fix CVE-2026-27858: denial of service via crafted message before authentication (RHEL-161630)

fix CVE-2025-59032: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (RHEL-162282)
fix CVE-2026-27857: denial of service via specially crafted NOOP command (RHEL-161669)
Resolves: RHEL-161630
This commit is contained in:
Michal Hlavinka 2026-04-13 14:00:50 +02:00
parent b1625d6f1d
commit b199fd1c0d
9 changed files with 653 additions and 44 deletions

View File

@ -0,0 +1,20 @@
diff --git a/dovecot-pigeonhole/src/managesieve-login/client.c b/dovecot-pigeonhole/src/managesieve-login/client.c
index 3b2492ca..2ad47b4c 100644
--- a/dovecot-pigeonhole/src/managesieve-login/client.c
+++ b/dovecot-pigeonhole/src/managesieve-login/client.c
@@ -345,10 +345,12 @@ static bool managesieve_client_input_next_cmd(struct client *client)
if ( args[0].type != MANAGESIEVE_ARG_EOL )
ret = -1;
}
- }
- if (ret > 0) {
+ if (ret > 0)
+ ret = client->cmd->func(client, args);
+ } else {
+ /* Continue unfinished command */
i_assert(client->cmd != NULL);
- ret = client->cmd->func(client, args);
+ ret = client->cmd->func(client, NULL);
}
if (ret != 0)

