diff --git a/dovecot-2.3-cve-2025-59032.patch b/dovecot-2.3-cve-2025-59032.patch new file mode 100644 index 0000000..aff4b50 --- /dev/null +++ b/dovecot-2.3-cve-2025-59032.patch @@ -0,0 +1,20 @@ +diff --git a/dovecot-pigeonhole/src/managesieve-login/client.c b/dovecot-pigeonhole/src/managesieve-login/client.c +index 3b2492ca..2ad47b4c 100644 +--- a/dovecot-pigeonhole/src/managesieve-login/client.c ++++ b/dovecot-pigeonhole/src/managesieve-login/client.c +@@ -345,10 +345,12 @@ static bool managesieve_client_input_next_cmd(struct client *client) + if ( args[0].type != MANAGESIEVE_ARG_EOL ) + ret = -1; + } +- } +- if (ret > 0) { ++ if (ret > 0) ++ ret = client->cmd->func(client, args); ++ } else { ++ /* Continue unfinished command */ + i_assert(client->cmd != NULL); +- ret = client->cmd->func(client, args); ++ ret = client->cmd->func(client, NULL); + } + + if (ret != 0) diff --git a/dovecot-2.3-cve-2026-27857p1of5.patch b/dovecot-2.3-cve-2026-27857p1of5.patch new file mode 100644 index 0000000..6392a16 --- /dev/null +++ b/dovecot-2.3-cve-2026-27857p1of5.patch @@ -0,0 +1,257 @@ +diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c +index c761f91d6e..84e6a90db4 100644 +--- a/src/imap-login/imap-login-client.c ++++ b/src/imap-login/imap-login-client.c +@@ -379,7 +379,7 @@ static void imap_client_create(struct cl + imap_client->parser = + imap_parser_create(imap_client->common.input, + imap_client->common.output, +- IMAP_LOGIN_MAX_LINE_LENGTH); ++ IMAP_LOGIN_MAX_LINE_LENGTH, NULL); + if (imap_client->set->imap_literal_minus) + imap_parser_enable_literal_minus(imap_client->parser); + client->io = io_add_istream(client->input, client_input, client); +@@ -473,7 +473,7 @@ static void imap_client_starttls(struct client *client) + imap_client->parser = + imap_parser_create(imap_client->common.input, + imap_client->common.output, +- IMAP_LOGIN_MAX_LINE_LENGTH); ++ IMAP_LOGIN_MAX_LINE_LENGTH, NULL); + + /* CRLF is lost from buffer when streams are reopened. */ + imap_client->skip_line = FALSE; +diff --git a/src/imap-login/imap-login-cmd-id.c b/src/imap-login/imap-login-cmd-id.c +index 24b365dc0c..be2097f70b 100644 +--- a/src/imap-login/imap-login-cmd-id.c ++++ b/src/imap-login/imap-login-cmd-id.c +@@ -391,7 +391,8 @@ int cmd_id(struct imap_client *client) + client->cmd_id = id = i_new(struct imap_client_cmd_id, 1); + id->parser = imap_parser_create(client->common.input, + client->common.output, +- IMAP_LOGIN_MAX_LINE_LENGTH); ++ IMAP_LOGIN_MAX_LINE_LENGTH, ++ NULL); + if (client->set->imap_literal_minus) + imap_parser_enable_literal_minus(id->parser); + parser_flags = IMAP_PARSE_FLAG_STOP_AT_LIST; +diff --git a/src/imap/cmd-append.c b/src/imap/cmd-append.c +index 8e1dec27e6..18f16fc119 100644 +--- a/src/imap/cmd-append.c ++++ b/src/imap/cmd-append.c +@@ -1202,7 +1202,8 @@ static bool cmd_append_full(struct client_command_context *cmd, bool replace) + o_stream_unset_flush_callback(client->output); + + ctx->save_parser = imap_parser_create(client->input, client->output, +- client->set->imap_max_line_length); ++ client->set->imap_max_line_length, ++ NULL); + if (client->set->imap_literal_minus) + imap_parser_enable_literal_minus(ctx->save_parser); + +diff --git a/src/imap/cmd-setmetadata.c b/src/imap/cmd-setmetadata.c +index 4278c8720e..686c72c984 100644 +--- a/src/imap/cmd-setmetadata.c ++++ b/src/imap/cmd-setmetadata.c +@@ -289,7 +289,8 @@ cmd_setmetadata_start(struct imap_setmetadata_context *ctx) + asynchronously the same way as APPEND does. */ + client->input_lock = cmd; + ctx->parser = imap_parser_create(client->input, client->output, +- client->set->imap_max_line_length); ++ client->set->imap_max_line_length, ++ NULL); + if (client->set->imap_literal_minus) + imap_parser_enable_literal_minus(ctx->parser); + o_stream_unset_flush_callback(client->output); +diff --git a/src/imap/imap-client.c b/src/imap/imap-client.c +index 47709aa400..10a8968988 100644 +--- a/src/imap/imap-client.c ++++ b/src/imap/imap-client.c +@@ -994,7 +994,8 @@ client_command_new(struct client *client) + } else { + cmd->parser = + imap_parser_create(client->input, client->output, +- client->set->imap_max_line_length); ++ client->set->imap_max_line_length, ++ NULL); + if (client->set->imap_literal_minus) + imap_parser_enable_literal_minus(cmd->parser); + } +diff --git a/src/lib-imap-client/imapc-connection.c b/src/lib-imap-client/imapc-connection.c +index 17aa54c3b0..25dfd32499 100644 +--- a/src/lib-imap-client/imapc-connection.c ++++ b/src/lib-imap-client/imapc-connection.c +@@ -1914,7 +1914,8 @@ static void imapc_connection_connect_next_ip(struct imapc_connection *conn) + o_stream_set_flush_callback(conn->output, imapc_connection_connected, + conn); + conn->parser = imap_parser_create(conn->input, NULL, +- conn->client->set.max_line_length); ++ conn->client->set.max_line_length, ++ NULL); + conn->to = timeout_add(conn->client->set.connect_timeout_msecs, + imapc_connection_timeout, conn); + conn->to_output = timeout_add(conn->client->set.max_idle_time*1000, +diff --git a/src/lib-imap-storage/imap-msgpart.c b/src/lib-imap-storage/imap-msgpart.c +index 0442a345b4..3c0bbf5a81 100644 +--- a/src/lib-imap-storage/imap-msgpart.c ++++ b/src/lib-imap-storage/imap-msgpart.c +@@ -149,7 +149,7 @@ imap_msgpart_get_header_fields(pool_t pool, const char *header_list, + int result = 0; + + input = i_stream_create_from_data(header_list, strlen(header_list)); +- parser = imap_parser_create(input, NULL, SIZE_MAX); ++ parser = imap_parser_create(input, NULL, SIZE_MAX, NULL); + + if (imap_parser_finish_line(parser, 0, 0, &args) > 0 && + imap_arg_get_list_full(args, &hdr_list, &list_count) && +diff --git a/src/lib-imap/imap-bodystructure.c b/src/lib-imap/imap-bodystructure.c +index e3d4b3b564..7910bbcee1 100644 +--- a/src/lib-imap/imap-bodystructure.c ++++ b/src/lib-imap/imap-bodystructure.c +@@ -732,7 +732,7 @@ int imap_bodystructure_parse_full(const char *bodystructure, + input = i_stream_create_from_data(bodystructure, strlen(bodystructure)); + (void)i_stream_read(input); + +- parser = imap_parser_create(input, NULL, SIZE_MAX); ++ parser = imap_parser_create(input, NULL, SIZE_MAX, NULL); + ret = imap_parser_finish_line(parser, 0, + IMAP_PARSE_FLAG_LITERAL_TYPE, &args); + if (ret < 0) { +@@ -982,7 +982,7 @@ int imap_body_parse_from_bodystructure(const char *bodystructure, + input = i_stream_create_from_data(bodystructure, strlen(bodystructure)); + (void)i_stream_read(input); + +- parser = imap_parser_create(input, NULL, SIZE_MAX); ++ parser = imap_parser_create(input, NULL, SIZE_MAX, NULL); + ret = imap_parser_finish_line(parser, 0, IMAP_PARSE_FLAG_NO_UNESCAPE | + IMAP_PARSE_FLAG_LITERAL_TYPE, &args); + if (ret < 0) { +diff --git a/src/lib-imap/imap-envelope.c b/src/lib-imap/imap-envelope.c +index 395e189c70..2e305d7c42 100644 +--- a/src/lib-imap/imap-envelope.c ++++ b/src/lib-imap/imap-envelope.c +@@ -225,7 +225,7 @@ bool imap_envelope_parse(const char *envelope, + input = i_stream_create_from_data(envelope, strlen(envelope)); + (void)i_stream_read(input); + +- parser = imap_parser_create(input, NULL, SIZE_MAX); ++ parser = imap_parser_create(input, NULL, SIZE_MAX, NULL); + ret = imap_parser_finish_line(parser, 0, + IMAP_PARSE_FLAG_LITERAL_TYPE, &args); + if (ret < 0) { +diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c +index 643f80ceeb..532cb97dfb 100644 +--- a/src/lib-imap/imap-parser.c ++++ b/src/lib-imap/imap-parser.c +@@ -69,7 +69,8 @@ struct imap_parser { + + struct imap_parser * + imap_parser_create(struct istream *input, struct ostream *output, +- size_t max_line_size) ++ size_t max_line_size, ++ const struct imap_parser_params *params ATTR_UNUSED) + { + struct imap_parser *parser; + +diff --git a/src/lib-imap/imap-parser.h b/src/lib-imap/imap-parser.h +index cd3748c00f..16ef2c7a34 100644 +--- a/src/lib-imap/imap-parser.h ++++ b/src/lib-imap/imap-parser.h +@@ -38,6 +38,9 @@ enum imap_parser_error { + IMAP_PARSE_ERROR_LITERAL_TOO_BIG + }; + ++struct imap_parser_params { ++}; ++ + struct imap_parser; + + /* Create new IMAP argument parser. output is used for sending command +@@ -53,7 +56,8 @@ struct imap_parser; + 2 * max_line_size. */ + struct imap_parser * + imap_parser_create(struct istream *input, struct ostream *output, +- size_t max_line_size) ATTR_NULL(2); ++ size_t max_line_size, ++ const struct imap_parser_params *params); + void imap_parser_ref(struct imap_parser *parser); + void imap_parser_unref(struct imap_parser **parser); + +diff --git a/src/lib-imap/test-imap-parser.c b/src/lib-imap/test-imap-parser.c +index 32f8d89dea..58c5863d67 100644 +--- a/src/lib-imap/test-imap-parser.c ++++ b/src/lib-imap/test-imap-parser.c +@@ -16,7 +16,7 @@ static void test_imap_parser_crlf(void) + + test_begin("imap parser crlf handling"); + input = test_istream_create(test_input); +- parser = imap_parser_create(input, NULL, 1024); ++ parser = imap_parser_create(input, NULL, 1024, NULL); + + /* must return -2 until LF is read */ + for (i = 0; test_input[i] != '\n'; i++) { +@@ -60,7 +60,7 @@ static void test_imap_parser_partial_list(void) + + test_begin("imap parser partial list"); + input = test_istream_create(test_input); +- parser = imap_parser_create(input, NULL, 1024); ++ parser = imap_parser_create(input, NULL, 1024, NULL); + + (void)i_stream_read(input); + test_assert(imap_parser_read_args(parser, 0, +@@ -128,7 +128,7 @@ static void test_imap_parser_read_tag_cmd(void) + if (tests[i].type != COMMAND) { + input = test_istream_create(tests[i].input); + test_assert(i_stream_read(input) > 0); +- parser = imap_parser_create(input, NULL, 1024); ++ parser = imap_parser_create(input, NULL, 1024, NULL); + ret = imap_parser_read_tag(parser, &atom); + test_assert_idx(ret == tests[i].ret, i); + test_assert_idx(ret <= 0 || strcmp(tests[i].tag, atom) == 0, i); +@@ -139,7 +139,7 @@ static void test_imap_parser_read_tag_cmd(void) + if (tests[i].type != TAG) { + input = test_istream_create(tests[i].input); + test_assert(i_stream_read(input) > 0); +- parser = imap_parser_create(input, NULL, 1024); ++ parser = imap_parser_create(input, NULL, 1024, NULL); + ret = imap_parser_read_command_name(parser, &atom); + test_assert_idx(ret == tests[i].ret, i); + test_assert_idx(ret <= 0 || strcmp(tests[i].tag, atom) == 0, i); +diff --git a/src/plugins/virtual/virtual-config.c b/src/plugins/virtual/virtual-config.c +index f448c81d7d..6ec5aa260e 100644 +--- a/src/plugins/virtual/virtual-config.c ++++ b/src/plugins/virtual/virtual-config.c +@@ -54,7 +54,7 @@ virtual_search_args_parse(const string_t *rule, const char **error_r) + input = i_stream_create_from_data(str_data(rule), str_len(rule)); + (void)i_stream_read(input); + +- imap_parser = imap_parser_create(input, NULL, SIZE_MAX); ++ imap_parser = imap_parser_create(input, NULL, SIZE_MAX, NULL); + ret = imap_parser_finish_line(imap_parser, 0, 0, &args); + if (ret < 0) { + sargs = NULL; +diff --git a/src/lib-imap/imap-id.c b/src/lib-imap/imap-id.c +index f448c81d7d..6ec5aa260e 100644 +--- a/src/lib-imap/imap-id.c ++++ b/src/lib-imap/imap-id.c +@@ -111,7 +111,7 @@ const char *imap_id_reply_generate(const + input = i_stream_create_from_data(settings, strlen(settings)); + (void)i_stream_read(input); + +- parser = imap_parser_create(input, NULL, SIZE_MAX); ++ parser = imap_parser_create(input, NULL, SIZE_MAX, NULL); + if (imap_parser_finish_line(parser, 0, 0, &args) <= 0) + ret = "NIL"; + else +diff --git a/src/director/director-test.c b/src/director/director-test.c +index f448c81d7d..6ec5aa260e 100644 +--- a/src/director/director-test.c ++++ b/src/director/director-test.c +@@ -250,7 +250,7 @@ static void imap_client_create(int fd) + o_stream_set_no_error_handling(client->output, TRUE); + client->io = io_add(fd, IO_READ, imap_client_input, client); + client->parser = +- imap_parser_create(client->input, client->output, 4096); ++ imap_parser_create(client->input, client->output, 4096, NULL); + o_stream_nsend_str(client->output, + "* OK [CAPABILITY IMAP4rev1] director-test ready.\r\n"); + DLLIST_PREPEND(&imap_clients, client); diff --git a/dovecot-2.3-cve-2026-27857p2of5.patch b/dovecot-2.3-cve-2026-27857p2of5.patch new file mode 100644 index 0000000..1f70bf9 --- /dev/null +++ b/dovecot-2.3-cve-2026-27857p2of5.patch @@ -0,0 +1,149 @@ +diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c +index 532cb97dfb..6212aed33d 100644 +--- a/src/lib-imap/imap-parser.c ++++ b/src/lib-imap/imap-parser.c +@@ -39,6 +39,7 @@ struct imap_parser { + struct istream *input; + struct ostream *output; + size_t max_line_size; ++ unsigned int list_count_limit; + enum imap_parser_flags flags; + + /* reset by imap_parser_reset(): */ +@@ -46,6 +47,7 @@ struct imap_parser { + ARRAY_TYPE(imap_arg_list) root_list; + ARRAY_TYPE(imap_arg_list) *cur_list; + struct imap_arg *list_arg; ++ unsigned int list_count; + + enum