+SHA512 (dovecot-2.3-pigeonhole-0.5.13.tar.gz) = fcbc13d71af4e6dd4e34192484e203d755e5015da76a4774b11a79182b2baad36cab5a471346093111ace36a7775dfe8294555f8b777786dde386820b3ec5cd3