View File

@ -0,0 +1,257 @@
diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
index c761f91d6e..84e6a90db4 100644
--- a/src/imap-login/imap-login-client.c
+++ b/src/imap-login/imap-login-client.c
@@ -379,7 +379,7 @@ static void imap_client_create(struct cl
imap_client->parser =
imap_parser_create(imap_client->common.input,
imap_client->common.output,
- IMAP_LOGIN_MAX_LINE_LENGTH);
+ IMAP_LOGIN_MAX_LINE_LENGTH, NULL);
if (imap_client->set->imap_literal_minus)
imap_parser_enable_literal_minus(imap_client->parser);
client->io = io_add_istream(client->input, client_input, client);
@@ -473,7 +473,7 @@ static void imap_client_starttls(struct client *client)
imap_client->parser =
imap_parser_create(imap_client->common.input,
imap_client->common.output,
- IMAP_LOGIN_MAX_LINE_LENGTH);
+ IMAP_LOGIN_MAX_LINE_LENGTH, NULL);
/* CRLF is lost from buffer when streams are reopened. */
imap_client->skip_line = FALSE;
diff --git a/src/imap-login/imap-login-cmd-id.c b/src/imap-login/imap-login-cmd-id.c
index 24b365dc0c..be2097f70b 100644
--- a/src/imap-login/imap-login-cmd-id.c
+++ b/src/imap-login/imap-login-cmd-id.c
@@ -391,7 +391,8 @@ int cmd_id(struct imap_client *client)
client->cmd_id = id = i_new(struct imap_client_cmd_id, 1);
id->parser = imap_parser_create(client->common.input,
client->common.output,
- IMAP_LOGIN_MAX_LINE_LENGTH);
+ IMAP_LOGIN_MAX_LINE_LENGTH,
+ NULL);
if (client->set->imap_literal_minus)
imap_parser_enable_literal_minus(id->parser);
parser_flags = IMAP_PARSE_FLAG_STOP_AT_LIST;
diff --git a/src/imap/cmd-append.c b/src/imap/cmd-append.c
index 8e1dec27e6..18f16fc119 100644
--- a/src/imap/cmd-append.c
+++ b/src/imap/cmd-append.c
@@ -1202,7 +1202,8 @@ static bool cmd_append_full(struct client_command_context *cmd, bool replace)
o_stream_unset_flush_callback(client->output);
ctx->save_parser = imap_parser_create(client->input, client->output,
- client->set->imap_max_line_length);
+ client->set->imap_max_line_length,
+ NULL);
if (client->set->imap_literal_minus)
imap_parser_enable_literal_minus(ctx->save_parser);
diff --git a/src/imap/cmd-setmetadata.c b/src/imap/cmd-setmetadata.c
index 4278c8720e..686c72c984 100644
--- a/src/imap/cmd-setmetadata.c
+++ b/src/imap/cmd-setmetadata.c
@@ -289,7 +289,8 @@ cmd_setmetadata_start(struct imap_setmetadata_context *ctx)
asynchronously the same way as APPEND does. */
client->input_lock = cmd;
ctx->parser = imap_parser_create(client->input, client->output,
- client->set->imap_max_line_length);
+ client->set->imap_max_line_length,
+ NULL);
if (client->set->imap_literal_minus)
imap_parser_enable_literal_minus(ctx->parser);
o_stream_unset_flush_callback(client->output);
diff --git a/src/imap/imap-client.c b/src/imap/imap-client.c
index 47709aa400..10a8968988 100644
--- a/src/imap/imap-client.c
+++ b/src/imap/imap-client.c
@@ -994,7 +994,8 @@ client_command_new(struct client *client)
} else {
cmd->parser =
imap_parser_create(client->input, client->output,
- client->set->imap_max_line_length);
+ client->set->imap_max_line_length,
+ NULL);
if (client->set->imap_literal_minus)
imap_parser_enable_literal_minus(cmd->parser);
}
diff --git a/src/lib-imap-client/imapc-connection.c b/src/lib-imap-client/imapc-connection.c
index 17aa54c3b0..25dfd32499 100644
--- a/src/lib-imap-client/imapc-connection.c
+++ b/src/lib-imap-client/imapc-connection.c
@@ -1914,7 +1914,8 @@ static void imapc_connection_connect_next_ip(struct imapc_connection *conn)
o_stream_set_flush_callback(conn->output, imapc_connection_connected,
conn);
conn->parser = imap_parser_create(conn->input, NULL,
- conn->client->set.max_line_length);
+ conn->client->set.max_line_length,
+ NULL);
conn->to = timeout_add(conn->client->set.connect_timeout_msecs,
imapc_connection_timeout, conn);
conn->to_output = timeout_add(conn->client->set.max_idle_time*1000,
diff --git a/src/lib-imap-storage/imap-msgpart.c b/src/lib-imap-storage/imap-msgpart.c
index 0442a345b4..3c0bbf5a81 100644
--- a/src/lib-imap-storage/imap-msgpart.c
+++ b/src/lib-imap-storage/imap-msgpart.c
@@ -149,7 +149,7 @@ imap_msgpart_get_header_fields(pool_t pool, const char *header_list,
int result = 0;
input = i_stream_create_from_data(header_list, strlen(header_list));
- parser = imap_parser_create(input, NULL, SIZE_MAX);
+ parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
if (imap_parser_finish_line(parser, 0, 0, &args) > 0 &&
imap_arg_get_list_full(args, &hdr_list, &list_count) &&
diff --git a/src/lib-imap/imap-bodystructure.c b/src/lib-imap/imap-bodystructure.c
index e3d4b3b564..7910bbcee1 100644
--- a/src/lib-imap/imap-bodystructure.c
+++ b/src/lib-imap/imap-bodystructure.c
@@ -732,7 +732,7 @@ int imap_bodystructure_parse_full(const char *bodystructure,
input = i_stream_create_from_data(bodystructure, strlen(bodystructure));
(void)i_stream_read(input);
- parser = imap_parser_create(input, NULL, SIZE_MAX);
+ parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
ret = imap_parser_finish_line(parser, 0,
IMAP_PARSE_FLAG_LITERAL_TYPE, &args);
if (ret < 0) {
@@ -982,7 +982,7 @@ int imap_body_parse_from_bodystructure(const char *bodystructure,
input = i_stream_create_from_data(bodystructure, strlen(bodystructure));
(void)i_stream_read(input);
- parser = imap_parser_create(input, NULL, SIZE_MAX);
+ parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