arg_parse_type cur_type; + size_t cur_pos; /* parser position in input buffer */ +@@ -70,7 +72,7 @@ struct imap_parser { + struct imap_parser * + imap_parser_create(struct istream *input, struct ostream *output, + size_t max_line_size, +- const struct imap_parser_params *params ATTR_UNUSED) ++ const struct imap_parser_params *params) + { + struct imap_parser *parser; + +@@ -81,6 +83,10 @@ imap_parser_create(struct istream *input, struct ostream *output, + parser->input = input; + parser->output = output; + parser->max_line_size = max_line_size; ++ if (params != NULL && params->list_count_limit > 0) ++ parser->list_count_limit = params->list_count_limit; ++ else ++ parser->list_count_limit = UINT_MAX; + + p_array_init(&parser->root_list, parser->pool, LIST_INIT_COUNT); + parser->cur_list = &parser->root_list; +@@ -122,6 +128,7 @@ void imap_parser_reset(struct imap_parser *parser) + p_array_init(&parser->root_list, parser->pool, LIST_INIT_COUNT); + parser->cur_list = &parser->root_list; + parser->list_arg = NULL; ++ parser->list_count = 0; + + parser->cur_type = ARG_PARSE_NONE; + parser->cur_pos = 0; +@@ -210,6 +217,12 @@ static bool imap_parser_close_list(struct imap_parser *parser) + parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX; + return FALSE; + } ++ if (parser->list_count >= parser->list_count_limit) { ++ parser->error_msg = "Too many '('"; ++ parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX; ++ return FALSE; ++ } ++ parser->list_count++; + + arg = imap_arg_create(parser); + arg->type = IMAP_ARG_EOL; +diff --git a/src/lib-imap/imap-parser.h b/src/lib-imap/imap-parser.h +index 16ef2c7a34..3832cc9b92 100644 +--- a/src/lib-imap/imap-parser.h ++++ b/src/lib-imap/imap-parser.h +@@ -39,6 +39,12 @@ enum imap_parser_error { + }; + + struct imap_parser_params { ++ /* How many open lists ('(' chars) to allow before faililng the parsing. ++ 0 means unlimited. This is mainly used to prevent excessive memory ++ usage in imap-login process. In imap process there are many other ++ ways to increase memory usage, so we let the max_line_size be the ++ only limit. */ ++ unsigned int list_count_limit; + }; + + struct imap_parser; +diff --git a/src/lib-imap/test-imap-parser.c b/src/lib-imap/test-imap-parser.c +index 58c5863d67..0350ea7352 100644 +--- a/src/lib-imap/test-imap-parser.c ++++ b/src/lib-imap/test-imap-parser.c +@@ -2,6 +2,7 @@ + + #include "lib.h" + #include "istream.h" ++#include "istream-chain.h" + #include "imap-parser.h" + #include "test-common.h" + +@@ -79,6 +80,50 @@ static void test_imap_parser_partial_list(void) + test_end(); + } + ++static void test_imap_parser_list_limit(void) ++{ ++ struct { ++ const char *input; ++ int ret; ++ } tests[] = { ++ { "(())\r\n", 1 }, ++ { "((()))\r\n", -1 }, ++ }; ++ struct istream_chain *chain; ++ struct istream *chain_input; ++ struct imap_parser *parser; ++ const struct imap_arg *args; ++ ++ test_begin("imap parser list limit"); ++ struct imap_parser_params params = { ++ .list_count_limit = 2, ++ }; ++ ++ for (unsigned int i = 0; i < N_ELEMENTS(tests); i++) { ++ chain_input = i_stream_create_chain(&chain); ++ parser = imap_parser_create(chain_input, NULL, 1024, ¶ms); ++ ++ for (unsigned int j = 0; j < 2; j++) { ++ struct istream *input = ++ test_istream_create(tests[i].input); ++ i_stream_chain_append(chain, input); ++ i_stream_unref(&input); ++ ++ (void)i_stream_read(chain_input); ++ ++ test_assert_cmp(imap_parser_read_args(parser, 0, 0, &args), ==, tests[i].ret); ++ /* skip over CRLF */ ++ i_stream_skip(chain_input, i_stream_get_data_size(chain_input)); ++ ++ /* make sure parser reset works */ ++ imap_parser_reset(parser); ++ } ++ imap_parser_unref(&parser); ++ i_stream_destroy(&chain_input); ++ } ++ test_end(); ++} ++ + static void test_imap_parser_read_tag_cmd(void) + { + enum read_type { +@@ -205,6 +250,7 @@ int main(void) + static void (*const test_functions[])(void) = { + test_imap_parser_crlf, + test_imap_parser_partial_list, ++ test_imap_parser_list_limit, + test_imap_parser_read_tag_cmd, + NULL + }; diff --git a/dovecot-2.3-cve-2026-27857p3of5.patch b/dovecot-2.3-cve-2026-27857p3of5.patch new file mode 100644 index 0000000..0cb8375 --- /dev/null +++ b/dovecot-2.3-cve-2026-27857p3of5.patch @@ -0,0 +1,71 @@ +diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c +index 84e6a90db4..93966b2d15 100644 +--- a/src/imap-login/imap-login-client.c ++++ b/src/imap-login/imap-login-client.c +@@ -380,11 +380,14 @@ static int imap_client_create(struct client *client) + { + struct imap_client *imap_client = (struct imap_client *)client; + ++ struct imap_parser_params params = { ++ .