From cb203ee7f14b25602ef0c9b2fd7348366723dbc0 Mon Sep 17 00:00:00 2001 From: RHEL Packaging Agent Date: Fri, 26 Jun 2026 11:28:05 +0000 Subject: [PATCH] Fix CVE-2026-42006: bypass of CVE-2026-27857 IMAP parser fix Backport upstream commit 9a0f8c1066956ea7450ca82b57f904332006a502 to fix CVE-2026-42006. The IMAP parser's list_count_limit was incorrectly checking the limit in imap_parser_close_list() (on ')') instead of imap_parser_open_list() (on '('). This patch moves the check so it correctly limits the number of open braces, preventing potential abuse via deeply nested lists. CVE: CVE-2026-42006 Upstream patches: - https://github.com/dovecot/core/commit/9a0f8c1066956ea7450ca82b57f904332006a502.patch Resolves: RHEL-188480 This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent. Assisted-by: Ymir --- dovecot-2.3-cve-2026-42006.patch | 101 +++++++++++++++++++++++++++++++ dovecot.spec | 11 +++- 2 files changed, 111 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3-cve-2026-42006.patch diff --git a/dovecot-2.3-cve-2026-42006.patch b/dovecot-2.3-cve-2026-42006.patch new file mode 100644 index 0000000..141087e --- /dev/null +++ b/dovecot-2.3-cve-2026-42006.patch @@ -0,0 +1,101 @@ +From 73983fb8e62e93d06c2563f33d268937c7fa4164 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Mon, 27 Apr 2026 17:40:46 +0300 +Subject: [PATCH] lib-imap: Fix imap_parser_params.list_count_limit to actually + work + +The previous fix in d0f67b52914565a35f3817335ab9633cb291513c was +accidentally limiting the number of ')', not the number of '('. +--- + src/lib-imap/imap-parser.c | 19 +++++++++++-------- + src/lib-imap/test-imap-parser.c | 14 ++++++++++++-- + 2 files changed, 23 insertions(+), 10 deletions(-) + +diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c +index 20fe7bf..3cd87ab 100644 +--- a/src/lib-imap/imap-parser.c ++++ b/src/lib-imap/imap-parser.c +@@ -191,8 +191,15 @@ static struct imap_arg *imap_arg_create(struct imap_parser *parser) + return arg; + } + +-static void imap_parser_open_list(struct imap_parser *parser) ++static bool imap_parser_open_list(struct imap_parser *parser) + { ++ if (parser->list_count >= parser->list_count_limit) { ++ parser->error_msg = "Too many '('"; ++ parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX; ++ return FALSE; ++ } ++ parser->list_count++; ++ + parser->list_arg = imap_arg_create(parser); + parser->list_arg->type = IMAP_ARG_LIST; + p_array_init(&parser->list_arg->_data.list, parser->pool, +@@ -200,6 +207,7 @@ static void imap_parser_open_list(struct imap_parser *parser) + parser->cur_list = &parser->list_arg->_data.list; + + parser->cur_type = ARG_PARSE_NONE; ++ return TRUE; + } + + static bool imap_parser_close_list(struct imap_parser *parser) +@@ -217,12 +225,6 @@ static bool imap_parser_close_list(struct imap_parser *parser) + parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX; + return FALSE; + } +- if (parser->list_count >= parser->list_count_limit) { +- parser->error_msg = "Too many '('"; +- parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX; +- return FALSE; +- } +- parser->list_count++; + + arg = imap_arg_create(parser); + arg->type = IMAP_ARG_EOL; +@@ -673,7 +675,8 @@ static bool imap_parser_read_arg(struct imap_parser *parser) + parser->literal8 = FALSE; + break; + case '(': +- imap_parser_open_list(parser); ++ if (!imap_parser_open_list(parser)) ++ return FALSE; + if ((parser->flags & IMAP_PARSE_FLAG_STOP_AT_LIST) != 0) { + i_stream_skip(parser->input, 1); + return FALSE; +diff --git a/src/lib-imap/test-imap-parser.c b/src/lib-imap/test-imap-parser.c +index 0767cfb..cd6bcdd 100644 +--- a/src/lib-imap/test-imap-parser.c ++++ b/src/lib-imap/test-imap-parser.c +@@ -85,9 +85,15 @@ static void test_imap_parser_list_limit(void) + struct { + const char *input; + int ret; ++ const char *error; + } tests[] = { +- { "(())\r\n", 1 }, +- { "((()))\r\n", -1 }, ++ { "(())\r\n", 1, NULL }, ++ { "((\r\n", -1, "Missing ')'" }, ++ { "(()\r\n", -1, "Missing ')'" }, ++ { "(()))\r\n", -1, "Unexpected ')'" }, ++ { "((()))\r\n", -1, "Too many '('" }, ++ { "(({10}\r\n", -2, NULL }, ++ { "((({10}\r\n", -1, "Too many '('" }, + }; + struct istream_chain *chain; + struct istream *chain_input; +@@ -112,6 +118,10 @@ static void test_imap_parser_list_limit(void) + (void)i_stream_read(chain_input); + + test_assert_cmp(imap_parser_read_args(parser, 0, 0, &args), ==, tests[i].ret); ++ if (tests[i].ret == -1) { ++ enum imap_parser_error err; ++ test_assert_strcmp_idx(imap_parser_get_error(parser, &err), tests[i].error, i); ++ } + /* skip over CRLF */ + i_stream_skip(chain_input, i_stream_get_data_size(chain_input)); + +-- +2.52.0 + diff --git a/dovecot.spec b/dovecot.spec index 466f723..12cef13 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.16 %global prever %{nil} -Release: 7%{?dist} +Release: 8%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -88,6 +88,10 @@ Patch29: dovecot-2.3-cve-2026-27857p4of5.patch # https://github.com/dovecot/pigeonhole/commit/5701db04455ee4d8e927d0b225634780a9b656b4 Patch30: dovecot-2.3-cve-2026-27857p5of5.patch +# from upstream for < 2.4.4, RHEL-188480 +# https://github.com/dovecot/core/commit/9a0f8c1066956ea7450ca82b57f904332006a502 +Patch31: dovecot-2.3-cve-2026-42006.patch + Source15: prestartscript BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -212,6 +216,7 @@ mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 28 -p1 -b .cve-2026-27857p3of5 %patch -P 29 -p1 -b .cve-2026-27857p4of5 %patch -P 30 -p1 -b .cve-2026-27857p5of5 +%patch -P 31 -p1 -b .cve-2026-42006 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in @@ -572,6 +577,10 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Fri Jun 26 2026 RHEL Packaging Agent - 1:2.3.16-8 +- fix CVE-2026-42006: fix IMAP parser list_count_limit to correctly + limit open braces instead of close braces (RHEL-188480) + * Mon Apr 13 2026 Michal Hlavinka - 1:2.3.16-7 - fix CVE-2026-27858: denial of service via crafted message before authentication (RHEL-161630) - fix CVE-2025-59032: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (RHEL-162282)