ret = imap_parser_finish_line(parser, 0, IMAP_PARSE_FLAG_NO_UNESCAPE |
IMAP_PARSE_FLAG_LITERAL_TYPE, &args);
if (ret < 0) {
diff --git a/src/lib-imap/imap-envelope.c b/src/lib-imap/imap-envelope.c
index 395e189c70..2e305d7c42 100644
--- a/src/lib-imap/imap-envelope.c
+++ b/src/lib-imap/imap-envelope.c
@@ -225,7 +225,7 @@ bool imap_envelope_parse(const char *envelope,
input = i_stream_create_from_data(envelope, strlen(envelope));
(void)i_stream_read(input);
- parser = imap_parser_create(input, NULL, SIZE_MAX);
+ parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
ret = imap_parser_finish_line(parser, 0,
IMAP_PARSE_FLAG_LITERAL_TYPE, &args);
if (ret < 0) {
diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
index 643f80ceeb..532cb97dfb 100644
--- a/src/lib-imap/imap-parser.c
+++ b/src/lib-imap/imap-parser.c
@@ -69,7 +69,8 @@ struct imap_parser {
struct imap_parser *
imap_parser_create(struct istream *input, struct ostream *output,
- size_t max_line_size)
+ size_t max_line_size,
+ const struct imap_parser_params *params ATTR_UNUSED)
{
struct imap_parser *parser;
diff --git a/src/lib-imap/imap-parser.h b/src/lib-imap/imap-parser.h
index cd3748c00f..16ef2c7a34 100644
--- a/src/lib-imap/imap-parser.h
+++ b/src/lib-imap/imap-parser.h
@@ -38,6 +38,9 @@ enum imap_parser_error {
IMAP_PARSE_ERROR_LITERAL_TOO_BIG
};
+struct imap_parser_params {
+};
+
struct imap_parser;
/* Create new IMAP argument parser. output is used for sending command
@@ -53,7 +56,8 @@ struct imap_parser;
2 * max_line_size. */
struct imap_parser *
imap_parser_create(struct istream *input, struct ostream *output,
- size_t max_line_size) ATTR_NULL(2);
+ size_t max_line_size,
+ const struct imap_parser_params *params);
void imap_parser_ref(struct imap_parser *parser);
void imap_parser_unref(struct imap_parser **parser);
diff --git a/src/lib-imap/test-imap-parser.c b/src/lib-imap/test-imap-parser.c
index 32f8d89dea..58c5863d67 100644
--- a/src/lib-imap/test-imap-parser.c
+++ b/src/lib-imap/test-imap-parser.c
@@ -16,7 +16,7 @@ static void test_imap_parser_crlf(void)
test_begin("imap parser crlf handling");
input = test_istream_create(test_input);
- parser = imap_parser_create(input, NULL, 1024);
+ parser = imap_parser_create(input, NULL, 1024, NULL);
/* must return -2 until LF is read */
for (i = 0; test_input[i] != '\n'; i++) {
@@ -60,7 +60,7 @@ static void test_imap_parser_partial_list(void)
test_begin("imap parser partial list");
input = test_istream_create(test_input);
- parser = imap_parser_create(input, NULL, 1024);
+ parser = imap_parser_create(input, NULL, 1024, NULL);
(void)i_stream_read(input);
test_assert(imap_parser_read_args(parser, 0,
@@ -128,7 +128,7 @@ static void test_imap_parser_read_tag_cmd(void)
if (tests[i].type != COMMAND) {
input = test_istream_create(tests[i].input);
test_assert(i_stream_read(input) > 0);
- parser = imap_parser_create(input, NULL, 1024);
+ parser = imap_parser_create(input, NULL, 1024, NULL);
ret = imap_parser_read_tag(parser, &atom);
test_assert_idx(ret == tests[i].ret, i);
test_assert_idx(ret <= 0 || strcmp(tests[i].tag, atom) == 0, i);
@@ -139,7 +139,7 @@ static void test_imap_parser_read_tag_cmd(void)
if (tests[i].type != TAG) {
input = test_istream_create(tests[i].input);
test_assert(i_stream_read(input) > 0);
- parser = imap_parser_create(input, NULL, 1024);
+ parser = imap_parser_create(input, NULL, 1024, NULL);
ret = imap_parser_read_command_name(parser, &atom);
test_assert_idx(ret == tests[i].ret, i);
test_assert_idx(ret <= 0 || strcmp(tests[i].tag, atom) == 0, i);
diff --git a/src/plugins/virtual/virtual-config.c b/src/plugins/virtual/virtual-config.c
index f448c81d7d..6ec5aa260e 100644
--- a/src/plugins/virtual/virtual-config.c
+++ b/src/plugins/virtual/virtual-config.c
@@ -54,7 +54,7 @@ virtual_search_args_parse(const string_t *rule, const char **error_r)
input = i_stream_create_from_data(str_data(rule), str_len(rule));
(void)i_stream_read(input);
- imap_parser = imap_parser_create(input, NULL, SIZE_MAX);
+ imap_parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
ret = imap_parser_finish_line(imap_parser, 0, 0, &args);
if (ret < 0) {
sargs = NULL;
diff --git a/src/lib-imap/imap-id.c b/src/lib-imap/imap-id.c
index f448c81d7d..6ec5aa260e 100644
--- a/src/lib-imap/imap-id.c
+++ b/src/lib-imap/imap-id.c
@@ -111,7 +111,7 @@ const char *imap_id_reply_generate(const
input = i_stream_create_from_data(settings, strlen(settings));
(void)i_stream_read(input);
- parser = imap_parser_create(input, NULL, SIZE_MAX);
+ parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
if (imap_parser_finish_line(parser, 0, 0, &args) <= 0)
ret = "NIL";
else
diff --git a/src/director/director-test.c b/src/director/director-test.c
index f448c81d7d..6ec5aa260e 100644
--- a/src/director/director-test.c
+++ b/src/director/director-test.c
@@ -250,7 +250,7 @@ static void imap_client_create(int fd)
o_stream_set_no_error_handling(client->output, TRUE);
client->io = io_add(fd, IO_READ, imap_client_input, client);
client->parser =
- imap_parser_create(client->input, client->output, 4096);
+ imap_parser_create(client->input, client->output, 4096, NULL);
o_stream_nsend_str(client->output,
"* OK [CAPABILITY IMAP4rev1] director-test ready.\r\n");
DLLIST_PREPEND(&imap_clients, client);