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT, ++ }; + imap_client->set = other_sets[0]; + imap_client->parser = + imap_parser_create(imap_client->common.input, + imap_client->common.output, +- IMAP_LOGIN_MAX_LINE_LENGTH, NULL); ++ IMAP_LOGIN_MAX_LINE_LENGTH, ¶ms); + if (imap_client->set->imap_literal_minus) + imap_parser_enable_literal_minus(imap_client->parser); + client->io = io_add_istream(client->input, client_input, client); +@@ -469,11 +472,14 @@ static void imap_client_starttls(struct client *client) + { + struct imap_client *imap_client = (struct imap_client *)client; + ++ struct imap_parser_params params = { ++ .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT, ++ }; + imap_parser_unref(&imap_client->parser); + imap_client->parser = + imap_parser_create(imap_client->common.input, + imap_client->common.output, +- IMAP_LOGIN_MAX_LINE_LENGTH, NULL); ++ IMAP_LOGIN_MAX_LINE_LENGTH, ¶ms); + + /* CRLF is lost from buffer when streams are reopened. */ + imap_client->skip_line = FALSE; +diff --git a/src/imap-login/imap-login-client.h b/src/imap-login/imap-login-client.h +index ffac6ec855..1ff88015b2 100644 +--- a/src/imap-login/imap-login-client.h ++++ b/src/imap-login/imap-login-client.h +@@ -11,6 +11,10 @@ + /* maximum length for IMAP command line. */ + #define IMAP_LOGIN_MAX_LINE_LENGTH 8192 + ++/* Maximum number of '(' allowed in an IMAP command. Pre-login only uses ++ lists in the ID command. */ ++#define IMAP_LOGIN_LIST_COUNT_LIMIT 1 ++ + enum imap_client_id_state { + IMAP_CLIENT_ID_STATE_LIST = 0, + IMAP_CLIENT_ID_STATE_KEY, +diff --git a/src/imap-login/imap-login-cmd-id.c b/src/imap-login/imap-login-cmd-id.c +index be2097f70b..a07b1f8f56 100644 +--- a/src/imap-login/imap-login-cmd-id.c ++++ b/src/imap-login/imap-login-cmd-id.c +@@ -389,10 +389,14 @@ int cmd_id(struct imap_client *client) + + if (client->cmd_id == NULL) { + client->cmd_id = id = i_new(struct imap_client_cmd_id, 1); ++ ++ struct imap_parser_params params = { ++ .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT, ++ }; + id->parser = imap_parser_create(client->common.input, + client->common.output, + IMAP_LOGIN_MAX_LINE_LENGTH, +- NULL); ++ ¶ms); + if (client->set->imap_literal_minus) + imap_parser_enable_literal_minus(id->parser); + parser_flags = IMAP_PARSE_FLAG_STOP_AT_LIST; diff --git a/dovecot-2.3-cve-2026-27857p4of5.patch b/dovecot-2.3-cve-2026-27857p4of5.patch new file mode 100644 index 0000000..8fb44f1 --- /dev/null +++ b/dovecot-2.3-cve-2026-27857p4of5.patch @@ -0,0 +1,48 @@ +diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c +index 93966b2d15..7e7578d4d4 100644 +--- a/src/imap-login/imap-login-client.c ++++ b/src/imap-login/imap-login-client.c +@@ -380,7 +380,7 @@ static int imap_client_create(struct client *client) + { + struct imap_client *imap_client = (struct imap_client *)client; + +- struct imap_parser_params params = { ++ const struct imap_parser_params params = { + .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT, + }; + imap_client->set = other_sets[0]; +@@ -415,7 +415,7 @@ static void imap_client_starttls(struct + { + struct imap_client *imap_client = (struct imap_client *)client; + +- struct imap_parser_params params = { ++ const struct imap_parser_params params = { + .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT, + }; + imap_parser_unref(&imap_client->parser); +diff --git a/src/imap-login/imap-login-cmd-id.c b/src/imap-login/imap-login-cmd-id.c +index a07b1f8f56..da254a2923 100644 +--- a/src/imap-login/imap-login-cmd-id.c ++++ b/src/imap-login/imap-login-cmd-id.c +@@ -390,7 +390,7 @@ int cmd_id(struct imap_client *client) + if (client->cmd_id == NULL) { + client->cmd_id = id = i_new(struct imap_client_cmd_id, 1); + +- struct imap_parser_params params = { ++ const struct imap_parser_params params = { + .