View File

@ -0,0 +1,149 @@
diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
index 532cb97dfb..6212aed33d 100644
--- a/src/lib-imap/imap-parser.c
+++ b/src/lib-imap/imap-parser.c
@@ -39,6 +39,7 @@ struct imap_parser {
struct istream *input;
struct ostream *output;
size_t max_line_size;
+ unsigned int list_count_limit;
enum imap_parser_flags flags;
/* reset by imap_parser_reset(): */
@@ -46,6 +47,7 @@ struct imap_parser {
ARRAY_TYPE(imap_arg_list) root_list;
ARRAY_TYPE(imap_arg_list) *cur_list;
struct imap_arg *list_arg;
+ unsigned int list_count;
enum arg_parse_type cur_type;
size_t cur_pos; /* parser position in input buffer */
@@ -70,7 +72,7 @@ struct imap_parser {
struct imap_parser *
imap_parser_create(struct istream *input, struct ostream *output,
size_t max_line_size,
- const struct imap_parser_params *params ATTR_UNUSED)
+ const struct imap_parser_params *params)
{
struct imap_parser *parser;
@@ -81,6 +83,10 @@ imap_parser_create(struct istream *input, struct ostream *output,
parser->input = input;
parser->output = output;
parser->max_line_size = max_line_size;
+ if (params != NULL && params->list_count_limit > 0)
+ parser->list_count_limit = params->list_count_limit;
+ else
+ parser->list_count_limit = UINT_MAX;
p_array_init(&parser->root_list, parser->pool, LIST_INIT_COUNT);
parser->cur_list = &parser->root_list;
@@ -122,6 +128,7 @@ void imap_parser_reset(struct imap_parser *parser)
p_array_init(&parser->root_list, parser->pool, LIST_INIT_COUNT);
parser->cur_list = &parser->root_list;
parser->list_arg = NULL;
+ parser->list_count = 0;
parser->cur_type = ARG_PARSE_NONE;
parser->cur_pos = 0;
@@ -210,6 +217,12 @@ static bool imap_parser_close_list(struct imap_parser *parser)
parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX;
return FALSE;
}
+ if (parser->list_count >= parser->list_count_limit) {
+ parser->error_msg = "Too many '('";
+ parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX;
+ return FALSE;
+ }
+ parser->list_count++;
arg = imap_arg_create(parser);
arg->type = IMAP_ARG_EOL;
diff --git a/src/lib-imap/imap-parser.h b/src/lib-imap/imap-parser.h
index 16ef2c7a34..3832cc9b92 100644
--- a/src/lib-imap/imap-parser.h
+++ b/src/lib-imap/imap-parser.h
@@ -39,6 +39,12 @@ enum imap_parser_error {
};
struct imap_parser_params {
+ /* How many open lists ('(' chars) to allow before faililng the parsing.
+ 0 means unlimited. This is mainly used to prevent excessive memory
+ usage in imap-login process. In imap process there are many other
+ ways to increase memory usage, so we let the max_line_size be the
+ only limit. */
+ unsigned int list_count_limit;
};
struct imap_parser;
diff --git a/src/lib-imap/test-imap-parser.c b/src/lib-imap/test-imap-parser.c
index 58c5863d67..0350ea7352 100644
--- a/src/lib-imap/test-imap-parser.c
+++ b/src/lib-imap/test-imap-parser.c
@@ -2,6 +2,7 @@
#include "lib.h"
#include "istream.h"
+#include "istream-chain.h"
#include "imap-parser.h"
#include "test-common.h"
@@ -79,6 +80,50 @@ static void test_imap_parser_partial_list(void)
test_end();
}
+static void test_imap_parser_list_limit(void)
+{
+ struct {
+ const char *input;
+ int ret;
+ } tests[] = {
+ { "(())\r\n", 1 },
+ { "((()))\r\n", -1 },
+ };
+ struct istream_chain *chain;
+ struct istream *chain_input;
+ struct imap_parser *parser;
+ const struct imap_arg *args;
+
+ test_begin("imap parser list limit");
+ struct imap_parser_params params = {
+ .list_count_limit = 2,
+ };
+
+ for (unsigned int i = 0; i < N_ELEMENTS(tests); i++) {
+ chain_input = i_stream_create_chain(&chain);
+ parser = imap_parser_create(chain_input, NULL, 1024, &params);
+
+ for (unsigned int j = 0; j < 2; j++) {
+ struct istream *input =
+ test_istream_create(tests[i].input);
+ i_stream_chain_append(chain, input);
+ i_stream_unref(&input);
+
+ (void)i_stream_read(chain_input);
+
+ test_assert_cmp(imap_parser_read_args(parser, 0, 0, &args), ==, tests[i].ret);
+ /* skip over CRLF */
+ i_stream_skip(chain_input, i_stream_get_data_size(chain_input));
+
+ /* make sure parser reset works */
+ imap_parser_reset(parser);
+ }
+ imap_parser_unref(&parser);
+ i_stream_destroy(&chain_input);
+ }
+ test_end();
+}
+
static void test_imap_parser_read_tag_cmd(void)
{
enum read_type {
@@ -205,6 +250,7 @@ int main(void)
static void (*const test_functions[])(void) = {
test_imap_parser_crlf,
test_imap_parser_partial_list,
+ test_imap_parser_list_limit,
test_imap_parser_read_tag_cmd,
NULL
};

View File

@ -0,0 +1,71 @@
diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
index 84e6a90db4..93966b2d15 100644
--- a/src/imap-login/imap-login-client.c
+++ b/src/imap-login/imap-login-client.c
@@ -380,11 +380,14 @@ static int imap_client_create(struct client *client)
{
struct imap_client *imap_client = (struct imap_client *)client;
+ struct imap_parser_params params = {
+ .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
+ };
imap_client->set = other_sets[0];
imap_client->parser =
imap_parser_create(imap_client->common.input,
imap_client->common.output,
- IMAP_LOGIN_MAX_LINE_LENGTH, NULL);
+ IMAP_LOGIN_MAX_LINE_LENGTH, &params);
if (imap_client->set->imap_literal_minus)
imap_parser_enable_literal_minus(imap_client->parser);
client->io = io_add_istream(client->input, client_input, client);
@@ -469,11 +472,14 @@ static void imap_client_starttls(struct client *client)
{
struct imap_client *imap_client = (struct imap_client *)client;
+ struct imap_parser_params params = {
+ .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
+ };
imap_parser_unref(&imap_client->parser);
imap_client->parser =
imap_parser_create(imap_client->common.input,
imap_client->common.output,
- IMAP_LOGIN_MAX_LINE_LENGTH, NULL);
+ IMAP_LOGIN_MAX_LINE_LENGTH, &params);
/* CRLF is lost from buffer when streams are reopened. */
imap_client->skip_line = FALSE;
diff --git a/src/imap-login/imap-login-client.h b/src/imap-login/imap-login-client.h
index ffac6ec855..1ff88015b2 100644
--- a/src/imap-login/imap-login-client.h
+++ b/src/imap-login/imap-login-client.h
@@ -11,6 +11,10 @@
/* maximum length for IMAP command line. */
#define IMAP_LOGIN_MAX_LINE_LENGTH 8192
+/* Maximum number of '(' allowed in an IMAP command. Pre-login only uses
+ lists in the ID command. */
+#define IMAP_LOGIN_LIST_COUNT_LIMIT 1
+
enum imap_client_id_state {
IMAP_CLIENT_ID_STATE_LIST = 0,
IMAP_CLIENT_ID_STATE_KEY,
diff --git a/src/imap-login/imap-login-cmd-id.c b/src/imap-login/imap-login-cmd-id.c
index be2097f70b..a07b1f8f56 100644
--- a/src/imap-login/imap-login-cmd-id.c
+++ b/src/imap-login/imap-login-cmd-id.c
@@ -389,10 +389,14 @@ int cmd_id(struct imap_client *client)
if (client->cmd_id == NULL) {
client->cmd_id = id = i_new(struct imap_client_cmd_id, 1);
+
+ struct imap_parser_params params = {
+ .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
+ };
id->parser = imap_parser_create(client->common.input,
client->common.output,
IMAP_LOGIN_MAX_LINE_LENGTH,
- NULL);
+ &params);
if (client->set->imap_literal_minus)
imap_parser_enable_literal_minus(id->parser);
parser_flags = IMAP_PARSE_FLAG_STOP_AT_LIST;