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT, + }; + id->parser = imap_parser_create(client->common.input, +diff --git a/src/lib-imap/test-imap-parser.c b/src/lib-imap/test-imap-parser.c +index 0350ea7352..fb7c308a23 100644 +--- a/src/lib-imap/test-imap-parser.c ++++ b/src/lib-imap/test-imap-parser.c +@@ -95,7 +95,7 @@ static void test_imap_parser_list_limit(void) + const struct imap_arg *args; + + test_begin("imap parser list limit"); +- struct imap_parser_params params = { ++ const struct imap_parser_params params = { + .list_count_limit = 2, + }; + diff --git a/dovecot-2.3-cve-2026-27857p5of5.patch b/dovecot-2.3-cve-2026-27857p5of5.patch new file mode 100644 index 0000000..7a92637 --- /dev/null +++ b/dovecot-2.3-cve-2026-27857p5of5.patch @@ -0,0 +1,14 @@ +diff --git a/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c b/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c +index 6965b511..33d6804c 100644 +--- a/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c ++++ b/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c +@@ -379,7 +379,8 @@ bool cmd_filter_sieve(struct client_command_context *cmd) + asynchronously the same way as APPEND does. */ + client->input_lock = cmd; + ctx->parser = imap_parser_create(client->input, client->output, +- client->set->imap_max_line_length); ++ client->set->imap_max_line_length, ++ NULL); + if (client->set->imap_literal_minus) + imap_parser_enable_literal_minus(ctx->parser); + o_stream_unset_flush_callback(client->output); diff --git a/dovecot-2.3-cve-2026-27858.patch b/dovecot-2.3-cve-2026-27858.patch new file mode 100644 index 0000000..3bc7686 --- /dev/null +++ b/dovecot-2.3-cve-2026-27858.patch @@ -0,0 +1,17 @@ +diff --git a/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c b/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c +index cd7739d0..354e6746 100644 +--- a/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c ++++ b/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c +@@ -189,6 +189,11 @@ static int managesieve_client_auth_read_ + if ( i_stream_get_size + (msieve_client->auth_response_input, FALSE, &resp_size) <= 0 ) + resp_size = 0; ++ else if (resp_size > LOGIN_MAX_AUTH_BUF_SIZE) { ++ client_destroy(client, ++ "Authentication response too large"); ++ return -1; ++ } + + if (client->auth_response == NULL) + client->auth_response = str_new(default_pool, I_MAX(resp_size+1, 256)); + diff --git a/dovecot-2.3.18-9f300239..4596d399.patch b/dovecot-2.3.18-9f300239..4596d399.patch index 3c0ef61..18bd47d 100644 --- a/dovecot-2.3.18-9f300239..4596d399.patch +++ b/dovecot-2.3.18-9f300239..4596d399.patch @@ -8,10 +8,10 @@ Subject: [PATCH 01/12] lib-sieve: sieve-interpreter - Fix field mixup in debug src/lib-sieve/sieve-interpreter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/src/lib-sieve/sieve-interpreter.c b/src/lib-sieve/sieve-interpreter.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c b/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c index 9ee6c659..274e142d 100644 ---- a/src/lib-sieve/sieve-interpreter.c -+++ b/src/lib-sieve/sieve-interpreter.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c @@ -1003,8 +1003,8 @@ int sieve_interpreter_continue(struct sieve_interpreter *interp, } e_debug(e->event(), "Finished running script `%s' " @@ -33,10 +33,10 @@ Subject: [PATCH 02/12] lib-sieve: sieve-result - Remove success parameter from src/lib-sieve/sieve-result.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) -diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c index 55eb9f54..d3f2f925 100644 ---- a/src/lib-sieve/sieve-result.c -+++ b/src/lib-sieve/sieve-result.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c @@ -1475,8 +1475,7 @@ void sieve_result_execution_destroy(struct sieve_result_execution **_rexec) } @@ -108,10 +108,10 @@ Subject: [PATCH 03/12] lib-sieve: sieve-result - Remove success parameter from src/lib-sieve/sieve-result.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) -diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c index d3f2f925..3cf2c02a 100644 ---- a/src/lib-sieve/sieve-result.c -+++ b/src/lib-sieve/sieve-result.