View File

@ -0,0 +1,48 @@
diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
index 93966b2d15..7e7578d4d4 100644
--- a/src/imap-login/imap-login-client.c
+++ b/src/imap-login/imap-login-client.c
@@ -380,7 +380,7 @@ static int imap_client_create(struct client *client)
{
struct imap_client *imap_client = (struct imap_client *)client;
- struct imap_parser_params params = {
+ const struct imap_parser_params params = {
.list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
};
imap_client->set = other_sets[0];
@@ -415,7 +415,7 @@ static void imap_client_starttls(struct
{
struct imap_client *imap_client = (struct imap_client *)client;
- struct imap_parser_params params = {
+ const struct imap_parser_params params = {
.list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
};
imap_parser_unref(&imap_client->parser);
diff --git a/src/imap-login/imap-login-cmd-id.c b/src/imap-login/imap-login-cmd-id.c
index a07b1f8f56..da254a2923 100644
--- a/src/imap-login/imap-login-cmd-id.c
+++ b/src/imap-login/imap-login-cmd-id.c
@@ -390,7 +390,7 @@ int cmd_id(struct imap_client *client)
if (client->cmd_id == NULL) {
client->cmd_id = id = i_new(struct imap_client_cmd_id, 1);
- struct imap_parser_params params = {
+ const struct imap_parser_params params = {
.list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
};
id->parser = imap_parser_create(client->common.input,
diff --git a/src/lib-imap/test-imap-parser.c b/src/lib-imap/test-imap-parser.c
index 0350ea7352..fb7c308a23 100644
--- a/src/lib-imap/test-imap-parser.c
+++ b/src/lib-imap/test-imap-parser.c
@@ -95,7 +95,7 @@ static void test_imap_parser_list_limit(void)
const struct imap_arg *args;
test_begin("imap parser list limit");
- struct imap_parser_params params = {
+ const struct imap_parser_params params = {
.list_count_limit = 2,
};

View File

@ -0,0 +1,14 @@
diff --git a/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c b/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c
index 6965b511..33d6804c 100644
--- a/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c
+++ b/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c
@@ -379,7 +379,8 @@ bool cmd_filter_sieve(struct client_command_context *cmd)
asynchronously the same way as APPEND does. */
client->input_lock = cmd;
ctx->parser = imap_parser_create(client->input, client->output,
- client->set->imap_max_line_length);
+ client->set->imap_max_line_length,
+ NULL);
if (client->set->imap_literal_minus)
imap_parser_enable_literal_minus(ctx->parser);
o_stream_unset_flush_callback(client->output);

View File

@ -0,0 +1,17 @@
diff --git a/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c b/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c
index cd7739d0..354e6746 100644
--- a/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c
+++ b/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c
@@ -189,6 +189,11 @@ static int managesieve_client_auth_read_
if ( i_stream_get_size
(msieve_client->auth_response_input, FALSE, &resp_size) <= 0 )
resp_size = 0;
+ else if (resp_size > LOGIN_MAX_AUTH_BUF_SIZE) {
+ client_destroy(client,
+ "Authentication response too large");
+ return -1;
+ }
if (client->auth_response == NULL)
client->auth_response = str_new(default_pool, I_MAX(resp_size+1, 256));

View File

@ -8,10 +8,10 @@ Subject: [PATCH 01/12] lib-sieve: sieve-interpreter - Fix field mixup in debug
src/lib-sieve/sieve-interpreter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib-sieve/sieve-interpreter.c b/src/lib-sieve/sieve-interpreter.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c b/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c
index 9ee6c659..274e142d 100644
--- a/src/lib-sieve/sieve-interpreter.c
+++ b/src/lib-sieve/sieve-interpreter.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c
@@ -1003,8 +1003,8 @@ int sieve_interpreter_continue(struct sieve_interpreter *interp,
}
e_debug(e->event(), "Finished running script `%s' "
@ -33,10 +33,10 @@ Subject: [PATCH 02/12] lib-sieve: sieve-result - Remove success parameter from
src/lib-sieve/sieve-result.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
index 55eb9f54..d3f2f925 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
@@ -1475,8 +1475,7 @@ void sieve_result_execution_destroy(struct sieve_result_execution **_rexec)
}
@ -108,10 +108,10 @@ Subject: [PATCH 03/12] lib-sieve: sieve-result - Remove success parameter from
src/lib-sieve/sieve-result.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
index d3f2f925..3cf2c02a 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
@@ -1603,8 +1603,7 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
}
@ -162,10 +162,10 @@ Subject: [PATCH 04/12] lib-sieve: sieve-result - Move temp failure status
src/lib-sieve/sieve-result.c | 38 ++++++++++++++++++++++++------------
1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
index 3cf2c02a..44afeef7 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
@@ -934,6 +934,7 @@ struct sieve_result_execution {
bool keep_success:1;
bool keep_explicit:1;
@ -243,10 +243,10 @@ Subject: [PATCH 05/12] lib-sieve: sieve-result - Move temp failure status
src/lib-sieve/sieve-result.c | 56 +++++++++++++++++++++---------------
1 file changed, 33 insertions(+), 23 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
index 44afeef7..10cc3b95 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
@@ -1629,7 +1629,20 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
@ -334,10 +334,10 @@ only be rolled back.
src/lib-sieve/sieve-result.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
index 10cc3b95..82354831 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
@@ -1494,8 +1494,6 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
break;
case SIEVE_EXEC_TEMP_FAILURE:
@ -358,10 +358,10 @@ Subject: [PATCH 07/12] lib-sieve: sieve-result - Fix handling of resource
src/lib-sieve/sieve-result.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
index 82354831..96582075 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
@@ -1980,6 +1980,7 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
result_status = SIEVE_EXEC_FAILURE;
break;
@ -385,10 +385,10 @@ of delivery when the mail user is destroyed.
src/lib-sieve/sieve-result.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
index 96582075..10ea349c 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
@@ -1627,7 +1627,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
@ -439,10 +439,10 @@ Subject: [PATCH 09/12] lib-sieve: sieve-result - Assert that implicit keep is
src/lib-sieve/sieve-result.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
index 10ea349c..de97d6ae 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
@@ -1691,6 +1691,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
if (act_keep->def == NULL)
return rexec->keep_status;
@ -463,10 +463,10 @@ Subject: [PATCH 10/12] lib-sieve: sieve-result - Add debug messages for temp
src/lib-sieve/sieve-result.c | 28 +++++++++++++++++++++++++---
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
index de97d6ae..c21c8017 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
@@ -1494,10 +1494,21 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
break;
case SIEVE_EXEC_TEMP_FAILURE:
@ -528,10 +528,10 @@ Subject: [PATCH 11/12] lib-sieve: sieve-result - Indicate in
src/lib-sieve/sieve-result.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
index c21c8017..6f3cb954 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
@@ -1796,10 +1796,11 @@ sieve_result_transaction_execute(struct sieve_result_execution *rexec,
}
@ -558,10 +558,10 @@ Subject: [PATCH 12/12] lib-sieve: sieve-result - Indicate in
src/lib-sieve/sieve-result.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
index 6f3cb954..effd6f28 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
@@ -1859,10 +1859,11 @@ sieve_result_transaction_commit_or_rollback(
}