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c @@ -1603,8 +1603,7 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec) } @@ -162,10 +162,10 @@ Subject: [PATCH 04/12] lib-sieve: sieve-result - Move temp failure status src/lib-sieve/sieve-result.c | 38 ++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) -diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c index 3cf2c02a..44afeef7 100644 ---- a/src/lib-sieve/sieve-result.c -+++ b/src/lib-sieve/sieve-result.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c @@ -934,6 +934,7 @@ struct sieve_result_execution { bool keep_success:1; bool keep_explicit:1; @@ -243,10 +243,10 @@ Subject: [PATCH 05/12] lib-sieve: sieve-result - Move temp failure status src/lib-sieve/sieve-result.c | 56 +++++++++++++++++++++--------------- 1 file changed, 33 insertions(+), 23 deletions(-) -diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c index 44afeef7..10cc3b95 100644 ---- a/src/lib-sieve/sieve-result.c -+++ b/src/lib-sieve/sieve-result.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c @@ -1629,7 +1629,20 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec) struct sieve_result_action *ract_keep = &rexec->keep_action; struct sieve_action *act_keep = &ract_keep->action; @@ -334,10 +334,10 @@ only be rolled back. src/lib-sieve/sieve-result.c | 2 -- 1 file changed, 2 deletions(-) -diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c index 10cc3b95..82354831 100644 ---- a/src/lib-sieve/sieve-result.c -+++ b/src/lib-sieve/sieve-result.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c @@ -1494,8 +1494,6 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec) break; case SIEVE_EXEC_TEMP_FAILURE: @@ -358,10 +358,10 @@ Subject: [PATCH 07/12] lib-sieve: sieve-result - Fix handling of resource src/lib-sieve/sieve-result.c | 1 + 1 file changed, 1 insertion(+) -diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c index 82354831..96582075 100644 ---- a/src/lib-sieve/sieve-result.c -+++ b/src/lib-sieve/sieve-result.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c @@ -1980,6 +1980,7 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status, result_status = SIEVE_EXEC_FAILURE; break; @@ -385,10 +385,10 @@ of delivery when the mail user is destroyed. src/lib-sieve/sieve-result.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) -diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c index 96582075..10ea349c 100644 ---- a/src/lib-sieve/sieve-result.c -+++ b/src/lib-sieve/sieve-result.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c @@ -1627,7 +1627,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec) struct sieve_result_action *ract_keep = &rexec->keep_action; struct sieve_action *act_keep = &ract_keep->action; @@ -439,10 +439,10 @@ Subject: [PATCH 09/12] lib-sieve: sieve-result - Assert that implicit keep is src/lib-sieve/sieve-result.c | 2 ++ 1 file changed, 2 insertions(+) -diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c index 10ea349c..de97d6ae 100644 ---- a/src/lib-sieve/sieve-result.c -+++ b/src/lib-sieve/sieve-result.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c @@ -1691,6 +1691,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec) if (act_keep->def == NULL) return rexec->keep_status; @@ -463,10 +463,10 @@ Subject: [PATCH 10/12] lib-sieve: sieve-result - Add debug messages for temp src/lib-sieve/sieve-result.c | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) -diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c index de97d6ae..c21c8017 100644 ---- a/src/lib-sieve/sieve-result.c -+++ b/src/lib-sieve/sieve-result.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c @@ -1494,10 +1494,21 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec) break; case SIEVE_EXEC_TEMP_FAILURE: @@ -528,10 +528,10 @@ Subject: [PATCH 11/12] lib-sieve: sieve-result - Indicate in src/lib-sieve/sieve-result.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c index c21c8017..6f3cb954 100644 ---- a/src/lib-sieve/sieve-result.c -+++ b/src/lib-sieve/sieve-result.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c @@ -1796,10 +1796,11 @@ sieve_result_transaction_execute(struct sieve_result_execution *rexec, } @@ -558,10 +558,10 @@ Subject: [PATCH 12/12] lib-sieve: sieve-result - Indicate in src/lib-sieve/sieve-result.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c +diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c index 6f3cb954..effd6f28 100644 ---- a/src/lib-sieve/sieve-result.c -+++ b/src/lib-sieve/sieve-result.c +--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c ++++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c @@ -1859,10 +1859,11 @@ sieve_result_transaction_commit_or_rollback( } diff --git a/dovecot.spec b/dovecot.spec index b9a7aab..466f723 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.16 %global prever %{nil} -Release: 6%{?dist} +Release: 7%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -68,6 +68,26 @@ Patch22: dovecot-2.3.21.1-CVE-2024-23185.patch # fix test failing due to too long path with all the mock path prefixes Patch23: dovecot-2.3.21-test-socket-path.patch +# from upstream for < 2.4.3, RHEL-161630 +# https://github.com/dovecot/pigeonhole/commit/54f645225a8a7911d7e16e9d50f170d217b0be95 +Patch24: dovecot-2.3-cve-2026-27858.patch + +# from upstream for < 2.4.3, RHEL-162282 +# https://github.com/dovecot/pigeonhole/commit/efb68fac3a9d2d04d38c4ab14dd570cf0c23923c +Patch25: dovecot-2.3-cve-2025-59032.patch + +# from upstream for < 2.4.3, RHEL-161669 +# https://github.com/dovecot/core/commit/825bc297f87b856992aa14beac596ec838248210 +Patch26: dovecot-2.3-cve-2026-27857p1of5.patch +# https://github.com/dovecot/core/commit/d0f67b52914565a35f3817335ab9633cb291513c +Patch27: dovecot-2.3-cve-2026-27857p2of5.patch +# https://github.com/dovecot/core/commit/af1fb4da5c1c5c458dc1d54dee3aefde6d3aa835 +Patch28: dovecot-2.3-cve-2026-27857p3of5.patch +# https://github.com/dovecot/core/commit/3435e0d44c131eb1046a84fd83798f1e101b725e +Patch29: dovecot-2.3-cve-2026-27857p4of5.patch +# https://github.com/dovecot/pigeonhole/commit/5701db04455ee4d8e927d0b225634780a9b656b4 +Patch30: dovecot-2.3-cve-2026-27857p5of5.patch + Source15: prestartscript BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -163,6 +183,10 @@ This package provides the development files for dovecot. %prep %setup -q -n %{name}-%{version}%{?prever} -a 8 + +# standardize name, so we don't have to update patches and scripts +mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole + %patch -P 1 -p1 -b .default-settings %patch -P 2 -p1 -b .mkcert-permissions %patch -P 3 -p1 -b .mkcert-paths @@ -175,15 +199,19 @@ This package provides the development files for dovecot. %patch -P 15 -p1 -b .ftbfsbigend %patch -P 16 -p1 -b .keeplzma %patch -P 17 -p1 -b .7bad6a24 +%patch -P 18 -p1 -b .9f300239..4596d399 %patch -P 19 -p1 -b .bdf447e4 %patch -P 20 -p1 -b .d7705bc6 %patch -P 21 -p1 -b .CVE-2024-23184 %patch -P 22 -p1 -b .CVE-2024-23185 %patch -P 23 -p1 -b .test-socket-path -pushd dovecot-2*3-pigeonhole-%{pigeonholever} -%patch -P 18 -p1 -b .9f300239..4596d399 - -popd +%patch -P 24 -p1 -b .cve-2026-27858 +%patch -P 25 -p1 -b .cve-2025-59032 +%patch -P 26 -p1 -b .cve-2026-27857p1of5 +%patch -P 27 -p1 -b .cve-2026-27857p2of5 +%patch -P 28 -p1 -b .cve-2026-27857p3of5 +%patch -P 29 -p1 -b .cve-2026-27857p4of5 +%patch -P 30 -p1 -b .cve-2026-27857p5of5 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in @@ -227,7 +255,7 @@ sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10 make %{?_smp_mflags} #pigeonhole -pushd dovecot-2*3-pigeonhole-%{pigeonholever} +pushd dovecot-pigeonhole # required for snapshot [ -f configure ] || autoreconf -fiv @@ -253,7 +281,7 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/ # fix multilib issues %multilib_fix_c_header --file %{_includedir}/dovecot/config.h -pushd dovecot-2*3-pigeonhole-%{pigeonholever} +pushd dovecot-pigeonhole make install DESTDIR=$RPM_BUILD_ROOT mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole @@ -391,7 +419,7 @@ fi %check make check -cd dovecot-2*3-pigeonhole-%{pigeonholever} +cd dovecot-pigeonhole make check %files @@ -544,6 +572,11 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Apr 13 2026 Michal Hlavinka - 1:2.3.16-7 +- fix CVE-2026-27858: denial of service via crafted message before authentication (RHEL-161630) +- fix CVE-2025-59032: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (RHEL-162282) +- fix CVE-2026-27857: denial of service via specially crafted NOOP command (RHEL-161669) + * Tue Aug 20 2024 Michal Hlavinka - 1:2.3.16-6 - fix CVE-2024-23185: very large headers can cause resource exhaustion when parsing message (RHEL-55219) - fix CVE-2024-23184: using a large number of address headers may trigger a denial of service (RHEL-55206)