View File

@ -5,7 +5,7 @@ Name: dovecot
Epoch: 1
Version: 2.3.16
%global prever %{nil}
Release: 6%{?dist}
Release: 7%{?dist}
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
License: MIT and LGPLv2
Group: System Environment/Daemons
@ -68,6 +68,26 @@ Patch22: dovecot-2.3.21.1-CVE-2024-23185.patch
# fix test failing due to too long path with all the mock path prefixes
Patch23: dovecot-2.3.21-test-socket-path.patch
# from upstream for < 2.4.3, RHEL-161630
# https://github.com/dovecot/pigeonhole/commit/54f645225a8a7911d7e16e9d50f170d217b0be95
Patch24: dovecot-2.3-cve-2026-27858.patch
# from upstream for < 2.4.3, RHEL-162282
# https://github.com/dovecot/pigeonhole/commit/efb68fac3a9d2d04d38c4ab14dd570cf0c23923c
Patch25: dovecot-2.3-cve-2025-59032.patch
# from upstream for < 2.4.3, RHEL-161669
# https://github.com/dovecot/core/commit/825bc297f87b856992aa14beac596ec838248210
Patch26: dovecot-2.3-cve-2026-27857p1of5.patch
# https://github.com/dovecot/core/commit/d0f67b52914565a35f3817335ab9633cb291513c
Patch27: dovecot-2.3-cve-2026-27857p2of5.patch
# https://github.com/dovecot/core/commit/af1fb4da5c1c5c458dc1d54dee3aefde6d3aa835
Patch28: dovecot-2.3-cve-2026-27857p3of5.patch
# https://github.com/dovecot/core/commit/3435e0d44c131eb1046a84fd83798f1e101b725e
Patch29: dovecot-2.3-cve-2026-27857p4of5.patch
# https://github.com/dovecot/pigeonhole/commit/5701db04455ee4d8e927d0b225634780a9b656b4
Patch30: dovecot-2.3-cve-2026-27857p5of5.patch
Source15: prestartscript
BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
@ -163,6 +183,10 @@ This package provides the development files for dovecot.
%prep
%setup -q -n %{name}-%{version}%{?prever} -a 8
# standardize name, so we don't have to update patches and scripts
mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole
%patch -P 1 -p1 -b .default-settings
%patch -P 2 -p1 -b .mkcert-permissions
%patch -P 3 -p1 -b .mkcert-paths
@ -175,15 +199,19 @@ This package provides the development files for dovecot.
%patch -P 15 -p1 -b .ftbfsbigend
%patch -P 16 -p1 -b .keeplzma
%patch -P 17 -p1 -b .7bad6a24
%patch -P 18 -p1 -b .9f300239..4596d399
%patch -P 19 -p1 -b .bdf447e4
%patch -P 20 -p1 -b .d7705bc6
%patch -P 21 -p1 -b .CVE-2024-23184
%patch -P 22 -p1 -b .CVE-2024-23185
%patch -P 23 -p1 -b .test-socket-path
pushd dovecot-2*3-pigeonhole-%{pigeonholever}
%patch -P 18 -p1 -b .9f300239..4596d399
popd
%patch -P 24 -p1 -b .cve-2026-27858
%patch -P 25 -p1 -b .cve-2025-59032
%patch -P 26 -p1 -b .cve-2026-27857p1of5
%patch -P 27 -p1 -b .cve-2026-27857p2of5
%patch -P 28 -p1 -b .cve-2026-27857p3of5
%patch -P 29 -p1 -b .cve-2026-27857p4of5
%patch -P 30 -p1 -b .cve-2026-27857p5of5
sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
@ -227,7 +255,7 @@ sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10
make %{?_smp_mflags}
#pigeonhole
pushd dovecot-2*3-pigeonhole-%{pigeonholever}
pushd dovecot-pigeonhole
# required for snapshot
[ -f configure ] || autoreconf -fiv
@ -253,7 +281,7 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/
# fix multilib issues
%multilib_fix_c_header --file %{_includedir}/dovecot/config.h
pushd dovecot-2*3-pigeonhole-%{pigeonholever}
pushd dovecot-pigeonhole
make install DESTDIR=$RPM_BUILD_ROOT
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
@ -391,7 +419,7 @@ fi
%check
make check
cd dovecot-2*3-pigeonhole-%{pigeonholever}
cd dovecot-pigeonhole
make check
%files
@ -544,6 +572,11 @@ make check
%{_libdir}/%{name}/dict/libdriver_pgsql.so
%changelog
* Mon Apr 13 2026 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-7
- fix CVE-2026-27858: denial of service via crafted message before authentication (RHEL-161630)
- fix CVE-2025-59032: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (RHEL-162282)
- fix CVE-2026-27857: denial of service via specially crafted NOOP command (RHEL-161669)
* Tue Aug 20 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-6
- fix CVE-2024-23185: very large headers can cause resource exhaustion when parsing message (RHEL-55219)
- fix CVE-2024-23184: using a large number of address headers may trigger a denial of service (RHEL-55206)