
No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

45 changed files with 1872 additions and 1463 deletions


@ -1,2 +0,0 @@
4673c244c6ea73ee3da0bb61d0206a1fe3d0be0e SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz
b5c598ae8b9901bfabdf2c93271f57cde0bde73e SOURCES/dovecot-2.3.16.tar.gz

1
.fmf/version Normal file

@ -0,0 +1 @@
1

4
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz /dovecot-*.tar.gz
SOURCES/dovecot-2.3.16.tar.gz /pigeonhole-*.tar.bz2


@ -1,11 +0,0 @@
diff -up dovecot-2.3.15/dovecot.service.in.waitonline dovecot-2.3.15/dovecot.service.in
--- dovecot-2.3.15/dovecot.service.in.waitonline 2021-06-21 20:19:19.560494654 +0200
+++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:21:17.443066248 +0200
@@ -15,6 +15,7 @@ After=local-fs.target network-online.tar
[Service]
Type=@systemdservicetype@
+ExecStartPre=/usr/libexec/dovecot/prestartscript
ExecStart=@sbindir@/dovecot -F
ExecReload=@bindir@/doveadm reload
ExecStop=@bindir@/doveadm stop
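Review bot: The added `ExecStartPre=/usr/libexec/dovecot/prestartscript` hard-codes its path, while the neighbouring Exec lines use configure substitutions (`@sbindir@`, `@bindir@`), so a build with a different libexec prefix would point at a missing file. As written, a non-zero exit from the script also fails the unit start; if the pre-start step is meant to be best-effort, systemd's `-` prefix (`ExecStartPre=-/usr/libexec/dovecot/prestartscript`) expresses that, otherwise a comment saying the failure is intentional would help. Unless a `User=` line outside this hunk says otherwise, the script runs with the unit's start-up privileges before dovecot itself, so it should be installed root-owned and not writable by any mail account.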


@ -1,13 +0,0 @@
diff -up dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c
--- dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix 2018-09-18 15:00:08.778823903 +0200
+++ dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c 2018-09-18 15:00:08.814823737 +0200
@@ -161,8 +161,7 @@ acl_backend_vfile_object_init(struct acl
T_BEGIN {
if (*name == '\0' ||
mailbox_list_is_valid_name(_backend->list, name, &error)) {
- vname = *name == '\0' ? "" :
- mailbox_list_get_vname(_backend->list, name);
+ vname = mailbox_list_get_vname(_backend->list, name);
dir = acl_backend_vfile_get_local_dir(_backend, name, vname);
aclobj->local_path = dir == NULL ? NULL :
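Review bot: With the `*name == '\0'` shortcut removed, `mailbox_list_get_vname()` is now also called for the empty name, which the enclosing `if` still lets through. What it returns for an empty name is not visible in this hunk, and `acl_backend_vfile_get_local_dir()` derives the ACL file location from that value, so the namespace-root case deserves a comment next to the call, for example `/* name "" is the namespace root; vname is then whatever get_vname() maps it to */` once the intended mapping is confirmed. The function body starts and ends outside the hunk.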


@ -1,17 +0,0 @@
diff --git a/src/lib-index/mail-index-sync.c b/src/lib-index/mail-index-sync.c
index 6322ee1869..c847f1cc01 100644
--- a/src/lib-index/mail-index-sync.c
+++ b/src/lib-index/mail-index-sync.c
@@ -544,6 +544,12 @@ static bool mail_index_sync_view_have_any(struct mail_index_view *view,
return TRUE;
mail_transaction_log_get_head(view->index->log, &log_seq, &log_offset);
+ if (log_seq < view->map->hdr.log_file_seq ||
+ ((log_seq == view->map->hdr.log_file_seq &&
+ log_offset < view->map->hdr.log_file_tail_offset))) {
+ /* invalid offsets - let the syncing handle the error */
+ return TRUE;
+ }
if (mail_transaction_log_view_set(view->log_view,
view->map->hdr.log_file_seq,
view->map->hdr.log_file_tail_offset,


@ -1,53 +0,0 @@
commit ec4595097067a736717ef202fe8542b1b4bc2dd5
Author: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Tue Aug 10 12:22:08 2021 +0300
lib-index: Fix storing cache fields' last_used with 64bit big endian CPUs
diff --git a/src/lib-index/mail-cache-fields.c b/src/lib-index/mail-cache-fields.c
index e929fb559d..429e0d234c 100644
--- a/src/lib-index/mail-cache-fields.c
+++ b/src/lib-index/mail-cache-fields.c
@@ -524,6 +524,19 @@ static void copy_to_buf_byte(struct mail_cache *cache, buffer_t *dest,
}
}
+static void
+copy_to_buf_last_used(struct mail_cache *cache, buffer_t *dest, bool add_new)
+{
+ size_t offset = offsetof(struct mail_cache_field, last_used);
+#if defined(WORDS_BIGENDIAN) && SIZEOF_VOID_P == 8
+ /* 64bit time_t with big endian CPUs: copy the last 32 bits instead of
+ the first 32 bits (that are always 0). The 32 bits are enough until
+ year 2106, so we're not in a hurry to use 64 bits on disk. */
+ offset += sizeof(uint32_t);
+#endif
+ copy_to_buf(cache, dest, add_new, offset, sizeof(uint32_t));
+}
+
static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
{
buffer_t *buffer;
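Review bot: The `#if defined(WORDS_BIGENDIAN) && SIZEOF_VOID_P == 8` guard in `copy_to_buf_last_used()` keys the offset adjustment on pointer width, while its comment says the case being handled is a 64-bit `time_t`. Those are different properties: a 32-bit big-endian build with a 64-bit `time_t` would still copy the upper, always-zero half of the field. Assuming `last_used` is declared as `time_t` (its declaration is outside the hunk), `#ifdef WORDS_BIGENDIAN` with `offset += sizeof(time_t) - sizeof(uint32_t);` covers both widths, because the adjustment becomes zero when the field is already 32 bits.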
@@ -536,9 +549,7 @@ static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
buffer = t_buffer_create(256);
- copy_to_buf(cache, buffer, FALSE,
- offsetof(struct mail_cache_field, last_used),
- sizeof(uint32_t));
+ copy_to_buf_last_used(cache, buffer, FALSE);
ret = mail_cache_write(cache, buffer->data, buffer->used,
offset + MAIL_CACHE_FIELD_LAST_USED());
if (ret == 0) {
@@ -599,9 +610,7 @@ void mail_cache_header_fields_get(struct mail_cache *cache, buffer_t *dest)
buffer_append(dest, &hdr, sizeof(hdr));
/* we have to keep the field order for the existing fields. */
- copy_to_buf(cache, dest, TRUE,
- offsetof(struct mail_cache_field, last_used),
- sizeof(uint32_t));
+ copy_to_buf_last_used(cache, dest, TRUE);
copy_to_buf(cache, dest, TRUE,
offsetof(struct mail_cache_field, field_size),
sizeof(uint32_t));


@ -1,353 +0,0 @@
diff -up dovecot-2.3.16/configure.ac.keeplzma dovecot-2.3.16/configure.ac
--- dovecot-2.3.16/configure.ac.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/configure.ac 2022-02-28 13:58:02.337149927 +0100
@@ -173,7 +173,7 @@ AS_HELP_STRING([--with-bzlib], [Build wi
want_bzlib=auto)
AC_ARG_WITH(lzma,
-AS_HELP_STRING([--with-lzma], [Build with LZMA decompression support (auto)]),
+AS_HELP_STRING([--with-lzma], [Build with LZMA compression support (auto)]),
TEST_WITH(lzma, $withval),
want_lzma=auto)
diff -up dovecot-2.3.16/run-test-valgrind.supp.keeplzma dovecot-2.3.16/run-test-valgrind.supp
--- dovecot-2.3.16/run-test-valgrind.supp.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/run-test-valgrind.supp 2022-02-28 13:58:02.337149927 +0100
@@ -5,6 +5,17 @@
obj:*/bash
}
{
+ <liblzma>
+ Memcheck:Cond
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ fun:lzma_stream_encoder
+ fun:lzma_easy_encoder
+}
+{
<openssl_centos6_i386_v1_0_1_compression_methods>
Memcheck:Leak
fun:malloc
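Review bot: The new `<liblzma>` suppression matches only objects under `/lib/x86_64-linux-gnu/`, so it has no effect on systems that install liblzma elsewhere (for example under a lib64 directory) or on other architectures. A wildcard such as `obj:*/liblzma.so.5.*` keeps the suppression scoped to liblzma while dropping the path dependency. Because the entry silences a `Memcheck:Cond` report, a one-line `#` comment naming the liblzma report it stands for would help a later reader decide when it can be removed.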
diff -up dovecot-2.3.16/src/lib-compression/compression.c.keeplzma dovecot-2.3.16/src/lib-compression/compression.c
--- dovecot-2.3.16/src/lib-compression/compression.c.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/compression.c 2022-02-28 14:22:32.467944396 +0100
@@ -25,6 +25,7 @@
#endif
#ifndef HAVE_LZMA
# define i_stream_create_lzma NULL
+# define o_stream_create_lzma NULL
#endif
#ifndef HAVE_LZ4
# define i_stream_create_lz4 NULL
@@ -216,7 +217,7 @@ const struct compression_handler compres
.ext = ".xz",
.is_compressed = is_compressed_xz,
.create_istream = i_stream_create_lzma,
- .create_ostream = NULL,
+ .create_ostream = o_stream_create_lzma,
.get_min_level = compression_get_min_level_unsupported,
.get_default_level = compression_get_default_level_unsupported,
.get_max_level = compression_get_max_level_unsupported,
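Review bot: The xz handler now exposes `o_stream_create_lzma`, but its three level callbacks stay on the `compression_get_*_level_unsupported` variants. `o_stream_create_lzma()`, added in ostream-lzma.c by this same patch, has `i_assert(level >= 1 && level <= 9)`, so a caller that takes its level from these callbacks could trip the assert and abort the process. Whether it does depends on what the `_unsupported` helpers return, which is not visible here. Either point the callbacks at helpers that return a valid 1..9 range, or add a comment stating which level callers are expected to pass for xz.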
diff -up dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma dovecot-2.3.16/src/lib-compression/Makefile.am
--- dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/Makefile.am 2022-02-28 13:58:02.337149927 +0100
@@ -13,6 +13,7 @@ libcompression_la_SOURCES = \
istream-zlib.c \
istream-bzlib.c \
istream-zstd.c \
+ ostream-lzma.c \
ostream-lz4.c \
ostream-zlib.c \
ostream-bzlib.c \
diff -up dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma dovecot-2.3.16/src/lib-compression/ostream-lzma.c
--- dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma 2022-02-28 13:58:02.338149934 +0100
+++ dovecot-2.3.16/src/lib-compression/ostream-lzma.c 2022-02-28 13:58:02.338149934 +0100
@@ -0,0 +1,263 @@
+/* Copyright (c) 2010-2018 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+
+#ifdef HAVE_LZMA
+
+#include "ostream-private.h"
+#include "ostream-zlib.h"
+#include <lzma.h>
+
+#define CHUNK_SIZE (1024*64)
+
+struct lzma_ostream {
+ struct ostream_private ostream;
+ lzma_stream strm;
+
+ unsigned char outbuf[CHUNK_SIZE];
+ unsigned int outbuf_offset, outbuf_used;
+
+ bool flushed:1;
+};
+
+static void o_stream_lzma_close(struct iostream_private *stream,
+ bool close_parent)
+{
+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
+ i_assert(zstream->ostream.finished ||
+ zstream->ostream.ostream.stream_errno != 0 ||
+ zstream->ostream.error_handling_disabled);
+ lzma_end(&zstream->strm);
+ if (close_parent)
+ o_stream_close(zstream->ostream.parent);
+}
+
+static int o_stream_zlib_send_outbuf(struct lzma_ostream *zstream)
+{
+ ssize_t ret;
+ size_t size;
+
+ if (zstream->outbuf_used == 0)
+ return 1;
+
+ size = zstream->outbuf_used - zstream->outbuf_offset;
+ i_assert(size > 0);
+ ret = o_stream_send(zstream->ostream.parent,
+ zstream->outbuf + zstream->outbuf_offset, size);
+ if (ret < 0) {
+ o_stream_copy_error_from_parent(&zstream->ostream);
+ return -1;
+ }
+ if ((size_t)ret != size) {
+ zstream->outbuf_offset += ret;
+ return 0;
+ }
+ zstream->outbuf_offset = 0;
+ zstream->outbuf_used = 0;
+ return 1;
+}
+
+static ssize_t
+o_stream_lzma_send_chunk(struct lzma_ostream *zstream,
+ const void *data, size_t size)
+{
+ lzma_stream *zs = &zstream->strm;
+ int ret;
+
+ i_assert(zstream->outbuf_used == 0);
+
+ zs->next_in = (void *)data;
+ zs->avail_in = size;
+ while (zs->avail_in > 0) {
+ if (zs->avail_out == 0) {
+ /* previous block was compressed. send it and start
+ compression for a new block. */
+ zs->next_out = zstream->outbuf;
+ zs->avail_out = sizeof(zstream->outbuf);
+
+ zstream->outbuf_used = sizeof(zstream->outbuf);
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) < 0)
+ return -1;
+ if (ret == 0) {
+ /* parent stream's buffer full */
+ break;
+ }
+ }
+
+ ret = lzma_code(zs, LZMA_RUN);
+ switch (ret) {
+ case LZMA_OK:
+ break;
+ case LZMA_MEM_ERROR:
+ i_fatal_status(FATAL_OUTOFMEM,
+ "lzma.write(%s): Out of memory",
+ o_stream_get_name(&zstream->ostream.ostream));
+ default:
+ i_panic("lzma.write(%s) failed with unexpected code %d",
+ o_stream_get_name(&zstream->ostream.ostream), ret);
+ }
+ }
+ size -= zs->avail_in;
+
+ return size;
+}
+
+static int o_stream_lzma_send_flush(struct lzma_ostream *zstream, bool final)
+{
+ lzma_stream *zs = &zstream->strm;
+ size_t len;
+ bool done = FALSE;
+ int ret;
+
+ i_assert(zs->avail_in == 0);
+
+ if (zstream->flushed) {
+ i_assert(zstream->outbuf_used == 0);
+ return 1;
+ }
+
+ if ((ret = o_stream_flush_parent_if_needed(&zstream->ostream)) <= 0)
+ return ret;
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
+ return ret;
+
+ if (!final)
+ return 1;
+
+ i_assert(zstream->outbuf_used == 0);
+ do {
+ len = sizeof(zstream->outbuf) - zs->avail_out;
+ if (len != 0) {
+ zs->next_out = zstream->outbuf;
+ zs->avail_out = sizeof(zstream->outbuf);
+
+ zstream->outbuf_used = len;
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
+ return ret;
+ if (done)
+ break;
+ }
+ ret = lzma_code(zs, LZMA_FINISH);
+ switch (ret) {
+ case LZMA_OK:
+ /* still unfinished - need to call lzma_code() again */
+ break;
+ case LZMA_STREAM_END:
+ /* output is fully finished */
+ done = TRUE;
+ break;
+ case LZMA_MEM_ERROR:
+ i_fatal_status(FATAL_OUTOFMEM,
+ "lzma.write(%s): Out of memory",
+ o_stream_get_name(&zstream->ostream.ostream));
+ default:
+ i_panic("lzma.write(%s) flush failed with unexpected code %d",
+ o_stream_get_name(&zstream->ostream.ostream), ret);
+ }
+ } while (zs->avail_out != sizeof(zstream->outbuf));
+
+ if (final)
+ zstream->flushed = TRUE;
+ i_assert(zstream->outbuf_used == 0);
+ return 1;
+}
+
+static int o_stream_lzma_flush(struct ostream_private *stream)
+{
+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
+ int ret;
+
+ if ((ret = o_stream_lzma_send_flush(zstream, stream->finished)) < 0)
+ return -1;
+ else if (ret > 0)
+ return o_stream_flush_parent(stream);
+ return ret;
+}
+
+static size_t
+o_stream_lzma_get_buffer_used_size(const struct ostream_private *stream)
+{
+ const struct lzma_ostream *zstream =
+ (const struct lzma_ostream *)stream;
+
+ /* outbuf has already compressed data that we're trying to send to the
+ parent stream. We're not including lzma's internal compression
+ buffer size. */
+ return (zstream->outbuf_used - zstream->outbuf_offset) +
+ o_stream_get_buffer_used_size(stream->parent);
+}
+
+static size_t
+o_stream_lzma_get_buffer_avail_size(const struct ostream_private *stream)
+{
+ /* FIXME: not correct - this is counting compressed size, which may be
+ too larger than uncompressed size in some situations. Fixing would
+ require some kind of additional buffering. */
+ return o_stream_get_buffer_avail_size(stream->parent);
+}
+
+static ssize_t
+o_stream_lzma_sendv(struct ostream_private *stream,
+ const struct const_iovec *iov, unsigned int iov_count)
+{
+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
+ ssize_t ret, bytes = 0;
+ unsigned int i;
+
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0) {
+ /* error / we still couldn't flush existing data to
+ parent stream. */
+ return ret;
+ }
+
+ for (i = 0; i < iov_count; i++) {
+ ret = o_stream_lzma_send_chunk(zstream, iov[i].iov_base,
+ iov[i].iov_len);
+ if (ret < 0)
+ return -1;
+ bytes += ret;
+ if ((size_t)ret != iov[i].iov_len)
+ break;
+ }
+ stream->ostream.offset += bytes;
+
+ /* avail_in!=0 check is used to detect errors. if it's non-zero here
+ it simply means we didn't send all the data */
+ zstream->strm.avail_in = 0;
+ return bytes;
+}
+
+struct ostream *o_stream_create_lzma(struct ostream *output, int level)
+{
+ struct lzma_ostream *zstream;
+ lzma_ret ret;
+
+ i_assert(level >= 1 && level <= 9);
+
+ zstream = i_new(struct lzma_ostream, 1);
+ zstream->ostream.sendv = o_stream_lzma_sendv;
+ zstream->ostream.flush = o_stream_lzma_flush;
+ zstream->ostream.get_buffer_used_size =
+ o_stream_lzma_get_buffer_used_size;
+ zstream->ostream.get_buffer_avail_size =
+ o_stream_lzma_get_buffer_avail_size;
+ zstream->ostream.iostream.close = o_stream_lzma_close;
+
+ ret = lzma_easy_encoder(&zstream->strm, level, LZMA_CHECK_CRC64);
+ switch (ret) {
+ case LZMA_OK:
+ break;
+ case LZMA_MEM_ERROR:
+ i_fatal_status(FATAL_OUTOFMEM, "lzma: Out of memory");
+ case LZMA_OPTIONS_ERROR:
+ i_fatal("lzma: Invalid level");
+ default:
+ i_fatal("lzma_easy_encoder() failed with %d", ret);
+ }
+
+ zstream->strm.next_out = zstream->outbuf;
+ zstream->strm.avail_out = sizeof(zstream->outbuf);
+ return o_stream_create(&zstream->ostream, output,
+ o_stream_get_fd(output));
+}
+#endif
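Review bot: In `o_stream_lzma_send_flush()` the trailing `if (final) zstream->flushed = TRUE;` is always taken, because the function has already returned at `if (!final) return 1;`; writing `zstream->flushed = TRUE;` unconditionally makes that explicit. The helper `o_stream_zlib_send_outbuf()` carries a zlib name inside the lzma stream, and `o_stream_lzma_send_outbuf` would match the rest of the file. In `o_stream_lzma_send_chunk()`, `zs->next_in = (void *)data;` discards the const qualifier for no benefit, since `lzma_stream.next_in` is a pointer to const; `zs->next_in = data;` suffices.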
diff -up dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma dovecot-2.3.16/src/lib-compression/ostream-zlib.h
--- dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/ostream-zlib.h 2022-02-28 13:58:02.338149934 +0100
@@ -4,6 +4,7 @@
struct ostream *o_stream_create_gz(struct ostream *output, int level);
struct ostream *o_stream_create_deflate(struct ostream *output, int level);
struct ostream *o_stream_create_bz2(struct ostream *output, int level);
+struct ostream *o_stream_create_lzma(struct ostream *output, int level);
struct ostream *o_stream_create_lz4(struct ostream *output, int level);
struct ostream *o_stream_create_zstd(struct ostream *output, int level);
diff -up dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma dovecot-2.3.16/src/lib-compression/test-compression.c
--- dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/test-compression.c 2022-02-28 13:58:02.338149934 +0100
@@ -730,7 +730,6 @@ static void test_compression_int(bool au
for (i = 0; compression_handlers[i].name != NULL; i++) {
if (compression_handlers[i].create_istream != NULL &&
- compression_handlers[i].create_ostream != NULL &&
(!autodetect ||
compression_handlers[i].is_compressed != NULL)) T_BEGIN {
if (compression_handlers[i].is_compressed != NULL &&
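Review bot: Dropping the `create_ostream != NULL` condition means the loop body now runs for every handler that has an input stream, whether or not it can write. The body is outside the hunk, but if it calls `create_ostream` to produce its test data, a handler built with read-only support would be invoked through a NULL pointer. Since this patch gives xz a non-NULL `create_ostream` whenever `HAVE_LZMA` is defined, keeping the original condition would already re-enable the xz test without widening the loop.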


@ -1,578 +0,0 @@
From 9f3002393fe1c1fe317121d03591569dac120739 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Tue, 17 Aug 2021 19:09:13 +0200
Subject: [PATCH 01/12] lib-sieve: sieve-interpreter - Fix field mixup in debug
message.
---
src/lib-sieve/sieve-interpreter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib-sieve/sieve-interpreter.c b/src/lib-sieve/sieve-interpreter.c
index 9ee6c659..274e142d 100644
--- a/src/lib-sieve/sieve-interpreter.c
+++ b/src/lib-sieve/sieve-interpreter.c
@@ -1003,8 +1003,8 @@ int sieve_interpreter_continue(struct sieve_interpreter *interp,
}
e_debug(e->event(), "Finished running script `%s' "
"(status=%s, resource usage: %s)",
- sieve_execution_exitcode_to_str(ret),
sieve_binary_source(interp->runenv.sbin),
+ sieve_execution_exitcode_to_str(ret),
sieve_resource_usage_get_summary(&interp->rusage));
interp->running = FALSE;
}
From 54e020c1212f626049bffc6c6fea8e606a893af2 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 01:44:23 +0200
Subject: [PATCH 02/12] lib-sieve: sieve-result - Remove success parameter from
sieve_result_implicit_keep_execute().
---
src/lib-sieve/sieve-result.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 55eb9f54..d3f2f925 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1475,8 +1475,7 @@ void sieve_result_execution_destroy(struct sieve_result_execution **_rexec)
}
static void
-sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
- bool success)
+sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
{
const struct sieve_action_exec_env *aenv = &rexec->action_env;
struct sieve_result *result = aenv->result;
@@ -1486,6 +1485,7 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
struct sieve_action_execution *aexec_keep = &rexec->keep;
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
+ bool success = (rexec->status == SIEVE_EXEC_OK);
if (rexec->keep_equiv_action != NULL) {
e_debug(rexec->event, "No implicit keep needed "
@@ -1579,8 +1579,8 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
}
}
- e_debug(rexec->event, "Execute implicit keep (failure=%s)",
- (!success ? "yes" : "no"));
+ e_debug(rexec->event, "Execute implicit keep (status=%s)",
+ sieve_execution_exitcode_to_str(rexec->status));
/* Initialize side effects */
sieve_action_execution_add_side_effects(rexec, aexec_keep, ract_keep);
@@ -1633,7 +1633,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
/* Start keep if necessary */
if (act_keep->def == NULL ||
aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
- sieve_result_implicit_keep_execute(rexec, success);
+ sieve_result_implicit_keep_execute(rexec);
/* Switch to failure keep if necessary. */
} else if (rexec->keep_success && !success){
e_debug(rexec->event, "Switch to failure implicit keep");
@@ -1645,7 +1645,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
i_zero(aexec_keep);
/* Start failure keep action. */
- sieve_result_implicit_keep_execute(rexec, success);
+ sieve_result_implicit_keep_execute(rexec);
}
if (act_keep->def == NULL)
return rexec->keep_status;
@@ -1931,10 +1931,8 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
/* Execute implicit keep if the transaction failed or when the
implicit keep was not canceled during transaction.
*/
- if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
- sieve_result_implicit_keep_execute(
- rexec, (rexec->status == SIEVE_EXEC_OK));
- }
+ if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
+ sieve_result_implicit_keep_execute(rexec);
}
/* Transaction commit/rollback */
From 291f2fdb77b86db566dca7c028dd93fc741f6b31 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 01:40:57 +0200
Subject: [PATCH 03/12] lib-sieve: sieve-result - Remove success parameter from
sieve_result_implicit_keep_finalize().
---
src/lib-sieve/sieve-result.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index d3f2f925..3cf2c02a 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1603,8 +1603,7 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
}
static int
-sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
- bool success)
+sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
{
const struct sieve_action_exec_env *aenv = &rexec->action_env;
const struct sieve_execute_env *eenv = aenv->exec_env;
@@ -1612,6 +1611,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
int commit_status = SIEVE_EXEC_OK;
+ bool success = (rexec->status == SIEVE_EXEC_OK);
if (rexec->keep_equiv_action != NULL) {
struct sieve_action_execution *ke_aexec =
@@ -1627,8 +1627,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
return rexec->keep_status;
}
- e_debug(rexec->event, "Finalize implicit keep (failure=%s)",
- (!success ? "yes" : "no"));
+ e_debug(rexec->event, "Finalize implicit keep (status=%s)",
+ sieve_execution_exitcode_to_str(rexec->status));
/* Start keep if necessary */
if (act_keep->def == NULL ||
@@ -1950,8 +1950,7 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
implicit keep was not canceled during transaction.
*/
if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
- ret = sieve_result_implicit_keep_finalize(
- rexec, (rexec->status == SIEVE_EXEC_OK));
+ ret = sieve_result_implicit_keep_finalize(rexec);
switch (ret) {
case SIEVE_EXEC_OK:
if (result_status == SIEVE_EXEC_TEMP_FAILURE)
From 10e347e3c9eb5e7bf5bc6f178389005357f527fe Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:07:01 +0200
Subject: [PATCH 04/12] lib-sieve: sieve-result - Move temp failure status
checks into sieve_result_implicit_keep_execute().
---
src/lib-sieve/sieve-result.c | 38 ++++++++++++++++++++++++------------
1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 3cf2c02a..44afeef7 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -934,6 +934,7 @@ struct sieve_result_execution {
bool keep_success:1;
bool keep_explicit:1;
bool keep_implicit:1;
+ bool keep_finalizing:1;
bool seen_delivery:1;
bool executed:1;
bool executed_delivery:1;
@@ -1485,7 +1486,24 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
struct sieve_action_execution *aexec_keep = &rexec->keep;
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
- bool success = (rexec->status == SIEVE_EXEC_OK);
+ bool success = FALSE;
+
+ switch (rexec->status) {
+ case SIEVE_EXEC_OK:
+ success = TRUE;
+ break;
+ case SIEVE_EXEC_TEMP_FAILURE:
+ case SIEVE_EXEC_RESOURCE_LIMIT:
+ if (rexec->executed)
+ break;
+ if (rexec->committed)
+ break;
+ if (rexec->keep_finalizing)
+ break;
+ return;
+ default:
+ break;
+ }
if (rexec->keep_equiv_action != NULL) {
e_debug(rexec->event, "No implicit keep needed "
@@ -1630,6 +1648,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
e_debug(rexec->event, "Finalize implicit keep (status=%s)",
sieve_execution_exitcode_to_str(rexec->status));
+ rexec->keep_finalizing = TRUE;
+
/* Start keep if necessary */
if (act_keep->def == NULL ||
aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
@@ -1923,17 +1943,11 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
return rexec->status;
}
- /* Execute implicit keep if necessary */
-
- if (rexec->executed ||
- (rexec->status != SIEVE_EXEC_TEMP_FAILURE &&
- rexec->status != SIEVE_EXEC_RESOURCE_LIMIT)) {
- /* Execute implicit keep if the transaction failed or when the
- implicit keep was not canceled during transaction.
- */
- if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
- sieve_result_implicit_keep_execute(rexec);
- }
+ /* Execute implicit keep if the transaction failed or when the
+ implicit keep was not canceled during transaction.
+ */
+ if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
+ sieve_result_implicit_keep_execute(rexec);
/* Transaction commit/rollback */
From c84e6e5d8d1d8b03a0ba5958804d200c6e1916d8 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:26:32 +0200
Subject: [PATCH 05/12] lib-sieve: sieve-result - Move temp failure status
checks into sieve_result_implicit_keep_finalize().
---
src/lib-sieve/sieve-result.c | 56 +++++++++++++++++++++---------------
1 file changed, 33 insertions(+), 23 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 44afeef7..10cc3b95 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1629,7 +1629,20 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
int commit_status = SIEVE_EXEC_OK;
- bool success = (rexec->status == SIEVE_EXEC_OK);
+ bool success = FALSE;
+
+ switch (rexec->status) {
+ case SIEVE_EXEC_OK:
+ success = TRUE;
+ break;
+ case SIEVE_EXEC_TEMP_FAILURE:
+ case SIEVE_EXEC_RESOURCE_LIMIT:
+ if (rexec->committed)
+ break;
+ return rexec->status;
+ default:
+ break;
+ }
if (rexec->keep_equiv_action != NULL) {
struct sieve_action_execution *ke_aexec =
@@ -1957,32 +1970,29 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
/* Commit implicit keep if necessary */
result_status = rexec->status;
- if (rexec->committed ||
- (rexec->status != SIEVE_EXEC_TEMP_FAILURE &&
- rexec->status != SIEVE_EXEC_RESOURCE_LIMIT)) {
- /* Commit implicit keep if the transaction failed or when the
- implicit keep was not canceled during transaction.
- */
- if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
- ret = sieve_result_implicit_keep_finalize(rexec);
- switch (ret) {
- case SIEVE_EXEC_OK:
- if (result_status == SIEVE_EXEC_TEMP_FAILURE)
- result_status = SIEVE_EXEC_FAILURE;
+
+ /* Commit implicit keep if the transaction failed or when the
+ implicit keep was not canceled during transaction.
+ */
+ if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
+ ret = sieve_result_implicit_keep_finalize(rexec);
+ switch (ret) {
+ case SIEVE_EXEC_OK:
+ if (result_status == SIEVE_EXEC_TEMP_FAILURE)
+ result_status = SIEVE_EXEC_FAILURE;
+ break;
+ case SIEVE_EXEC_TEMP_FAILURE:
+ if (!rexec->committed) {
+ result_status = ret;
break;
- case SIEVE_EXEC_TEMP_FAILURE:
- if (!rexec->committed) {
- result_status = ret;
- break;
- }
- /* fall through */
- default:
- result_status = SIEVE_EXEC_KEEP_FAILED;
}
+ /* fall through */
+ default:
+ result_status = SIEVE_EXEC_KEEP_FAILED;
}
- if (rexec->status == SIEVE_EXEC_OK)
- rexec->status = result_status;
}
+ if (rexec->status == SIEVE_EXEC_OK)
+ rexec->status = result_status;
/* Finish execution */
From 92b4b06d5d8deeefdd17d5fb18d7f0d23e8e414b Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:46:18 +0200
Subject: [PATCH 06/12] lib-sieve: sieve-result - Skip implicit keep in
execution stage upon temp failure.
It will be executed in the commit phase if necessary; don't do it early; it will
only be rolled back.
---
src/lib-sieve/sieve-result.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 10cc3b95..82354831 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1494,8 +1494,6 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
break;
case SIEVE_EXEC_TEMP_FAILURE:
case SIEVE_EXEC_RESOURCE_LIMIT:
- if (rexec->executed)
- break;
if (rexec->committed)
break;
if (rexec->keep_finalizing)
From f2b81cc6ebaa3001bde693f7abdb990f467f7831 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:56:32 +0200
Subject: [PATCH 07/12] lib-sieve: sieve-result - Fix handling of resource
limit status after implicit keep commit.
---
src/lib-sieve/sieve-result.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 82354831..96582075 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1980,6 +1980,7 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
result_status = SIEVE_EXEC_FAILURE;
break;
case SIEVE_EXEC_TEMP_FAILURE:
+ case SIEVE_EXEC_RESOURCE_LIMIT:
if (!rexec->committed) {
result_status = ret;
break;
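Review bot: `SIEVE_EXEC_RESOURCE_LIMIT` is added to the failing-keep branch, but the condition in the `SIEVE_EXEC_OK` branch just above lies outside this hunk; in the previous patch of the series it reads `if (result_status == SIEVE_EXEC_TEMP_FAILURE)`. If that line is unchanged, a run that ended in a resource limit and whose implicit keep then commits successfully keeps `SIEVE_EXEC_RESOURCE_LIMIT` as its result instead of being mapped to `SIEVE_EXEC_FAILURE`. If the asymmetry is intended, a comment in the OK branch should say so; otherwise that condition should test both statuses.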
From 293f0027106a725e4cbcf56b673f1eedda00c317 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:54:25 +0200
Subject: [PATCH 08/12] lib-sieve: sieve-result - Fix resource leak occurring
when implicit keep is executed before temporary failure at commit.
In the commit phase the implicit keep was never finalized, meaning that it was
not rolled back and thus not cleaned up properly. This leads to a memory leak
and a mailbox reference leak. This in turn causes an assert crash at the end
of delivery when the mail user is destroyed.
---
src/lib-sieve/sieve-result.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 96582075..10ea349c 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1627,7 +1627,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
int commit_status = SIEVE_EXEC_OK;
- bool success = FALSE;
+ bool success = FALSE, temp_failure = FALSE;
switch (rexec->status) {
case SIEVE_EXEC_OK:
@@ -1637,7 +1637,15 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
case SIEVE_EXEC_RESOURCE_LIMIT:
if (rexec->committed)
break;
- return rexec->status;
+
+ if (aexec_keep->state !=
+ SIEVE_ACTION_EXECUTION_STATE_EXECUTED)
+ return rexec->status;
+ /* Roll back for temporary failure when no other action
+ is committed. */
+ commit_status = rexec->status;
+ temp_failure = TRUE;
+ break;
default:
break;
}
@@ -1662,8 +1670,10 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
rexec->keep_finalizing = TRUE;
/* Start keep if necessary */
- if (act_keep->def == NULL ||
- aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
+ if (temp_failure) {
+ rexec->keep_status = rexec->status;
+ } else if (act_keep->def == NULL ||
+ aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
sieve_result_implicit_keep_execute(rexec);
/* Switch to failure keep if necessary. */
} else if (rexec->keep_success && !success){
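Review bot: The comment `/* Start keep if necessary */` now sits above a chain whose first branch, `if (temp_failure)`, starts nothing and only sets `rexec->keep_status = rexec->status`. Presumably this is so that the finalize step later in the function rolls back the already-executed keep. That intent is stated only in the commit message; a comment on the branch, for example `/* keep was already executed: carry the temp-failure status so it is rolled back below */`, would keep it with the code. The rest of the function lies outside the hunk.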
From 81bd53d6c9fa14fc6b32304e49dddb8fd022de91 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 13:29:41 +0200
Subject: [PATCH 09/12] lib-sieve: sieve-result - Assert that implicit keep is
executed in sieve_result_implicit_keep_finalize().
---
src/lib-sieve/sieve-result.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 10ea349c..de97d6ae 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1691,6 +1691,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
if (act_keep->def == NULL)
return rexec->keep_status;
+ i_assert(aexec_keep->state == SIEVE_ACTION_EXECUTION_STATE_EXECUTED);
+
/* Finalize keep action */
rexec->keep_status = sieve_result_action_commit_or_rollback(
rexec, aexec_keep, rexec->keep_status, &commit_status);
From dbf5b62ba82766a7d824e81005b2517d96984ef0 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:43:05 +0200
Subject: [PATCH 10/12] lib-sieve: sieve-result - Add debug messages for temp
failure handling.
---
src/lib-sieve/sieve-result.c | 28 +++++++++++++++++++++++++---
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index de97d6ae..c21c8017 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1494,10 +1494,21 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
break;
case SIEVE_EXEC_TEMP_FAILURE:
case SIEVE_EXEC_RESOURCE_LIMIT:
- if (rexec->committed)
+ if (rexec->committed) {
+ e_debug(rexec->event,
+ "Temporary failure occurred (status=%s), "
+ "but other actions were already committed: "
+ "execute failure implicit keep",
+ sieve_execution_exitcode_to_str(rexec->status));
break;
+ }
if (rexec->keep_finalizing)
break;
+
+ e_debug(rexec->event,
+ "Skip implicit keep for temporary failure "
+ "(state=execute, status=%s)",
+ sieve_execution_exitcode_to_str(rexec->status));
return;
default:
break;
@@ -1635,12 +1646,23 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
break;
case SIEVE_EXEC_TEMP_FAILURE:
case SIEVE_EXEC_RESOURCE_LIMIT:
- if (rexec->committed)
+ if (rexec->committed) {
+ e_debug(rexec->event,
+ "Temporary failure occurred (status=%s), "
+ "but other actions were already committed: "
+ "commit failure implicit keep",
+ sieve_execution_exitcode_to_str(rexec->status));
break;
+ }
if (aexec_keep->state !=
- SIEVE_ACTION_EXECUTION_STATE_EXECUTED)
+ SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
+ e_debug(rexec->event,
+ "Skip implicit keep for temporary failure "
+ "(state=commit, status=%s)",
+ sieve_execution_exitcode_to_str(rexec->status));
return rexec->status;
+ }
/* Roll back for temporary failure when no other action
is committed. */
commit_status = rexec->status;
From 65d771c15bf443690580dbb0643556794106522b Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 13:26:26 +0200
Subject: [PATCH 11/12] lib-sieve: sieve-result - Indicate in
sieve_result_transaction_execute() debug message whether actions were
executed.
---
src/lib-sieve/sieve-result.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index c21c8017..6f3cb954 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1796,10 +1796,11 @@ sieve_result_transaction_execute(struct sieve_result_execution *rexec,
}
e_debug(rexec->event, "Finished executing actions "
- "(status=%s, keep=%s)",
+ "(status=%s, keep=%s, executed=%s)",
sieve_execution_exitcode_to_str(status),
(rexec->keep_explicit ? "explicit" :
- (rexec->keep_implicit ? "implicit" : "none")));
+ (rexec->keep_implicit ? "implicit" : "none")),
+ (rexec->executed ? "yes" : "no"));
return status;
}
From 4596d39908a868783fae9a0c2fd264409c0aaa96 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 13:27:50 +0200
Subject: [PATCH 12/12] lib-sieve: sieve-result - Indicate in
sieve_result_transaction_finalize() debug message whether actions were
committed.
---
src/lib-sieve/sieve-result.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 6f3cb954..effd6f28 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1859,10 +1859,11 @@ sieve_result_transaction_commit_or_rollback(
}
e_debug(rexec->event, "Finished finalizing actions "
- "(status=%s, keep=%s)",
+ "(status=%s, keep=%s, committed=%s)",
sieve_execution_exitcode_to_str(status),
(rexec->keep_explicit ? "explicit" :
- (rexec->keep_implicit ? "implicit" : "none")));
+ (rexec->keep_implicit ? "implicit" : "none")),
+ (rexec->committed ? "yes" : "no"));
return commit_status;
}


@ -1,31 +0,0 @@
From bdf4474ed82aaf964e7d94e72ca56b496e3815f9 Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Fri, 1 Oct 2021 15:08:45 +0300
Subject: [PATCH] virtual: Fix leaking mailboxes if virtual mailbox can't be
opened
Fixes also a crash at deinit:
Panic: file mail-user.c: line 232 (mail_user_deinit): assertion failed: ((*user)->refcount == 1)
---
src/plugins/virtual/virtual-storage.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/plugins/virtual/virtual-storage.c b/src/plugins/virtual/virtual-storage.c
index 2f31503d53..a0779cc186 100644
--- a/src/plugins/virtual/virtual-storage.c
+++ b/src/plugins/virtual/virtual-storage.c
@@ -495,12 +495,12 @@ static int virtual_mailbox_open(struct mailbox *box)
ret = virtual_mailboxes_open(mbox, box->flags);
array_pop_back(&mbox->storage->open_stack);
}
+ if (ret == 0)
+ ret = index_storage_mailbox_open(box, FALSE);
if (ret < 0) {
virtual_mailbox_close_internal(mbox);
return -1;
}
- if (index_storage_mailbox_open(box, FALSE) < 0)
- return -1;
mbox->virtual_ext_id =
mail_index_ext_register(mbox->box.index, "virtual", 0,


@ -1,7 +1,7 @@
diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 --- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100 +++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf 2021-10-27 11:13:45.666956339 +0200
@@ -165,7 +165,7 @@ namespace inbox { @@ -175,7 +175,7 @@ namespace inbox {
# to make sure that users can't log in as daemons or other system users. # to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't # Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0. # be done even if first_valid_uid is set to 0.
@ -18,9 +18,9 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings
# Maximum time to wait for lock (all of them) before aborting. # Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins #mbox_lock_timeout = 5 mins
diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 --- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100 +++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf 2021-10-27 11:13:02.834533975 +0200
@@ -3,7 +3,9 @@ @@ -3,7 +3,9 @@
## ##
@ -32,7 +32,7 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but # dropping root privileges, so keep the key file unreadable by anyone but
@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem @@ -64,6 +66,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use: # To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH


@ -0,0 +1,11 @@
diff -up dovecot-2.2.19/dovecot.service.in.privatetmp dovecot-2.2.19/dovecot.service.in
--- dovecot-2.2.19/dovecot.service.in.privatetmp 2015-10-05 12:50:24.273780394 +0200
+++ dovecot-2.2.19/dovecot.service.in 2015-10-05 12:50:56.281621589 +0200
@@ -26,6 +26,7 @@ After=local-fs.target network.target
Type=simple
ExecStart=@sbindir@/dovecot -F $OPTIONS
ExecReload=@sbindir@/dovecot reload
+PrivateTmp=true
NonBlocking=yes
[Install]


@ -0,0 +1,11 @@
diff -up dovecot-2.3.19.1/dovecot.service.in.waitonline dovecot-2.3.19.1/dovecot.service.in
--- dovecot-2.3.19.1/dovecot.service.in.waitonline 2022-06-14 08:55:03.000000000 +0200
+++ dovecot-2.3.19.1/dovecot.service.in 2022-11-08 20:28:37.550081709 +0100
@@ -12,6 +12,7 @@ Description=Dovecot IMAP/POP3 email serv
Documentation=man:dovecot(1)
Documentation=https://doc.dovecot.org/
After=local-fs.target network-online.target
+Wants=network-online.target
[Service]
Type=@systemdservicetype@


@ -0,0 +1,27 @@
# HG changeset patch
# User Timo Sirainen <tss@iki.fi>
# Date 1334041779 -10800
# Node ID 20e1aa322b1e3b7d47c7cb1b6ff68a8d07fe6c9d
# Parent 0b59dbb1a288153d2eb26d47cd9f7a953335c66f
lib-storage: mail_user_try_home_expand() now looks up home only when needed.
Before a recent code cleanup the lookup was always done, but if the home
didn't exist it still just happened to return success. The cleanup changed
it to return failure, which broke the original behavior.
diff -r 0b59dbb1a288 -r 20e1aa322b1e src/lib-storage/mail-user.c
--- a/src/lib-storage/mail-user.c Tue Apr 10 09:52:35 2012 +0300
+++ b/src/lib-storage/mail-user.c Tue Apr 10 10:09:39 2012 +0300
@@ -343,6 +343,11 @@
{
const char *home, *path = *pathp;
+ if (strncmp(path, "~/", 2) != 0) {
+ /* no need to expand home */
+ return 0;
+ }
+
if (mail_user_get_home(user, &home) <= 0)
return -1;


@ -0,0 +1,450 @@
# HG changeset patch
# User Timo Sirainen <tss@iki.fi>
# Date 1416386277 -32400
# Node ID 80ed82a93c1af5f6885e75a34007eb52d0692a8d
# Parent 31262a892ba7302bfea6e70e17d3acd468736d70
mbox: Added more (and earlier) detection for errors in mbox istreams.
diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/istream-raw-mbox.c
--- a/src/lib-storage/index/mbox/istream-raw-mbox.c Wed Nov 19 17:37:18 2014 +0900
+++ b/src/lib-storage/index/mbox/istream-raw-mbox.c Wed Nov 19 17:37:57 2014 +0900
@@ -506,7 +506,8 @@
return rstream->from_offset;
}
-uoff_t istream_raw_mbox_get_header_offset(struct istream *stream)
+int istream_raw_mbox_get_header_offset(struct istream *stream,
+ uoff_t *hdr_offset_r)
{
struct raw_mbox_istream *rstream =
(struct raw_mbox_istream *)stream->real_stream;
@@ -520,13 +521,17 @@
i_error("Unexpectedly lost From-line from mbox file %s at "
"%"PRIuUOFF_T, i_stream_get_name(stream),
rstream->from_offset);
- return (uoff_t)-1;
+ return -1;
}
+ if (stream->stream_errno != 0)
+ return -1;
- return rstream->hdr_offset;
+ *hdr_offset_r = rstream->hdr_offset;
+ return 0;
}
-uoff_t istream_raw_mbox_get_body_offset(struct istream *stream)
+int istream_raw_mbox_get_body_offset(struct istream *stream,
+ uoff_t *body_offset_r)
{
struct raw_mbox_istream *rstream =
(struct raw_mbox_istream *)stream->real_stream;
@@ -534,8 +539,10 @@
i_assert(rstream->seeked);
- if (rstream->body_offset != (uoff_t)-1)
- return rstream->body_offset;
+ if (rstream->body_offset != (uoff_t)-1) {
+ *body_offset_r = rstream->body_offset;
+ return 0;
+ }
offset = stream->v_offset;
i_stream_seek(stream, rstream->hdr_offset);
@@ -551,27 +558,30 @@
} else {
i_assert(rstream->body_offset != (uoff_t)-1);
}
- break;
+ return -1;
}
}
i_stream_seek(stream, offset);
- return rstream->body_offset;
+ *body_offset_r = rstream->body_offset;
+ return 0;
}
-uoff_t istream_raw_mbox_get_body_size(struct istream *stream,
- uoff_t expected_body_size)
+int istream_raw_mbox_get_body_size(struct istream *stream,
+ uoff_t expected_body_size,
+ uoff_t *body_size_r)
{
struct raw_mbox_istream *rstream =
(struct raw_mbox_istream *)stream->real_stream;
const unsigned char *data;
size_t size;
- uoff_t old_offset, body_size, next_body_offset;
+ uoff_t old_offset, body_offset, body_size, next_body_offset;
i_assert(rstream->seeked);
i_assert(rstream->hdr_offset != (uoff_t)-1);
- (void)istream_raw_mbox_get_body_offset(stream);
+ if (istream_raw_mbox_get_body_offset(stream, &body_offset) < 0)
+ return -1;
body_size = rstream->mail_size == (uoff_t)-1 ? (uoff_t)-1 :
rstream->mail_size - (rstream->body_offset -
rstream->hdr_offset);
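Review bot: In istream_raw_mbox_get_body_offset(), the `return -1;` that replaces `break` leaves the function before the `i_stream_seek(stream, offset);` a few lines below, so on failure the stream is no longer put back at the position saved on entry. If any caller keeps using the stream after an error (not visible from this hunk), restoring it first would keep the previous contract: `i_stream_seek(stream, offset);` directly before `return -1;`. The same return is also reached from the `else` branch, where the assert states that body_offset was found, so a case that used to return the offset is now reported as a failure; a short comment saying whether that is intended would help. The function begins in the previous hunk.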
@@ -580,8 +590,10 @@
/* if we already have the existing body size, use it as long as
it's >= expected body_size. otherwise the previous parsing
may have stopped at a From_-line that belongs to the body. */
- if (body_size != (uoff_t)-1 && body_size >= expected_body_size)
- return body_size;
+ if (body_size != (uoff_t)-1 && body_size >= expected_body_size) {
+ *body_size_r = body_size;
+ return 0;
+ }
next_body_offset = rstream->body_offset + expected_body_size;
/* If header_missing_eoh is set, the message body begins with
@@ -600,21 +612,27 @@
rstream->mail_size =
next_body_offset - rstream->hdr_offset;
i_stream_seek(stream, old_offset);
- return expected_body_size;
+ *body_size_r = expected_body_size;
+ return 0;
}
/* invalid expected_body_size */
}
- if (body_size != (uoff_t)-1)
- return body_size;
+ if (body_size != (uoff_t)-1) {
+ *body_size_r = body_size;
+ return 0;
+ }
/* have to read through the message body */
while (i_stream_read_data(stream, &data, &size, 0) > 0)
i_stream_skip(stream, size);
i_stream_seek(stream, old_offset);
+ if (stream->stream_errno != 0)
+ return -1;
i_assert(rstream->mail_size != (uoff_t)-1);
- return rstream->mail_size -
+ *body_size_r = rstream->mail_size -
(rstream->body_offset - rstream->hdr_offset);
+ return 0;
}
time_t istream_raw_mbox_get_received_time(struct istream *stream)
@@ -651,13 +669,15 @@
return rstream->crlf_ending;
}
-void istream_raw_mbox_next(struct istream *stream, uoff_t expected_body_size)
+int istream_raw_mbox_next(struct istream *stream, uoff_t expected_body_size)
{
struct raw_mbox_istream *rstream =
(struct raw_mbox_istream *)stream->real_stream;
uoff_t body_size;
- body_size = istream_raw_mbox_get_body_size(stream, expected_body_size);
+ if (istream_raw_mbox_get_body_size(stream, expected_body_size,
+ &body_size) < 0)
+ return -1;
rstream->mail_size = (uoff_t)-1;
rstream->received_time = rstream->next_received_time;
@@ -678,6 +698,7 @@
rstream->eof = FALSE;
rstream->istream.istream.eof = FALSE;
+ return 0;
}
int istream_raw_mbox_seek(struct istream *stream, uoff_t offset)
@@ -698,10 +719,8 @@
/* if seeked is FALSE, we unlocked in the middle. don't try to use
any cached state then. */
if (rstream->mail_size != (uoff_t)-1 && rstream->seeked &&
- rstream->hdr_offset + rstream->mail_size == offset) {
- istream_raw_mbox_next(stream, (uoff_t)-1);
- return 0;
- }
+ rstream->hdr_offset + rstream->mail_size == offset)
+ return istream_raw_mbox_next(stream, (uoff_t)-1);
if (offset == rstream->from_offset && rstream->seeked) {
/* back to beginning of current message */
diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/istream-raw-mbox.h
--- a/src/lib-storage/index/mbox/istream-raw-mbox.h Wed Nov 19 17:37:18 2014 +0900
+++ b/src/lib-storage/index/mbox/istream-raw-mbox.h Wed Nov 19 17:37:57 2014 +0900
@@ -9,15 +9,18 @@
/* Return offset to beginning of the "\nFrom"-line. */
uoff_t istream_raw_mbox_get_start_offset(struct istream *stream);
/* Return offset to beginning of the headers. */
-uoff_t istream_raw_mbox_get_header_offset(struct istream *stream);
+int istream_raw_mbox_get_header_offset(struct istream *stream,
+ uoff_t *hdr_offset_r);
/* Return offset to beginning of the body. */
-uoff_t istream_raw_mbox_get_body_offset(struct istream *stream);
+int istream_raw_mbox_get_body_offset(struct istream *stream,
+ uoff_t *body_offset_r);
/* Return the number of bytes in the body of this message. If
expected_body_size isn't (uoff_t)-1, we'll use it as potentially valid body
size to avoid actually reading through the whole message. */
-uoff_t istream_raw_mbox_get_body_size(struct istream *stream,
- uoff_t expected_body_size);
+int istream_raw_mbox_get_body_size(struct istream *stream,
+ uoff_t expected_body_size,
+ uoff_t *body_size_r);
/* Return received time of current message, or (time_t)-1 if the timestamp is
broken. */
@@ -30,7 +33,7 @@
/* Jump to next message. If expected_body_size isn't (uoff_t)-1, we'll use it
as potentially valid body size. */
-void istream_raw_mbox_next(struct istream *stream, uoff_t expected_body_size);
+int istream_raw_mbox_next(struct istream *stream, uoff_t expected_body_size);
/* Seek to message at given offset. offset must point to beginning of
"\nFrom ", or 0 for beginning of file. Returns -1 if it offset doesn't
diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/mbox-mail.c
--- a/src/lib-storage/index/mbox/mbox-mail.c Wed Nov 19 17:37:18 2014 +0900
+++ b/src/lib-storage/index/mbox/mbox-mail.c Wed Nov 19 17:37:57 2014 +0900
@@ -304,10 +304,10 @@
return -1;
/* our header size varies, so don't do any caching */
- body_offset = istream_raw_mbox_get_body_offset(mbox->mbox_stream);
- if (body_offset == (uoff_t)-1) {
+ if (istream_raw_mbox_get_body_offset(mbox->mbox_stream, &body_offset) < 0) {
mail_storage_set_critical(_mail->box->storage,
- "Couldn't get mbox size");
+ "mbox %s: Couldn't get body offset for uid=%u",
+ mailbox_get_path(&mbox->box), mail->mail.mail.uid);
return -1;
}
@@ -319,8 +319,13 @@
body_size = (uoff_t)-1;
/* verify that the calculated body size is correct */
- body_size = istream_raw_mbox_get_body_size(mbox->mbox_stream,
- body_size);
+ if (istream_raw_mbox_get_body_size(mbox->mbox_stream,
+ body_size, &body_size) < 0) {
+ mail_storage_set_critical(_mail->box->storage,
+ "mbox %s: Couldn't get body size for uid=%u",
+ mailbox_get_path(&mbox->box), mail->mail.mail.uid);
+ return -1;
+ }
data->physical_size = hdr_size.physical_size + body_size;
*size_r = data->physical_size;
@@ -352,7 +357,12 @@
}
raw_stream = mbox->mbox_stream;
- hdr_offset = istream_raw_mbox_get_header_offset(raw_stream);
+ if (istream_raw_mbox_get_header_offset(raw_stream, &hdr_offset) < 0) {
+ mail_storage_set_critical(mbox->box.storage,
+ "mbox %s: Couldn't get header offset for uid=%u",
+ mailbox_get_path(&mbox->box), mail->mail.mail.uid);
+ return -1;
+ }
i_stream_seek(raw_stream, hdr_offset);
if (next_offset != (uoff_t)-1)
diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/mbox-sync-parse.c
--- a/src/lib-storage/index/mbox/mbox-sync-parse.c Wed Nov 19 17:37:18 2014 +0900
+++ b/src/lib-storage/index/mbox/mbox-sync-parse.c Wed Nov 19 17:37:57 2014 +0900
@@ -453,8 +453,8 @@
return strcasecmp(key, func->header);
}
-void mbox_sync_parse_next_mail(struct istream *input,
- struct mbox_sync_mail_context *ctx)
+int mbox_sync_parse_next_mail(struct istream *input,
+ struct mbox_sync_mail_context *ctx)
{
struct mbox_sync_context *sync_ctx = ctx->sync_ctx;
struct message_header_parser_ctx *hdr_ctx;
@@ -545,6 +545,12 @@
}
ctx->body_offset = input->v_offset;
+ if (input->stream_errno != 0) {
+ mbox_sync_set_critical(ctx->sync_ctx, "read(%s) failed: %s",
+ i_stream_get_name(input), i_stream_get_error(input));
+ return -1;
+ }
+ return 0;
}
bool mbox_sync_parse_match_mail(struct mbox_mailbox *mbox,
diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/mbox-sync-private.h
--- a/src/lib-storage/index/mbox/mbox-sync-private.h Wed Nov 19 17:37:18 2014 +0900
+++ b/src/lib-storage/index/mbox/mbox-sync-private.h Wed Nov 19 17:37:57 2014 +0900
@@ -158,8 +158,8 @@
void mbox_sync_set_critical(struct mbox_sync_context *sync_ctx,
const char *fmt, ...) ATTR_FORMAT(2, 3);
-void mbox_sync_parse_next_mail(struct istream *input,
- struct mbox_sync_mail_context *ctx);
+int mbox_sync_parse_next_mail(struct istream *input,
+ struct mbox_sync_mail_context *ctx);
bool mbox_sync_parse_match_mail(struct mbox_mailbox *mbox,
struct mail_index_view *view, uint32_t seq);
diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/mbox-sync-rewrite.c
--- a/src/lib-storage/index/mbox/mbox-sync-rewrite.c Wed Nov 19 17:37:18 2014 +0900
+++ b/src/lib-storage/index/mbox/mbox-sync-rewrite.c Wed Nov 19 17:37:57 2014 +0900
@@ -318,11 +318,11 @@
return 1;
}
-static void mbox_sync_read_next(struct mbox_sync_context *sync_ctx,
- struct mbox_sync_mail_context *mail_ctx,
- struct mbox_sync_mail *mails,
- uint32_t seq, uint32_t idx,
- uoff_t expunged_space)
+static int mbox_sync_read_next(struct mbox_sync_context *sync_ctx,
+ struct mbox_sync_mail_context *mail_ctx,
+ struct mbox_sync_mail *mails,
+ uint32_t seq, uint32_t idx,
+ uoff_t expunged_space)
{
unsigned int first_mail_expunge_extra;
uint32_t orig_next_uid;
@@ -332,8 +332,12 @@
mail_ctx->seq = seq;
mail_ctx->header = sync_ctx->header;
- mail_ctx->mail.offset =
- istream_raw_mbox_get_header_offset(sync_ctx->input);
+ if (istream_raw_mbox_get_header_offset(sync_ctx->input,
+ &mail_ctx->mail.offset) < 0) {
+ mbox_sync_set_critical(sync_ctx,
+ "Couldn't get header offset for seq=%u", seq);
+ return -1;
+ }
mail_ctx->mail.body_size = mails[idx].body_size;
orig_next_uid = sync_ctx->next_uid;
@@ -361,7 +365,8 @@
mails[idx].from_offset += first_mail_expunge_extra;
}
- mbox_sync_parse_next_mail(sync_ctx->input, mail_ctx);
+ if (mbox_sync_parse_next_mail(sync_ctx->input, mail_ctx) < 0)
+ return -1;
i_assert(mail_ctx->mail.pseudo == mails[idx].pseudo);
/* set next_uid back before updating the headers. this is important
@@ -381,6 +386,7 @@
if (mail_ctx->have_eoh)
str_append_c(mail_ctx->header, '\n');
}
+ return 0;
}
static int mbox_sync_read_and_move(struct mbox_sync_context *sync_ctx,
@@ -398,8 +404,9 @@
if (mbox_sync_seek(sync_ctx, mails[idx].from_offset) < 0)
return -1;
- mbox_sync_read_next(sync_ctx, &new_mail_ctx, mails, seq, idx,
- expunged_space);
+ if (mbox_sync_read_next(sync_ctx, &new_mail_ctx, mails, seq, idx,
+ expunged_space) < 0)
+ return -1;
mail_ctx = &new_mail_ctx;
} else {
i_assert(seq == mail_ctx->seq);
diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/mbox-sync.c
--- a/src/lib-storage/index/mbox/mbox-sync.c Wed Nov 19 17:37:18 2014 +0900
+++ b/src/lib-storage/index/mbox/mbox-sync.c Wed Nov 19 17:37:57 2014 +0900
@@ -131,8 +131,10 @@
mbox_sync_read_next_mail(struct mbox_sync_context *sync_ctx,
struct mbox_sync_mail_context *mail_ctx)
{
+ uoff_t offset;
+
/* get EOF */
- (void)istream_raw_mbox_get_header_offset(sync_ctx->input);
+ (void)istream_raw_mbox_get_header_offset(sync_ctx->input, &offset);
if (istream_raw_mbox_is_eof(sync_ctx->input))
return 0;
@@ -144,19 +146,27 @@
mail_ctx->mail.from_offset =
istream_raw_mbox_get_start_offset(sync_ctx->input);
- mail_ctx->mail.offset =
- istream_raw_mbox_get_header_offset(sync_ctx->input);
+ if (istream_raw_mbox_get_header_offset(sync_ctx->input, &mail_ctx->mail.offset) < 0) {
+ mbox_sync_set_critical(sync_ctx,
+ "Couldn't get header offset for seq=%u", mail_ctx->seq);
+ return -1;
+ }
- mbox_sync_parse_next_mail(sync_ctx->input, mail_ctx);
+ if (mbox_sync_parse_next_mail(sync_ctx->input, mail_ctx) < 0)
+ return -1;
+ if (istream_raw_mbox_is_corrupted(sync_ctx->input))
+ return -1;
+
i_assert(sync_ctx->input->v_offset != mail_ctx->mail.from_offset ||
sync_ctx->input->eof);
- if (istream_raw_mbox_is_corrupted(sync_ctx->input))
+ if (istream_raw_mbox_get_body_size(sync_ctx->input,
+ mail_ctx->content_length,
+ &mail_ctx->mail.body_size) < 0) {
+ mbox_sync_set_critical(sync_ctx,
+ "Couldn't get body size for seq=%u", mail_ctx->seq);
return -1;
-
- mail_ctx->mail.body_size =
- istream_raw_mbox_get_body_size(sync_ctx->input,
- mail_ctx->content_length);
+ }
i_assert(mail_ctx->mail.body_size < OFF_T_MAX);
if ((mail_ctx->mail.flags & MAIL_RECENT) != 0 &&
@@ -810,7 +820,7 @@
mbox_sync_seek_to_seq(struct mbox_sync_context *sync_ctx, uint32_t seq)
{
struct mbox_mailbox *mbox = sync_ctx->mbox;
- uoff_t old_offset;
+ uoff_t old_offset, offset;
uint32_t uid;
int ret;
bool deleted;
@@ -864,7 +874,11 @@
sync_ctx->idx_seq = seq;
sync_ctx->dest_first_mail = sync_ctx->seq == 0;
- (void)istream_raw_mbox_get_body_offset(sync_ctx->input);
+ if (istream_raw_mbox_get_body_offset(sync_ctx->input, &offset) < 0) {
+ mbox_sync_set_critical(sync_ctx,
+ "Message body offset lookup failed");
+ return -1;
+ }
return 1;
}
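Review bot: The message added here, `"Message body offset lookup failed"`, is the only one of the new mbox-sync errors in this patch that does not say which message failed; the others report `seq=%u`. `seq` is in scope at this point, so `mbox_sync_set_critical(sync_ctx, "Couldn't get body offset for seq=%u", seq);` would match them and make a damaged mailbox easier to locate from the log. mbox_sync_seek_to_seq() starts outside this hunk.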
@@ -1149,8 +1163,9 @@
sync_ctx->idx_seq++;
}
- istream_raw_mbox_next(sync_ctx->input,
- mail_ctx->mail.body_size);
+ if (istream_raw_mbox_next(sync_ctx->input,
+ mail_ctx->mail.body_size) < 0)
+ return -1;
offset = istream_raw_mbox_get_start_offset(sync_ctx->input);
if (sync_ctx->need_space_seq != 0) {


@ -25,9 +25,9 @@ diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot.
-After=local-fs.target network-online.target -After=local-fs.target network-online.target
+After=local-fs.target network-online.target dovecot-init.service +After=local-fs.target network-online.target dovecot-init.service
+Requires=dovecot-init.service +Requires=dovecot-init.service
Wants=network-online.target
[Service] [Service]
Type=@systemdservicetype@
diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am
--- dovecot-2.3.15/Makefile.am.initbysystemd 2021-06-21 20:21:49.250680889 +0200 --- dovecot-2.3.15/Makefile.am.initbysystemd 2021-06-21 20:21:49.250680889 +0200
+++ dovecot-2.3.15/Makefile.am 2021-06-21 20:24:26.676765849 +0200 +++ dovecot-2.3.15/Makefile.am 2021-06-21 20:24:26.676765849 +0200


@ -0,0 +1,48 @@
diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c
--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob 2024-06-04 09:11:28.514189662 +0200
+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c 2024-06-04 09:18:23.219809778 +0200
@@ -368,11 +368,13 @@ static bool opc_include_dump
return FALSE;
sieve_code_descend(denv);
- sieve_code_dumpf(denv, "script: `%s' from %s %s%s[ID: %d, BLOCK: %d]",
+ sieve_code_dumpf(denv, "script: `%s' from %s %s%s%s[ID: %d, BLOCK: %d]",
sieve_script_name(included->script), sieve_script_location(included->script),
((flags & EXT_INCLUDE_FLAG_ONCE) != 0 ? "(once) " : ""),
((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0 ? "(optional) " : ""),
- include_id, sieve_binary_block_get_id(included->block));
+ (included->block == NULL ? "(missing) " : ""),
+ include_id,
+ (included->block == NULL ? -1 : sieve_binary_block_get_id(included->block)));
return TRUE;
}
diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c
--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob 2023-09-14 15:18:26.000000000 +0200
+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c 2024-06-04 09:10:45.187823805 +0200
@@ -693,6 +693,25 @@ int ext_include_execute_include(const st
}
ctx = ext_include_get_interpreter_context(this_ext, renv->interp);
+ if (included->block == NULL) {
+ if ((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0) {
+ sieve_runtime_trace(
+ renv, SIEVE_TRLVL_NONE,
+ "include: skipped include for script '%s' "
+ "[inc id: %d, block: NULL]; optional and unavailable",
+ sieve_script_name(included->script),
+ include_id);
+ return result;
+ } else {
+ sieve_runtime_trace(
+ renv, SIEVE_TRLVL_NONE,
+ "include: unavailable script '%s' "
+ "[inc id: %d, block: NULL]",
+ sieve_script_name(included->script),
+ include_id);
+ return SIEVE_EXEC_BIN_CORRUPT;
+ }
+ }
block_id = sieve_binary_block_get_id(included->block);
/* If :once modifier is specified, check for duplicate include */
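Review bot: The new `included->block == NULL` branch in ext_include_execute_include() has no comment saying when an include can reach execution without a block, yet the two outcomes (skip vs. `SIEVE_EXEC_BIN_CORRUPT`) depend on exactly that. I would add above the check something like `/* No block: the script was unavailable when the binary was built; only acceptable for :optional includes */`, with the wording confirmed by the author since the compile side is not in this hunk. The `else` after `return result;` can also be dropped so the failure path is not nested. The function starts before and continues after the hunk.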


@ -0,0 +1,12 @@
diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4 dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c
--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4 2024-06-03 13:35:24.408858593 +0200
+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c 2024-06-03 13:35:24.434858849 +0200
@@ -800,7 +800,7 @@ static bool sieve_file_script_equals
(struct sieve_file_script *)other;
return ( CMP_DEV_T(fscript->st.st_dev, fother->st.st_dev) &&
- fscript->st.st_ino == fother->st.st_ino );
+ fscript->st.st_ino == fother->st.st_ino && (fscript->st.st_ino != 0 || script->location != NULL && other->location != NULL && strcmp(script->location, other->location) == 0));
}
/*
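Review bot: The added condition mixes `||` and `&&` without grouping on one very long line: `fscript->st.st_ino != 0 || script->location != NULL && other->location != NULL && strcmp(...) == 0`. It parses as intended because `&&` binds tighter, but compilers warn about this form (-Wparentheses) and a reader has to work out that the location comparison is only the fallback for a zero inode. Grouping the fallback and splitting the line, e.g. `(fscript->st.st_ino != 0 ||` / `(script->location != NULL && other->location != NULL &&` / `strcmp(script->location, other->location) == 0))`, plus a one-line comment on why an inode of 0 is not trusted as an identity, would make the equality rule easier to maintain. sieve_file_script_equals() starts outside the hunk.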


@ -0,0 +1,11 @@
diff -up dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt dovecot-2.3.0.1/src/auth/mycrypt.c
--- dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt 2018-02-28 15:28:58.000000000 +0100
+++ dovecot-2.3.0.1/src/auth/mycrypt.c 2018-03-27 10:57:38.447769201 +0200
@@ -14,6 +14,7 @@
# define _XPG6 /* Some Solaris versions require this, some break with this */
#endif
#include <unistd.h>
+#include <crypt.h>
#include "mycrypt.h"


@ -0,0 +1,34 @@
diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c
--- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 2021-06-03 18:56:52.573174433 +0200
+++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c 2021-06-03 18:56:52.585174274 +0200
@@ -73,10 +73,30 @@
2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
**/
+#if OPENSSL_VERSION_MAJOR == 3
+static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
+{
+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+ EVP_PKEY_set1_EC_KEY(key, eck);
+ EC_KEY_free(eck);
+ return eck;
+}
+
+static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
+{
+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+ EVP_PKEY_set1_EC_KEY(key, eck);
+ return eck;
+}
+
+#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3
+#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
+#else
#ifndef HAVE_EVP_PKEY_get0
#define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
#define EVP_PKEY_get0_RSA(x) x->pkey.rsa
#endif
+#endif
#ifndef HAVE_OBJ_LENGTH
#define OBJ_length(o) ((o)->length)
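Review bot: Both OpenSSL 3 wrappers ignore the results of `EVP_PKEY_get1_EC_KEY()` and `EVP_PKEY_set1_EC_KEY()`, and `EVP_PKEY_get0_EC_KEYv3()` returns `eck` after calling `EC_KEY_free(eck)`. That pointer is only valid while `key` holds its own reference from a successful `set1`; if `get1` returned NULL it is handed straight to `set1`, and if `set1` failed the returned pointer refers to an object whose only reference was just dropped. Checking both calls and returning NULL on failure makes the borrowed-pointer contract explicit; the callers are outside this hunk, so whether they all handle NULL needs confirming. Separately, `#if OPENSSL_VERSION_MAJOR == 3` stops selecting these wrappers on any later major version, so `>= 3` may be what is meant.

```c
static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
{
	EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);

	if (eck == NULL)
		return NULL;
	if (EVP_PKEY_set1_EC_KEY(key, eck) != 1) {
		EC_KEY_free(eck);
		return NULL;
	}
	/* key holds its own reference now; drop ours and return a
	   borrowed pointer that lives as long as key does */
	EC_KEY_free(eck);
	return eck;
}

static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
{
	EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);

	if (eck != NULL && EVP_PKEY_set1_EC_KEY(key, eck) != 1) {
		EC_KEY_free(eck);
		return NULL;
	}
	return eck;
}
/* … unchanged: the two #define redirects and the #else branch … */
```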


@ -0,0 +1,24 @@
diff -up dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c
--- dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100
+++ dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100
@@ -114,7 +114,7 @@ static int sieve_dict_script_get_stream
(struct sieve_dict_script *)script;
struct sieve_dict_storage *dstorage =
(struct sieve_dict_storage *)script->storage;
- const char *path, *name = script->name, *data, *error;
+ const char *path, *name = script->name, *data, *error = NULL;
int ret;
dscript->data_pool =
diff -up dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.17/src/lib-storage/index/index-attribute.c
--- dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond 2021-10-27 13:09:04.000000000 +0200
+++ dovecot-2.3.17/src/lib-storage/index/index-attribute.c 2021-11-02 21:51:36.109032050 +0100
@@ -248,7 +248,7 @@ int index_storage_attribute_get(struct m
struct mail_attribute_value *value_r)
{
struct dict *dict;
- const char *mailbox_prefix, *error;
+ const char *mailbox_prefix, *error = NULL;
int ret;
i_zero(value_r);


@ -0,0 +1,20 @@
diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp
--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr 2021-06-21 22:52:53.272707239 +0200
+++ dovecot-2.3.15/run-test-valgrind.supp 2021-06-21 22:54:19.786668430 +0200
@@ -1,4 +1,16 @@
{
+ <bashagin>
+ Memcheck:Leak
+ match-leak-kinds: definite
+ fun:malloc
+ fun:make_if_command
+ fun:yyparse
+ fun:parse_command
+ fun:read_command
+ fun:reader_loop
+ fun:main
+}
+{
<bash>
Memcheck:Leak
fun:malloc


@ -0,0 +1,295 @@
diff -up dovecot-2.3.20/configure.ac.nolibotp dovecot-2.3.20/configure.ac
--- dovecot-2.3.20/configure.ac.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/configure.ac 2023-02-14 16:54:02.118531016 +0100
@@ -854,7 +854,6 @@ src/lib-lua/Makefile
src/lib-mail/Makefile
src/lib-master/Makefile
src/lib-program-client/Makefile
-src/lib-otp/Makefile
src/lib-dovecot/Makefile
src/lib-sasl/Makefile
src/lib-settings/Makefile
diff -up dovecot-2.3.20/src/auth/main.c.nolibotp dovecot-2.3.20/src/auth/main.c
--- dovecot-2.3.20/src/auth/main.c.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/src/auth/main.c 2023-02-14 16:54:02.118531016 +0100
@@ -19,8 +19,6 @@
#include "password-scheme.h"
#include "passdb-cache.h"
#include "mech.h"
-#include "otp.h"
-#include "mech-otp-common.h"
#include "auth.h"
#include "auth-penalty.h"
#include "auth-token.h"
@@ -283,7 +281,6 @@ static void main_deinit(void)
auth_policy_deinit();
mech_register_deinit(&mech_reg);
- mech_otp_deinit();
mech_deinit(global_auth_settings);
/* allow modules to unregister their dbs/drivers/etc. before freeing
diff -up dovecot-2.3.20/src/auth/Makefile.am.nolibotp dovecot-2.3.20/src/auth/Makefile.am
--- dovecot-2.3.20/src/auth/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/src/auth/Makefile.am 2023-02-14 16:54:02.118531016 +0100
@@ -45,7 +45,6 @@ AM_CPPFLAGS = \
-I$(top_srcdir)/src/lib-sql \
-I$(top_srcdir)/src/lib-settings \
-I$(top_srcdir)/src/lib-old-stats \
- -I$(top_srcdir)/src/lib-otp \
-I$(top_srcdir)/src/lib-master \
-I$(top_srcdir)/src/lib-oauth2 \
-I$(top_srcdir)/src/lib-ssl-iostream \
@@ -67,7 +66,6 @@ libpassword_la_SOURCES = \
password-scheme-crypt.c \
password-scheme-md5crypt.c \
password-scheme-scram.c \
- password-scheme-otp.c \
password-scheme-pbkdf2.c \
password-scheme-sodium.c
libpassword_la_CFLAGS = $(AM_CPPFLAGS) $(LIBSODIUM_CFLAGS)
@@ -76,7 +74,6 @@ auth_libs = \
libauth.la \
libstats_auth.la \
libpassword.la \
- ../lib-otp/libotp.la \
$(AUTH_LUA_LIBS) \
$(LIBDOVECOT_SQL)
@@ -95,7 +92,6 @@ libauth_la_SOURCES = \
auth-client-connection.c \
auth-master-connection.c \
auth-policy.c \
- mech-otp-common.c \
mech-plain-common.c \
auth-penalty.c \
auth-request.c \
@@ -122,7 +118,6 @@ libauth_la_SOURCES = \
mech-digest-md5.c \
mech-external.c \
mech-gssapi.c \
- mech-otp.c \
mech-scram.c \
mech-apop.c \
mech-winbind.c \
@@ -161,7 +156,6 @@ headers = \
auth-client-connection.h \
auth-common.h \
auth-master-connection.h \
- mech-otp-common.h \
mech-plain-common.h \
mech-digest-md5-private.h \
mech-scram.h \
@@ -260,7 +254,6 @@ test_libs = \
test_libpassword_SOURCES = test-libpassword.c
test_libpassword_LDADD = \
libpassword.la \
- ../lib-otp/libotp.la \
$(CRYPT_LIBS) \
$(LIBDOVECOT_SQL) \
$(LIBSODIUM_LIBS) \
diff -up dovecot-2.3.20/src/auth/mech.c.nolibotp dovecot-2.3.20/src/auth/mech.c
--- dovecot-2.3.20/src/auth/mech.c.nolibotp 2023-02-14 16:55:38.421231797 +0100
+++ dovecot-2.3.20/src/auth/mech.c 2023-02-14 16:55:38.434231892 +0100
@@ -71,7 +71,6 @@ extern const struct mech_module mech_apo
extern const struct mech_module mech_cram_md5;
extern const struct mech_module mech_digest_md5;
extern const struct mech_module mech_external;
-extern const struct mech_module mech_otp;
extern const struct mech_module mech_scram_sha1;
extern const struct mech_module mech_scram_sha256;
extern const struct mech_module mech_anonymous;
@@ -206,7 +205,6 @@ void mech_init(const struct auth_setting
mech_register_module(&mech_gssapi_spnego);
#endif
}
- mech_register_module(&mech_otp);
mech_register_module(&mech_scram_sha1);
mech_register_module(&mech_scram_sha256);
mech_register_module(&mech_anonymous);
@@ -233,7 +231,6 @@ void mech_deinit(const struct auth_setti
mech_unregister_module(&mech_gssapi_spnego);
#endif
}
- mech_unregister_module(&mech_otp);
mech_unregister_module(&mech_scram_sha1);
mech_unregister_module(&mech_scram_sha256);
mech_unregister_module(&mech_anonymous);
diff -up dovecot-2.3.20/src/auth/password-scheme.c.nolibotp dovecot-2.3.20/src/auth/password-scheme.c
--- dovecot-2.3.20/src/auth/password-scheme.c.nolibotp 2023-02-14 16:54:02.109530950 +0100
+++ dovecot-2.3.20/src/auth/password-scheme.c 2023-02-14 16:54:02.119531023 +0100
@@ -13,7 +13,6 @@
#include "randgen.h"
#include "sha1.h"
#include "sha2.h"
-#include "otp.h"
#include "str.h"
#include "password-scheme.h"
@@ -709,32 +708,6 @@ plain_md5_generate(const char *plaintext
*size_r = MD5_RESULTLEN;
}
-static int otp_verify(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
- const unsigned char *raw_password, size_t size,
- const char **error_r)
-{
- const char *password, *generated;
-
- password = t_strndup(raw_password, size);
- if (password_generate_otp(plaintext, password, UINT_MAX, &generated) < 0) {
- *error_r = "Invalid OTP data in passdb";
- return -1;
- }
-
- return strcasecmp(password, generated) == 0 ? 1 : 0;
-}
-
-static void
-otp_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
- const unsigned char **raw_password_r, size_t *size_r)
-{
- const char *password;
-
- if (password_generate_otp(plaintext, NULL, OTP_HASH_SHA1, &password) < 0)
- i_unreached();
- *raw_password_r = (const unsigned char *)password;
- *size_r = strlen(password);
-}
static const struct password_scheme builtin_schemes[] = {
{ "MD5", PW_ENCODING_NONE, 0, md5_verify, md5_crypt_generate },
@@ -770,7 +743,6 @@ static const struct password_scheme buil
NULL, plain_md5_generate },
{ "LDAP-MD5", PW_ENCODING_BASE64, MD5_RESULTLEN,
NULL, plain_md5_generate },
- { "OTP", PW_ENCODING_NONE, 0, otp_verify, otp_generate },
{ "PBKDF2", PW_ENCODING_NONE, 0, pbkdf2_verify, pbkdf2_generate },
};
diff -up dovecot-2.3.20/src/auth/password-scheme.h.nolibotp dovecot-2.3.20/src/auth/password-scheme.h
--- dovecot-2.3.20/src/auth/password-scheme.h.nolibotp 2023-02-14 16:56:50.929759540 +0100
+++ dovecot-2.3.20/src/auth/password-scheme.h 2023-02-14 16:56:50.947759671 +0100
@@ -92,9 +92,6 @@ void password_set_encryption_rounds(unsi
/* INTERNAL: */
const char *password_generate_salt(size_t len);
const char *password_generate_md5_crypt(const char *pw, const char *salt);
-int password_generate_otp(const char *pw, const char *state_data,
- unsigned int algo, const char **result_r)
- ATTR_NULL(2);
int crypt_verify(const char *plaintext,
const struct password_generate_params *params,
diff -up dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp dovecot-2.3.20/src/auth/test-libpassword.c
--- dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp 2023-02-14 16:54:55.880922175 +0100
+++ dovecot-2.3.20/src/auth/test-libpassword.c 2023-02-14 16:54:55.896922291 +0100
@@ -106,7 +106,6 @@ static void test_password_schemes(void)
test_password_scheme("SHA512", "{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test");
test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test");
test_password_scheme("MD5-CRYPT", "{MD5-CRYPT}$1$GgvxyNz8$OjZhLh4P.gF1lxYEbLZ3e/", "test");
- test_password_scheme("OTP", "{OTP}sha1 1024 ae6b49aa481f7233 f69fc7f98b8fbf54", "test");
test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test");
test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test");
test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test");
diff -up dovecot-2.3.20/src/auth/test-mech.c.nolibotp dovecot-2.3.20/src/auth/test-mech.c
--- dovecot-2.3.20/src/auth/test-mech.c.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/src/auth/test-mech.c 2023-02-14 16:54:02.119531023 +0100
@@ -8,8 +8,6 @@
#include "auth-request-handler-private.h"
#include "auth-settings.h"
#include "mech-digest-md5-private.h"
-#include "otp.h"
-#include "mech-otp-common.h"
#include "settings-parser.h"
#include "password-scheme.h"
#include "auth-token.h"
@@ -27,7 +25,6 @@ extern const struct mech_module mech_dov
extern const struct mech_module mech_external;
extern const struct mech_module mech_login;
extern const struct mech_module mech_oauthbearer;
-extern const struct mech_module mech_otp;
extern const struct mech_module mech_plain;
extern const struct mech_module mech_scram_sha1;
extern const struct mech_module mech_scram_sha256;
@@ -65,10 +62,7 @@ request_handler_reply_mock_callback(stru
if (request->passdb_result == PASSDB_RESULT_OK)
request->failed = FALSE;
- else if (request->mech == &mech_otp) {
- if (null_strcmp(request->fields.user, "otp_phase_2") == 0)
- request->failed = FALSE;
- } else if (request->mech == &mech_oauthbearer) {
+ else if (request->mech == &mech_oauthbearer) {
}
};
@@ -224,10 +218,6 @@ static void test_mechs(void)
{&mech_plain, UCHAR_LEN("\0testuser\0testpass"), "testuser", NULL, TRUE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", NULL, TRUE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", NULL, TRUE, FALSE, FALSE},
- {&mech_otp, UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", NULL, TRUE, TRUE, FALSE},
- {&mech_otp, UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", NULL, TRUE, TRUE, FALSE},
- {&mech_otp, UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", NULL, TRUE, TRUE, FALSE},
- {&mech_otp, UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", NULL , TRUE, TRUE, FALSE},
{&mech_oauthbearer, UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", NULL, FALSE, TRUE, FALSE},
{&mech_scram_sha1, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE},
{&mech_scram_sha256, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE},
@@ -242,8 +232,6 @@ static void test_mechs(void)
{&mech_external, UCHAR_LEN(""), "testuser", NULL, FALSE, TRUE, FALSE},
{&mech_external, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_login, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
- {&mech_otp, UCHAR_LEN(""), NULL, "invalid input", FALSE, FALSE, FALSE},
- {&mech_otp, UCHAR_LEN(""), "testuser", "invalid input", FALSE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_oauthbearer, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_xoauth2, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
@@ -255,7 +243,6 @@ static void test_mechs(void)
{&mech_apop, UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_apop, UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE},
- {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE},
{&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE},
@@ -297,9 +284,7 @@ static void test_mechs(void)
{&mech_plain, UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN("failingwiththis"), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN("failing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE},
- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), NULL, "invalid input", FALSE, FALSE, FALSE},
/* phase 2 */
- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE},
{&mech_scram_sha1, UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE},
@@ -387,7 +372,6 @@ static void test_mechs(void)
test_end();
} T_END;
- mech_otp_deinit();
auths_deinit();
auth_token_deinit();
password_schemes_deinit();
diff -up dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp dovecot-2.3.20/src/doveadm/Makefile.am
--- dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/src/doveadm/Makefile.am 2023-02-14 16:54:02.119531023 +0100
@@ -36,8 +36,7 @@ AM_CPPFLAGS = \
$(BINARY_CFLAGS)
cmd_pw_libs = \
- ../auth/libpassword.la \
- ../lib-otp/libotp.la
+ ../auth/libpassword.la
libs = \
dsync/libdsync.la \
diff -up dovecot-2.3.20/src/Makefile.am.nolibotp dovecot-2.3.20/src/Makefile.am
--- dovecot-2.3.20/src/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/src/Makefile.am 2023-02-14 16:54:02.119531023 +0100
@@ -40,7 +40,6 @@ SUBDIRS = \
lib-index \
lib-storage \
lib-sql \
- lib-otp \
lib-lda \
lib-dict-backend \
anvil \


@ -0,0 +1,200 @@
diff -up dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c.noengine dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c
--- dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c.noengine 2024-07-23 13:18:35.040720598 -0400
+++ dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c 2024-07-23 13:20:16.250720598 -0400
@@ -20,7 +20,6 @@
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
-#include <openssl/engine.h>
#include <openssl/hmac.h>
#include <openssl/objects.h>
#include <openssl/bn.h>
diff -up dovecot-2.3.21/m4/ssl.m4.noengine dovecot-2.3.21/m4/ssl.m4
--- dovecot-2.3.21/m4/ssl.m4.noengine 2024-05-06 17:39:59.362886891 +0200
+++ dovecot-2.3.21/m4/ssl.m4 2024-05-06 17:42:17.945312656 +0200
@@ -233,6 +233,27 @@ AC_DEFUN([DOVECOT_SSL], [
AC_CHECK_LIB(ssl, ECDSA_SIG_set0, [
AC_DEFINE(HAVE_ECDSA_SIG_SET0,, [Build with ECDSA_SIG_set0 support])
],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, OSSL_PROVIDER_try_load, [
+ AC_DEFINE(HAVE_OSSL_PROVIDER_try_load,, [Build with OSSL_PROVIDER_try_load support])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, OPENSSL_init_ssl, [
+ AC_DEFINE(HAVE_OPENSSL_init_ssl,, [Build with OPENSSL_init_ssl support])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, OPENSSL_cleanup, [
+ AC_DEFINE(HAVE_OPENSSL_cleanup,, [OpenSSL supports OPENSSL_cleanup()])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, OPENSSL_thread_stop, [
+ AC_DEFINE(HAVE_OPENSSL_thread_stop,, [OpenSSL supports OPENSSL_thread_stop()])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, ERR_remove_thread_state, [
+ AC_DEFINE(HAVE_ERR_remove_thread_state,, [OpenSSL supports ERR_remove_thread_state()])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, ERR_remove_state, [
+ AC_DEFINE(HAVE_ERR_remove_state,, [OpenSSL supports ERR_remove_state()])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, ENGINE_by_id_DISABLED, [
+ AC_DEFINE(HAVE_ENGINE_by_id,, [OpenSSL supports ENGINE_by_id() - !!!EXPLICITELY DISABLED!!! ])
+ ],, $SSL_LIBS)
AC_CHECK_LIB(ssl, EC_GROUP_order_bits, [
AC_DEFINE(HAVE_EC_GROUP_order_bits,, [Build with EC_GROUP_order_bits support])
],, $SSL_LIBS)
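Review bot: The `AC_CHECK_LIB(ssl, ENGINE_by_id_DISABLED, ...)` probe keeps `HAVE_ENGINE_by_id` undefined by testing for a symbol that cannot exist, and the only explanation is the AC_DEFINE description string (where "EXPLICITELY" is misspelled). A `dnl` comment above the probe, stating that ENGINE support is intentionally forced off and that the provider path in dovecot-openssl-common.c is used instead, would stop a later cleanup from "fixing" the symbol name and silently re-enabling engine loading. Dropping the probe altogether would leave the macro undefined just as well. The DOVECOT_SSL macro body starts and ends outside this hunk.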
diff -up dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c
--- dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine 2023-09-14 15:17:46.000000000 +0200
+++ dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c 2024-05-06 17:39:59.363886901 +0200
@@ -3,13 +3,23 @@
#include "lib.h"
#include "randgen.h"
#include "dovecot-openssl-common.h"
+#include "iostream-openssl.h"
#include <openssl/ssl.h>
-#include <openssl/engine.h>
+#include <openssl/err.h>
+#ifdef HAVE_OSSL_PROVIDER_try_load
+# include <openssl/provider.h>
+#else
+# include <openssl/engine.h>
+#endif
#include <openssl/rand.h>
static int openssl_init_refcount = 0;
-static ENGINE *dovecot_openssl_engine;
+#ifdef HAVE_OSSL_PROVIDER_try_load
+static OSSL_PROVIDER *dovecot_openssl_engine = NULL;
+#else
+static ENGINE *dovecot_openssl_engine = NULL;
+#endif
#ifdef HAVE_SSL_NEW_MEM_FUNCS
static void *dovecot_openssl_malloc(size_t size, const char *u0 ATTR_UNUSED, int u1 ATTR_UNUSED)
@@ -17,12 +27,14 @@ static void *dovecot_openssl_malloc(size
static void *dovecot_openssl_malloc(size_t size)
#endif
{
+ if (size == 0)
+ return NULL;
/* this may be performance critical, so don't use
i_malloc() or calloc() */
void *mem = malloc(size);
- if (mem == NULL) {
+ if (unlikely(mem == NULL)) {
i_fatal_status(FATAL_OUTOFMEM,
- "OpenSSL: malloc(%zu): Out of memory", size);
+ "OpenSSL: malloc(%zu): Out of memory", size);
}
return mem;
}
@@ -33,10 +45,14 @@ static void *dovecot_openssl_realloc(voi
static void *dovecot_openssl_realloc(void *ptr, size_t size)
#endif
{
+ if (size == 0) {
+ free(ptr);
+ return NULL;
+ }
void *mem = realloc(ptr, size);
- if (mem == NULL) {
+ if (unlikely(mem == NULL)) {
i_fatal_status(FATAL_OUTOFMEM,
- "OpenSSL: realloc(%zu): Out of memory", size);
+ "OpenSSL: realloc(%zu): Out of memory", size);
}
return mem;
}
@@ -63,9 +79,13 @@ void dovecot_openssl_common_global_ref(v
/*i_warning("CRYPTO_set_mem_functions() was called too late");*/
}
+#ifdef HAVE_OPENSSL_init_ssl
+ OPENSSL_init_ssl(0, NULL);
+#else
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
+#endif
}
bool dovecot_openssl_common_global_unref(void)
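Review bot: The result of `OPENSSL_init_ssl(0, NULL)` is discarded, although it returns 0 when library initialisation fails. In that case the process would carry on and fail later in a less obvious place, for instance on the first context creation. I would check it where it is called, e.g. `if (OPENSSL_init_ssl(0, NULL) != 1) i_fatal("OpenSSL: OPENSSL_init_ssl() failed");`. The body of dovecot_openssl_common_global_ref starts outside this hunk.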
@@ -76,30 +96,35 @@ bool dovecot_openssl_common_global_unref
return TRUE;
if (dovecot_openssl_engine != NULL) {
+#ifdef HAVE_OSSL_PROVIDER_try_load
+ OSSL_PROVIDER_unload(dovecot_openssl_engine);
+#else
ENGINE_finish(dovecot_openssl_engine);
+#endif
dovecot_openssl_engine = NULL;
}
+#ifdef HAVE_OPENSSL_cleanup
+ OPENSSL_cleanup();
+#else
/* OBJ_cleanup() is called automatically by EVP_cleanup() in
newer versions. Doesn't hurt to call it anyway. */
OBJ_cleanup();
-#ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS
+# if !defined(OPENSSL_NO_COMP)
SSL_COMP_free_compression_methods();
-#endif
+# endif
ENGINE_cleanup();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
-#ifdef HAVE_OPENSSL_AUTO_THREAD_DEINIT
+# ifdef HAVE_OPENSSL_thread_stop
/* no cleanup needed */
-#elif defined(HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE)
+# elif defined(HAVE_ERR_remove_thread_state)
/* This was marked as deprecated in v1.1. */
ERR_remove_thread_state(NULL);
-#else
+# elif defined(HAVE_ERR_remove_state)
/* This was deprecated by ERR_remove_thread_state(NULL) in v1.0.0. */
ERR_remove_state(0);
-#endif
+# endif
ERR_free_strings();
-#ifdef HAVE_OPENSSL_CLEANUP
- OPENSSL_cleanup();
#endif
return FALSE;
}
@@ -110,6 +135,7 @@ int dovecot_openssl_common_global_set_en
if (dovecot_openssl_engine != NULL)
return 1;
+#ifdef HAVE_ENGINE_by_id
ENGINE_load_builtin_engines();
dovecot_openssl_engine = ENGINE_by_id(engine);
if (dovecot_openssl_engine == NULL) {
@@ -128,5 +154,15 @@ int dovecot_openssl_common_global_set_en
dovecot_openssl_engine = NULL;
return -1;
}
+#elif defined(HAVE_OSSL_PROVIDER_try_load)
+ if ((dovecot_openssl_engine = OSSL_PROVIDER_try_load(NULL, engine, 1)) == NULL) {
+ *error_r = t_strdup_printf("Cannot load '%s': %s", engine,
+ openssl_iostream_error());
+ return 0;
+ }
+ return 1;
+#else
+ *error_r = t_strdup_printf("Cannot load '%s': No engine/provider support available", engine);
+#endif
return 1;
}
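Review bot: The final `#else` branch sets `*error_r` and then falls through to the shared `return 1;`, so a build with neither ENGINE nor provider support reports success for a crypto device it never loaded. Returning failure there, e.g. `return 0;` directly after the `t_strdup_printf` line as the provider branch does, keeps the caller from continuing silently with the default implementation. Because the ssl.m4 change forces `HAVE_ENGINE_by_id` off, the configured name is now passed to `OSSL_PROVIDER_try_load` as a provider name; a comment saying so would help, since existing engine ids will likely not resolve. The function starts in the previous hunk.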
diff -up dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am
--- dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine 2023-09-14 15:17:46.000000000 +0200
+++ dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am 2024-05-06 17:39:59.363886901 +0200
@@ -5,7 +5,8 @@ NOPLUGIN_LDFLAGS =
AM_CPPFLAGS = \
-I$(top_srcdir)/src/lib \
-I$(top_srcdir)/src/lib-test \
- -DMODULE_DIR=\""$(moduledir)"\"
+ -DMODULE_DIR=\""$(moduledir)"\" \
+ $(SSL_CFLAGS)
if BUILD_OPENSSL
module_LTLIBRARIES = libssl_iostream_openssl.la


@ -1,7 +1,20 @@
diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-header-parser.c From f020e139c519121d9630a966310ea8e100ee33b7 Mon Sep 17 00:00:00 2001
--- dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200 From: Marco Bettini <marco.bettini@open-xchange.com>
+++ dovecot-2.3.16/src/lib-mail/message-header-parser.c 2024-08-20 23:29:25.214183880 +0200 Date: Fri, 12 Apr 2024 15:06:43 +0000
@@ -17,6 +17,9 @@ struct message_header_parser_ctx { Subject: [PATCH 1/2] lib-mail: message-header-parser - Limit header block to
10MB by default
---
src/lib-mail/message-header-parser.c | 48 ++++++++++++----
src/lib-mail/message-header-parser.h | 10 ++++
src/lib-mail/test-message-header-parser.c | 67 +++++++++++++++++++++++
3 files changed, 114 insertions(+), 11 deletions(-)
diff --git a/src/lib-mail/message-header-parser.c b/src/lib-mail/message-header-parser.c
index c5026f1bb7..5e020bbeb3 100644
--- a/src/lib-mail/message-header-parser.c
+++ b/src/lib-mail/message-header-parser.c
@@ -21,6 +21,9 @@ struct message_header_parser_ctx {
string_t *name; string_t *name;
buffer_t *value_buf; buffer_t *value_buf;
@ -11,7 +24,7 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dove
enum message_header_parser_flags flags; enum message_header_parser_flags flags;
bool skip_line:1; bool skip_line:1;
bool has_nuls:1; bool has_nuls:1;
@@ -34,6 +37,7 @@ message_parse_header_init(struct istream @@ -38,6 +41,7 @@ message_parse_header_init(struct istream *input, struct message_size *hdr_size,
ctx->name = str_new(default_pool, 128); ctx->name = str_new(default_pool, 128);
ctx->flags = flags; ctx->flags = flags;
ctx->value_buf = buffer_create_dynamic(default_pool, 4096); ctx->value_buf = buffer_create_dynamic(default_pool, 4096);
@ -19,7 +32,7 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dove
i_stream_ref(input); i_stream_ref(input);
if (hdr_size != NULL) if (hdr_size != NULL)
@@ -41,6 +45,21 @@ message_parse_header_init(struct istream @@ -45,6 +49,21 @@ message_parse_header_init(struct istream *input, struct message_size *hdr_size,
return ctx; return ctx;
} }
@ -41,7 +54,7 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dove
void message_parse_header_deinit(struct message_header_parser_ctx **_ctx) void message_parse_header_deinit(struct message_header_parser_ctx **_ctx)
{ {
struct message_header_parser_ctx *ctx = *_ctx; struct message_header_parser_ctx *ctx = *_ctx;
@@ -73,6 +92,7 @@ int message_parse_header_next(struct mes @@ -77,6 +96,7 @@ int message_parse_header_next(struct message_header_parser_ctx *ctx,
/* new header line */ /* new header line */
line->name_offset = ctx->input->v_offset; line->name_offset = ctx->input->v_offset;
colon_pos = UINT_MAX; colon_pos = UINT_MAX;
@ -49,8 +62,8 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dove
buffer_set_used_size(ctx->value_buf, 0); buffer_set_used_size(ctx->value_buf, 0);
} }
@@ -326,33 +346,39 @@ int message_parse_header_next(struct mes @@ -342,33 +362,39 @@ int message_parse_header_next(struct message_header_parser_ctx *ctx,
line->middle = str_data(ctx->name) + line->name_len + 1; }
} }
+ line->value_len = I_MIN(line->value_len, ctx->header_block_max_size); + line->value_len = I_MIN(line->value_len, ctx->header_block_max_size);
@ -100,9 +113,10 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dove
line->full_value = ctx->value_buf->data; line->full_value = ctx->value_buf->data;
line->full_value_len = ctx->value_buf->used; line->full_value_len = ctx->value_buf->used;
} else { } else {
diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.h.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-header-parser.h diff --git a/src/lib-mail/message-header-parser.h b/src/lib-mail/message-header-parser.h
--- dovecot-2.3.16/src/lib-mail/message-header-parser.h.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200 index ce0825c8e5..43cf95e56a 100644
+++ dovecot-2.3.16/src/lib-mail/message-header-parser.h 2024-08-20 22:55:36.530652449 +0200 --- a/src/lib-mail/message-header-parser.h
+++ b/src/lib-mail/message-header-parser.h
@@ -1,6 +1,9 @@ @@ -1,6 +1,9 @@
#ifndef MESSAGE_HEADER_PARSER_H #ifndef MESSAGE_HEADER_PARSER_H
#define MESSAGE_HEADER_PARSER_H #define MESSAGE_HEADER_PARSER_H
@ -113,7 +127,7 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.h.CVE-2024-23185 dove
#define IS_LWSP(c) \ #define IS_LWSP(c) \
((c) == ' ' || (c) == '\t') ((c) == ' ' || (c) == '\t')
@@ -48,6 +51,13 @@ message_parse_header_init(struct istream @@ -48,6 +51,13 @@ message_parse_header_init(struct istream *input, struct message_size *hdr_size,
enum message_header_parser_flags flags) ATTR_NULL(2); enum message_header_parser_flags flags) ATTR_NULL(2);
void message_parse_header_deinit(struct message_header_parser_ctx **ctx); void message_parse_header_deinit(struct message_header_parser_ctx **ctx);
@ -127,85 +141,11 @@ diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.h.CVE-2024-23185 dove
/* Read and return next header line. Returns 1 if header is returned, 0 if /* Read and return next header line. Returns 1 if header is returned, 0 if
input stream is non-blocking and more data needs to be read, -1 when all is input stream is non-blocking and more data needs to be read, -1 when all is
done or error occurred (see stream's error status). */ done or error occurred (see stream's error status). */
diff -up dovecot-2.3.16/src/lib-mail/message-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-parser.c diff --git a/src/lib-mail/test-message-header-parser.c b/src/lib-mail/test-message-header-parser.c
--- dovecot-2.3.16/src/lib-mail/message-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200 index 700d3413f1..93d8842002 100644
+++ dovecot-2.3.16/src/lib-mail/message-parser.c 2024-08-20 22:55:36.531652458 +0200 --- a/src/lib-mail/test-message-header-parser.c
@@ -617,7 +617,18 @@ static int parse_next_header(struct mess +++ b/src/lib-mail/test-message-header-parser.c
} @@ -463,6 +463,71 @@ static void test_message_header_parser_extra_crlf_in_name(void)
if (ret < 0) {
/* no boundary */
+ size_t headers_available =
+ ctx->all_headers_max_size > ctx->all_headers_total_size ?
+ ctx->all_headers_max_size - ctx->all_headers_total_size : 0;
+ message_parse_header_lower_limit(ctx->hdr_parser_ctx, headers_available);
ret = message_parse_header_next(ctx->hdr_parser_ctx, &hdr);
+ if (ret > 0) {
+ if (!hdr->continues) {
+ ctx->all_headers_total_size += hdr->name_len;
+ ctx->all_headers_total_size += hdr->middle_len;
+ }
+ ctx->all_headers_total_size += hdr->value_len;
+ }
if (ret == 0 || (ret < 0 && ctx->input->stream_errno != 0)) {
ctx->want_count = i_stream_get_data_size(ctx->input) + 1;
return ret;
@@ -762,6 +773,9 @@ message_parser_init_int(struct istream *
ctx->max_total_mime_parts = set->max_total_mime_parts != 0 ?
set->max_total_mime_parts :
MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS;
+ ctx->all_headers_max_size = set->all_headers_max_size != 0 ?
+ set->all_headers_max_size :
+ MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE;
ctx->input = input;
i_stream_ref(input);
return ctx;
@@ -779,6 +793,7 @@ message_parser_init(pool_t part_pool, st
ctx->next_part = &ctx->part->children;
ctx->parse_next_block = parse_next_header_init;
ctx->total_parts_count = 1;
+ ctx->all_headers_total_size = 0;
i_array_init(&ctx->next_part_stack, 4);
return ctx;
}
diff -up dovecot-2.3.16/src/lib-mail/message-parser.h.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-parser.h
--- dovecot-2.3.16/src/lib-mail/message-parser.h.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-mail/message-parser.h 2024-08-20 22:55:36.531652458 +0200
@@ -19,6 +19,7 @@ enum message_parser_flags {
#define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100
#define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000
+#define MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE ((size_t) 50 * 1024*1024)
struct message_parser_settings {
enum message_header_parser_flags hdr_flags;
@@ -30,6 +31,11 @@ struct message_parser_settings {
/* Maximum MIME parts in total.
0 = MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS. */
unsigned int max_total_mime_parts;
+
+ /* Maximum bytes fore headers in top header plus all
+ MIME sections headers
+ 0 = MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE */
+ size_t all_headers_max_size;
};
struct message_parser_ctx;
diff -up dovecot-2.3.16/src/lib-mail/message-parser-private.h.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-parser-private.h
--- dovecot-2.3.16/src/lib-mail/message-parser-private.h.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-mail/message-parser-private.h 2024-08-20 22:55:36.531652458 +0200
@@ -30,6 +30,8 @@ struct message_parser_ctx {
enum message_parser_flags flags;
unsigned int max_nested_mime_parts;
unsigned int max_total_mime_parts;
+ size_t all_headers_max_size;
+ size_t all_headers_total_size;
char *last_boundary;
struct message_boundary *boundaries;
diff -up dovecot-2.3.16/src/lib-mail/test-message-header-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/test-message-header-parser.c
--- dovecot-2.3.16/src/lib-mail/test-message-header-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-mail/test-message-header-parser.c 2024-08-20 23:23:18.169196280 +0200
@@ -332,6 +332,71 @@ static void test_message_header_parser_n
test_end(); test_end();
} }
@ -277,18 +217,112 @@ diff -up dovecot-2.3.16/src/lib-mail/test-message-header-parser.c.CVE-2024-23185
int main(void) int main(void)
{ {
static void (*const test_functions[])(void) = { static void (*const test_functions[])(void) = {
@@ -341,6 +406,8 @@ int main(void) @@ -473,6 +538,8 @@ int main(void)
test_message_header_parser_extra_cr_in_eoh,
test_message_header_parser_no_eoh, test_message_header_parser_no_eoh,
test_message_header_parser_nul, test_message_header_parser_nul,
test_message_header_parser_extra_crlf_in_name,
+ test_message_header_truncation_flag0, + test_message_header_truncation_flag0,
+ test_message_header_truncation_clean_oneline, + test_message_header_truncation_clean_oneline,
NULL NULL
}; };
return test_run(test_functions); return test_run(test_functions);
diff -up dovecot-2.3.16/src/lib-mail/test-message-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/test-message-parser.c
--- dovecot-2.3.16/src/lib-mail/test-message-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200 From ce88c33abc37e408592eff70aeefa28f803effb9 Mon Sep 17 00:00:00 2001
+++ dovecot-2.3.16/src/lib-mail/test-message-parser.c 2024-08-20 22:55:36.531652458 +0200 From: Marco Bettini <marco.bettini@open-xchange.com>
Date: Wed, 24 Apr 2024 10:45:46 +0000
Subject: [PATCH 2/2] lib-mail: message-parser - Limit headers total count to
50MB by default
(including top headers and all mime-sections headers)
---
src/lib-mail/message-parser-private.h | 2 +
src/lib-mail/message-parser.c | 15 +++
src/lib-mail/message-parser.h | 6 +
src/lib-mail/test-message-parser.c | 154 ++++++++++++++++++++++++++
4 files changed, 177 insertions(+)
diff --git a/src/lib-mail/message-parser-private.h b/src/lib-mail/message-parser-private.h
index 41c32daf3a..8b362a9e71 100644
--- a/src/lib-mail/message-parser-private.h
+++ b/src/lib-mail/message-parser-private.h
@@ -30,6 +30,8 @@ struct message_parser_ctx {
enum message_parser_flags flags;
unsigned int max_nested_mime_parts;
unsigned int max_total_mime_parts;
+ size_t all_headers_max_size;
+ size_t all_headers_total_size;
char *last_boundary;
struct message_boundary *boundaries;
diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
index 9a9c9a3515..c7e3b1e96a 100644
--- a/src/lib-mail/message-parser.c
+++ b/src/lib-mail/message-parser.c
@@ -617,7 +617,18 @@ static int parse_next_header(struct message_parser_ctx *ctx,
}
if (ret < 0) {
/* no boundary */
+ size_t headers_available =
+ ctx->all_headers_max_size > ctx->all_headers_total_size ?
+ ctx->all_headers_max_size - ctx->all_headers_total_size : 0;
+ message_parse_header_lower_limit(ctx->hdr_parser_ctx, headers_available);
ret = message_parse_header_next(ctx->hdr_parser_ctx, &hdr);
+ if (ret > 0) {
+ if (!hdr->continues) {
+ ctx->all_headers_total_size += hdr->name_len;
+ ctx->all_headers_total_size += hdr->middle_len;
+ }
+ ctx->all_headers_total_size += hdr->value_len;
+ }
if (ret == 0 || (ret < 0 && ctx->input->stream_errno != 0)) {
ctx->want_count = i_stream_get_data_size(ctx->input) + 1;
return ret;
@@ -762,6 +773,9 @@ message_parser_init_int(struct istream *input,
ctx->max_total_mime_parts = set->max_total_mime_parts != 0 ?
set->max_total_mime_parts :
MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS;
+ ctx->all_headers_max_size = set->all_headers_max_size != 0 ?
+ set->all_headers_max_size :
+ MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE;
ctx->input = input;
i_stream_ref(input);
return ctx;
@@ -779,6 +793,7 @@ message_parser_init(pool_t part_pool, struct istream *input,
ctx->next_part = &ctx->part->children;
ctx->parse_next_block = parse_next_header_init;
ctx->total_parts_count = 1;
+ ctx->all_headers_total_size = 0;
i_array_init(&ctx->next_part_stack, 4);
return ctx;
}
diff --git a/src/lib-mail/message-parser.h b/src/lib-mail/message-parser.h
index f19e526284..8d70d73f05 100644
--- a/src/lib-mail/message-parser.h
+++ b/src/lib-mail/message-parser.h
@@ -19,6 +19,7 @@ enum message_parser_flags {
#define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100
#define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000
+#define MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE ((size_t) 50 * 1024*1024)
struct message_parser_settings {
enum message_header_parser_flags hdr_flags;
@@ -30,6 +31,11 @@ struct message_parser_settings {
/* Maximum MIME parts in total.
0 = MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS. */
unsigned int max_total_mime_parts;
+
+ /* Maximum bytes fore headers in top header plus all
+ MIME sections headers
+ 0 = MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE */
+ size_t all_headers_max_size;
};
struct message_parser_ctx;
diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c
index 663bfe8c5a..b6bada2303 100644
--- a/src/lib-mail/test-message-parser.c
+++ b/src/lib-mail/test-message-parser.c
@@ -1369,6 +1369,158 @@ static const char input_msg[] = @@ -1369,6 +1369,158 @@ static const char input_msg[] =
test_end(); test_end();
} }


@ -1,6 +1,6 @@
diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/auth/auth-token.c diff -up dovecot-2.3.18/src/auth/auth-token.c.opensslhmac dovecot-2.3.18/src/auth/auth-token.c
--- dovecot-2.3.14/src/auth/auth-token.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/auth/auth-token.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/auth/auth-token.c 2021-03-22 20:44:13.022912242 +0100 +++ dovecot-2.3.18/src/auth/auth-token.c 2022-02-09 09:27:15.887883359 +0100
@@ -161,17 +161,17 @@ void auth_token_deinit(void) @@ -161,17 +161,17 @@ void auth_token_deinit(void)
const char *auth_token_get(const char *service, const char *session_pid, const char *auth_token_get(const char *service, const char *session_pid,
const char *username, const char *session_id) const char *username, const char *session_id)
@ -26,9 +26,9 @@ diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/aut
return binary_to_hex(result, sizeof(result)); return binary_to_hex(result, sizeof(result));
} }
diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/auth/mech-cram-md5.c diff -up dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.18/src/auth/mech-cram-md5.c
--- dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/auth/mech-cram-md5.c 2021-03-22 20:44:13.022912242 +0100 +++ dovecot-2.3.18/src/auth/mech-cram-md5.c 2022-02-09 09:27:15.887883359 +0100
@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr @@ -51,7 +51,7 @@ static bool verify_credentials(struct cr
{ {
@ -52,10 +52,10 @@ diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/
response_hex = binary_to_hex(digest, sizeof(digest)); response_hex = binary_to_hex(digest, sizeof(digest));
diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/auth/mech-scram.c diff -up dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac dovecot-2.3.18/src/auth/mech-scram.c
--- dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/auth/mech-scram.c 2021-03-22 20:44:13.022912242 +0100 +++ dovecot-2.3.18/src/auth/mech-scram.c 2022-02-09 09:31:50.927146858 +0100
@@ -78,7 +78,7 @@ static const char *get_scram_server_firs @@ -93,7 +93,7 @@ get_scram_server_first(struct scram_auth
static const char *get_scram_server_final(struct scram_auth_request *request) static const char *get_scram_server_final(struct scram_auth_request *request)
{ {
const struct hash_method *hmethod = request->hash_method; const struct hash_method *hmethod = request->hash_method;
@ -64,7 +64,7 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut
const char *auth_message; const char *auth_message;
unsigned char server_signature[hmethod->digest_size]; unsigned char server_signature[hmethod->digest_size];
string_t *str; string_t *str;
@@ -87,9 +87,9 @@ static const char *get_scram_server_fina @@ -109,9 +109,9 @@ static const char *get_scram_server_fina
request->server_first_message, ",", request->server_first_message, ",",
request->client_final_message_without_proof, NULL); request->client_final_message_without_proof, NULL);
@ -75,9 +75,9 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut
+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); + openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
+ openssl_hmac_final(&ctx, server_signature); + openssl_hmac_final(&ctx, server_signature);
str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature))); /* RFC 5802, Section 7:
str_append(str, "v=");
@@ -228,7 +228,7 @@ static bool parse_scram_client_first(str @@ -292,7 +292,7 @@ parse_scram_client_first(struct scram_au
static bool verify_credentials(struct scram_auth_request *request) static bool verify_credentials(struct scram_auth_request *request)
{ {
const struct hash_method *hmethod = request->hash_method; const struct hash_method *hmethod = request->hash_method;
@ -86,7 +86,7 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut
const char *auth_message; const char *auth_message;
unsigned char client_key[hmethod->digest_size]; unsigned char client_key[hmethod->digest_size];
unsigned char client_signature[hmethod->digest_size]; unsigned char client_signature[hmethod->digest_size];
@@ -239,9 +239,9 @@ static bool verify_credentials(struct sc @@ -310,9 +310,9 @@ static bool verify_credentials(struct sc
request->server_first_message, ",", request->server_first_message, ",",
request->client_final_message_without_proof, NULL); request->client_final_message_without_proof, NULL);
@ -97,11 +97,11 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut
+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); + openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
+ openssl_hmac_final(&ctx, client_signature); + openssl_hmac_final(&ctx, client_signature);
/* ClientProof := ClientKey XOR ClientSignature */
const unsigned char *proof_data = request->proof->data; const unsigned char *proof_data = request->proof->data;
for (i = 0; i < sizeof(client_signature); i++) diff -up dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme.c
diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme.c --- dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
--- dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 +++ dovecot-2.3.18/src/auth/password-scheme.c 2022-02-09 09:27:15.888883345 +0100
+++ dovecot-2.3.14/src/auth/password-scheme.c 2021-03-22 20:44:13.022912242 +0100
@@ -639,11 +639,11 @@ static void @@ -639,11 +639,11 @@ static void
cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
const unsigned char **raw_password_r, size_t *size_r) const unsigned char **raw_password_r, size_t *size_r)
@ -116,9 +116,9 @@ diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/sr
strlen(plaintext), &hash_method_md5); strlen(plaintext), &hash_method_md5);
hmac_md5_get_cram_context(&ctx, context_digest); hmac_md5_get_cram_context(&ctx, context_digest);
diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme-scram.c diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme-scram.c
--- dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/auth/password-scheme-scram.c 2021-03-22 20:44:13.023912229 +0100 +++ dovecot-2.3.18/src/auth/password-scheme-scram.c 2022-02-09 09:27:15.888883345 +0100
@@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co @@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co
const unsigned char *salt, size_t salt_size, unsigned int i, const unsigned char *salt, size_t salt_size, unsigned int i,
unsigned char *result) unsigned char *result)
@ -208,9 +208,9 @@ diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3
str_append_c(str, ','); str_append_c(str, ',');
base64_encode(server_key, sizeof(server_key), str); base64_encode(server_key, sizeof(server_key), str);
diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c
--- dovecot-2.3.14/src/lib/hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/lib/hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac.c 2021-03-22 20:44:13.023912229 +0100 +++ dovecot-2.3.18/src/lib/hmac.c 2022-02-09 09:27:15.888883345 +0100
@@ -7,6 +7,10 @@ @@ -7,6 +7,10 @@
* This software is released under the MIT license. * This software is released under the MIT license.
*/ */
@ -448,9 +448,9 @@ diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c
- safe_memset(prk, 0, sizeof(prk)); - safe_memset(prk, 0, sizeof(prk));
- safe_memset(okm, 0, sizeof(okm)); - safe_memset(okm, 0, sizeof(okm));
} }
diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.c diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.c
--- dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac-cram-md5.c 2021-03-22 20:44:13.023912229 +0100 +++ dovecot-2.3.18/src/lib/hmac-cram-md5.c 2022-02-09 09:27:15.888883345 +0100
@@ -9,10 +9,10 @@ @@ -9,10 +9,10 @@
#include "md5.h" #include "md5.h"
#include "hmac-cram-md5.h" #include "hmac-cram-md5.h"
@ -477,9 +477,9 @@ diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/l
const unsigned char *cdp; const unsigned char *cdp;
struct md5_context *ctx = (void*)hmac_ctx->ctx; struct md5_context *ctx = (void*)hmac_ctx->ctx;
diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.h diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.h
--- dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac-cram-md5.h 2021-03-22 20:44:13.023912229 +0100 +++ dovecot-2.3.18/src/lib/hmac-cram-md5.h 2022-02-09 09:27:15.888883345 +0100
@@ -5,9 +5,9 @@ @@ -5,9 +5,9 @@
#define CRAM_MD5_CONTEXTLEN 32 #define CRAM_MD5_CONTEXTLEN 32
@ -492,9 +492,9 @@ diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/l
const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h
--- dovecot-2.3.14/src/lib/hmac.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/lib/hmac.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac.h 2021-03-22 20:44:13.023912229 +0100 +++ dovecot-2.3.18/src/lib/hmac.h 2022-02-09 09:27:15.888883345 +0100
@@ -4,60 +4,97 @@ @@ -4,60 +4,97 @@
#include "hash-method.h" #include "hash-method.h"
#include "sha1.h" #include "sha1.h"
@ -606,9 +606,9 @@ diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h
okm_buffer, okm_len); okm_buffer, okm_len);
return okm_buffer; return okm_buffer;
} }
diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c diff -up dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c
--- dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c 2021-03-22 20:44:13.023912229 +0100 +++ dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c 2022-02-09 09:27:15.888883345 +0100
@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha @@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha
const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN],
size_t *token_len_r) size_t *token_len_r)
@ -629,10 +629,10 @@ diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-
*token_len_r = SHA1_RESULTLEN + 1; *token_len_r = SHA1_RESULTLEN + 1;
return token; return token;
diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/Makefile.am diff -up dovecot-2.3.18/src/lib/Makefile.am.opensslhmac dovecot-2.3.18/src/lib/Makefile.am
--- dovecot-2.3.14/src/lib/Makefile.am.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/lib/Makefile.am.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/lib/Makefile.am 2021-03-22 20:44:13.023912229 +0100 +++ dovecot-2.3.18/src/lib/Makefile.am 2022-02-09 09:27:15.889883331 +0100
@@ -352,6 +352,9 @@ headers = \ @@ -354,6 +354,9 @@ headers = \
wildcard-match.h \ wildcard-match.h \
write-full.h write-full.h
@ -642,10 +642,10 @@ diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/M
test_programs = test-lib test_programs = test-lib
noinst_PROGRAMS = $(test_programs) noinst_PROGRAMS = $(test_programs)
diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c diff -up dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c
--- dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c 2021-03-22 20:44:13.024912217 +0100 +++ dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100
@@ -106,14 +106,14 @@ oauth2_validate_hmac(const struct oauth2 @@ -144,14 +144,14 @@ oauth2_validate_hmac(const struct oauth2
if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0) if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0)
return -1; return -1;
@ -666,10 +666,10 @@ diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/s
buffer_t *their_digest = buffer_t *their_digest =
t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]); t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]);
diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c
--- dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c 2021-03-22 20:46:09.524440794 +0100 +++ dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100
@@ -236,7 +236,7 @@ static void save_key_to(const char *algo @@ -248,7 +248,7 @@ static void save_key_azp_to(const char *
static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key) static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key)
{ {
i_assert(key != NULL); i_assert(key != NULL);
@ -678,7 +678,7 @@ diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3
tokenbuf); tokenbuf);
buffer_append(tokenbuf, ".", 1); buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
@@ -246,7 +246,7 @@ static void sign_jwt_token_hs256(buffer_ @@ -258,7 +258,7 @@ static void sign_jwt_token_hs256(buffer_
static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key) static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key)
{ {
i_assert(key != NULL); i_assert(key != NULL);
@ -687,7 +687,7 @@ diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3
tokenbuf); tokenbuf);
buffer_append(tokenbuf, ".", 1); buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
@@ -256,7 +256,7 @@ static void sign_jwt_token_hs384(buffer_ @@ -268,7 +268,7 @@ static void sign_jwt_token_hs384(buffer_
static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key) static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key)
{ {
i_assert(key != NULL); i_assert(key != NULL);
@ -696,9 +696,9 @@ diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3
tokenbuf); tokenbuf);
buffer_append(tokenbuf, ".", 1); buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5.c diff -up dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac dovecot-2.3.18/src/lib/pkcs5.c
--- dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/lib/pkcs5.c 2021-03-22 20:44:13.024912217 +0100 +++ dovecot-2.3.18/src/lib/pkcs5.c 2022-02-09 09:27:15.889883331 +0100
@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho @@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */ size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
unsigned char dk[l * hash->digest_size]; unsigned char dk[l * hash->digest_size];
@ -733,9 +733,9 @@ diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5
for(i = 0; i < hash->digest_size; i++) for(i = 0; i < hash->digest_size; i++)
block[i] ^= U_c[i]; block[i] ^= U_c[i];
} }
diff -up dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac dovecot-2.3.14/src/lib/test-hmac.c diff -up dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac dovecot-2.3.18/src/lib/test-hmac.c
--- dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 --- dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.14/src/lib/test-hmac.c 2021-03-22 20:44:13.024912217 +0100 +++ dovecot-2.3.18/src/lib/test-hmac.c 2022-02-09 09:27:15.889883331 +0100
@@ -206,11 +206,11 @@ static void test_hmac_rfc(void) @@ -206,11 +206,11 @@ static void test_hmac_rfc(void)
test_begin("hmac sha256 rfc4231 vectors"); test_begin("hmac sha256 rfc4231 vectors");
for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
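Review bot: The refreshed opensslhmac patch still deletes `safe_memset(prk, 0, sizeof(prk));` and `safe_memset(okm, 0, sizeof(okm));` at the end of a function in src/lib/hmac.c, and the lines that replace them are collapsed out of this view. If the OpenSSL-based replacement keeps any local buffer holding derived key material, that buffer should still be wiped before the function returns, e.g. `safe_memset(okm, 0, sizeof(okm));`. The variable names suggest this is the HKDF routine, but the function header lies outside the displayed context, so this should be confirmed against the full patch.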


@ -0,0 +1,25 @@
m4: crypt_xxpg6.m4: Define _DEFAULT_SOURCE for current glibc
Current glibc no longer implements the CRYPT extension, so it does not
declare crypt in <unistd.h> in strict standard modes. The check
defines _XOPEN_SOURCE, which enables one of these modes. Defining
_DEFAULT_SOURCE as well again makes available the crypt function
prototype.
This avoids a configure check result change with compilers which do
not support implicit function declarations.
Submitted upstream: <https://github.com/dovecot/core/pull/193>
diff --git a/m4/crypt_xpg6.m4 b/m4/crypt_xpg6.m4
index 0085b2ac76..3a288a3713 100644
--- a/m4/crypt_xpg6.m4
+++ b/m4/crypt_xpg6.m4
@@ -6,6 +6,7 @@ AC_DEFUN([DOVECOT_CRYPT_XPG6], [
#define _XOPEN_SOURCE 4
#define _XOPEN_SOURCE_EXTENDED 1
#define _XOPEN_VERSION 4
+ #define _DEFAULT_SOURCE
#define _XPG4_2
#define _XPG6
#include <unistd.h>
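Review bot: The subject line of the added patch names `crypt_xxpg6.m4`, but the file it modifies is `m4/crypt_xpg6.m4`; the subject should read `m4: crypt_xpg6.m4: Define _DEFAULT_SOURCE for current glibc` so the patch can be found by file name. The body of the DOVECOT_CRYPT_XPG6 macro continues outside the hunk, so only the placement of `#define _DEFAULT_SOURCE` before `#include <unistd.h>` can be checked here, and that placement matches the description.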


@ -1,26 +1,28 @@
%global __provides_exclude_from %{_docdir} %global __provides_exclude_from %{_docdir}
%global __requires_exclude_from %{_docdir} %global __requires_exclude_from %{_docdir}
Summary: Secure imap and pop3 server Summary: Secure imap and pop3 server
Name: dovecot Name: dovecot
Epoch: 1 Epoch: 1
Version: 2.3.16 Version: 2.3.21
%global prever %{nil} %global prever %{nil}
Release: 6%{?dist} Release: 15%{?dist}
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
License: MIT and LGPLv2 License: MIT AND LGPL-2.1-only
Group: System Environment/Daemons
URL: http://www.dovecot.org/ URL: https://www.dovecot.org/
Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
Source1: dovecot.init Source1: dovecot.init
Source2: dovecot.pam Source2: dovecot.pam
%global pigeonholever 0.5.16 %global pigeonholever 0.5.21
Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
Source9: dovecot.sysconfig Source9: dovecot.sysconfig
Source10: dovecot.tmpfilesd Source10: dovecot.tmpfilesd
#our own #our own
Source14: dovecot.conf.5 Source14: dovecot.conf.5
Source15: prestartscript
Source16: dovecot.sysusers
# 3x Fedora/RHEL specific # 3x Fedora/RHEL specific
Patch1: dovecot-2.0-defaultconfig.patch Patch1: dovecot-2.0-defaultconfig.patch
@ -32,60 +34,67 @@ Patch6: dovecot-2.1.10-waitonline.patch
Patch8: dovecot-2.2.20-initbysystemd.patch Patch8: dovecot-2.2.20-initbysystemd.patch
Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
Patch10: dovecot-2.3.0.1-libxcrypt.patch
# sent upstream, rhbz#1630380 Patch15: dovecot-2.3.11-bigkey.patch
Patch11: dovecot-2.2.36-aclfix.patch
Patch13: dovecot-2.2.36-bigkey.patch
# do not use own implementation of HMAC, use OpenSSL for certification purposes # do not use own implementation of HMAC, use OpenSSL for certification purposes
# not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces
# hard to break circular dependency between lib and lib-dcrypt # hard to break circular dependency between lib and lib-dcrypt
Patch14: dovecot-2.3.6-opensslhmac.patch Patch16: dovecot-2.3.6-opensslhmac.patch
# from upstream, for dovecot < 2.3.17, s390x FTBFS fix # FTBFS
Patch15: dovecot-2.3.16-ftbfsbigend.patch Patch17: dovecot-2.3.15-fixvalcond.patch
Patch16: dovecot-2.3.16-keeplzma.patch Patch18: dovecot-2.3.15-valbasherr.patch
Patch20: dovecot-2.3.14-opensslv3.patch
Patch21: dovecot-2.3.19.1-7bad6a24.patch
Patch22: dovecot-configure-c99.patch
# from upstream, for <= 2.3.19.1, rhbz#2106232 # Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes
Patch17: dovecot-2.3.19.1-7bad6a24.patch Patch23: dovecot-2.3.20-nolibotp.patch
# from upstream, for < 2.3.19.1, rhbz#2128857 # adapted from 2.4 dovecot, issue #RHEL-33733
Patch18: dovecot-2.3.18-9f300239..4596d399.patch Patch24: dovecot-2.3.21-noengine.patch
Patch19: dovecot-2.3.18-bdf447e4.patch
# from upstream, for < 2.3.21, RHEL-22854 # sent upstream, issue #RHEL-52541
Patch20: dovecot-2.3.16-d7705bc6.patch Patch25: dovecot-2.3-ph_optglob.patch
Patch26: dovecot-2.3-ph_scriptcmp.patch
# from upstream for < 2.3.21.1, RHEL-55206
# https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
Patch21: dovecot-2.3.21.1-CVE-2024-23184.patch
# from upstream for < 2.3.21.1, RHEL-55219
# https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch
Patch22: dovecot-2.3.21.1-CVE-2024-23185.patch
# fix test failing due to too long path with all the mock path prefixes # fix test failing due to too long path with all the mock path prefixes
Patch23: dovecot-2.3.21-test-socket-path.patch Patch27: dovecot-2.3.21-test-socket-path.patch
Source15: prestartscript # from upstream for < 2.3.21.1, RHEL-55205
# https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
Patch28: dovecot-2.3.21.1-CVE-2024-23184.patch
BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel # from upstream for < 2.3.21.1, RHEL-55218
# https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch
Patch29: dovecot-2.3.21.1-CVE-2024-23185.patch
BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: libtool, autoconf, automake, pkgconfig
BuildRequires: sqlite-devel BuildRequires: sqlite-devel
BuildRequires: postgresql-devel BuildRequires: libpq-devel
#BuildRequires: libpq-devel
BuildRequires: mariadb-connector-c-devel BuildRequires: mariadb-connector-c-devel
#BuildRequires: libxcrypt-devel BuildRequires: libxcrypt-devel
BuildRequires: openldap-devel BuildRequires: openldap-devel
BuildRequires: krb5-devel BuildRequires: krb5-devel
BuildRequires: quota-devel BuildRequires: quota-devel
BuildRequires: xz-devel BuildRequires: xz-devel
BuildRequires: lz4-devel BuildRequires: lz4-devel
BuildRequires: libzstd-devel
%if %{?rhel}0 == 0
BuildRequires: libsodium-devel
BuildRequires: lua-devel
%endif
BuildRequires: libicu-devel
%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38
BuildRequires: libexttextcat-devel
BuildRequires: clucene-core-devel
%endif
BuildRequires: multilib-rpm-config BuildRequires: multilib-rpm-config
#BuildRequires: libsodium-devel BuildRequires: flex, bison
#BuildRequires: libexttextcat-devel BuildRequires: systemd-devel
#BuildRequires: libstemmer-devel BuildRequires: systemd-rpm-macros
# gettext-devel is needed for running autoconf because of the # gettext-devel is needed for running autoconf because of the
# presence of AM_ICONV # presence of AM_ICONV
@ -96,33 +105,17 @@ Requires: openssl >= 0.9.7f-4
# Package includes an initscript service file, needs to require initscripts package # Package includes an initscript service file, needs to require initscripts package
Requires(pre): shadow-utils Requires(pre): shadow-utils
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
Requires: systemd Requires: systemd
Requires(post): systemd-units Requires(post): systemd-units
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
%else
Requires: initscripts
Requires(post): chkconfig
Requires(preun): chkconfig initscripts
Requires(postun): initscripts
%endif
%if %{?fedora}0 > 150 || %{?rhel}0 >60
#clucene in fedora <=15 and rhel<=6 is too old
BuildRequires: clucene-core-devel
%endif
%global ssldir %{_sysconfdir}/pki/%{name} %global ssldir %{_sysconfdir}/pki/%{name}
%if %{?fedora}00%{?rhel} < 6
%global _initddir %{_initrddir}
BuildRequires: curl-devel expat-devel
%else
BuildRequires: libcurl-devel expat-devel BuildRequires: libcurl-devel expat-devel
%endif BuildRequires: make
%global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install %global restart_flag /run/%{name}/%{name}-restart-after-rpm-install
%description %description
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
@ -134,8 +127,7 @@ The SQL drivers and authentication plug-ins are in their subpackages.
%package pigeonhole %package pigeonhole
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: Sieve and managesieve plug-in for dovecot Summary: Sieve and managesieve plug-in for dovecot
Group: System Environment/Daemons License: MIT AND LGPL-2.1-only
License: MIT and LGPLv2
%description pigeonhole %description pigeonhole
This package provides sieve and managesieve plug-in for dovecot LDA. This package provides sieve and managesieve plug-in for dovecot LDA.
@ -143,60 +135,68 @@ This package provides sieve and managesieve plug-in for dovecot LDA.
%package pgsql %package pgsql
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: Postgres SQL back end for dovecot Summary: Postgres SQL back end for dovecot
Group: System Environment/Daemons
%description pgsql %description pgsql
This package provides the Postgres SQL back end for dovecot-auth etc. This package provides the Postgres SQL back end for dovecot-auth etc.
%package mysql %package mysql
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: MySQL back end for dovecot Summary: MySQL back end for dovecot
Group: System Environment/Daemons
%description mysql %description mysql
This package provides the MySQL back end for dovecot-auth etc. This package provides the MySQL back end for dovecot-auth etc.
%package devel %package devel
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: Development files for dovecot Summary: Development files for dovecot
Group: Development/Libraries
%description devel %description devel
This package provides the development files for dovecot. This package provides the development files for dovecot.
%prep %prep
%setup -q -n %{name}-%{version}%{?prever} -a 8 %setup -q -n %{name}-%{version}%{?prever} -a 8
# standardize name, so we don't have to update patches and scripts
mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole
%patch -P 1 -p1 -b .default-settings %patch -P 1 -p1 -b .default-settings
%patch -P 2 -p1 -b .mkcert-permissions %patch -P 2 -p1 -b .mkcert-permissions
%patch -P 3 -p1 -b .mkcert-paths %patch -P 3 -p1 -b .mkcert-paths
%patch -P 6 -p1 -b .waitonline %patch -P 6 -p1 -b .waitonline
%patch -P 8 -p1 -b .initbysystemd %patch -P 8 -p1 -b .initbysystemd
%patch -P 9 -p1 -b .systemd_w_protectsystem %patch -P 9 -p1 -b .systemd_w_protectsystem
%patch -P 11 -p1 -b .aclfix %patch -P 15 -p1 -b .bigkey
%patch -P 13 -p1 -b .bigkey %patch -P 16 -p1 -b .opensslhmac
%patch -P 14 -p1 -b .opensslhmac %patch -P 17 -p1 -b .fixvalcond
%patch -P 15 -p1 -b .ftbfsbigend %patch -P 18 -p1 -b .valbasherr
%patch -P 16 -p1 -b .keeplzma %patch -P 20 -p1 -b .opensslv3
%patch -P 17 -p1 -b .7bad6a24 %patch -P 21 -p1 -b .7bad6a24
%patch -P 19 -p1 -b .bdf447e4 %patch -P 22 -p1 -b .c99
%patch -P 20 -p1 -b .d7705bc6 %patch -P 23 -p1 -b .nolibotp
%patch -P 21 -p1 -b .CVE-2024-23184 %patch -P 24 -p1 -b .noengine
%patch -P 22 -p1 -b .CVE-2024-23185 %patch -P 25 -p1 -b .ph_optglob
%patch -P 23 -p1 -b .test-socket-path %patch -P 26 -p1 -b .ph_scriptcmp
pushd dovecot-2*3-pigeonhole-%{pigeonholever} %patch -P 27 -p1 -b .test-socket-path
%patch -P 18 -p1 -b .9f300239..4596d399 %patch -P 28 -p1 -b .CVE-2024-23184
%patch -P 29 -p1 -b .CVE-2024-23185
popd cp run-test-valgrind.supp dovecot-pigeonhole/
# valgrind would fail with shell wrapper
echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude
#pushd dovecot-pigeonhole
#popd
%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38
sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
%endif
# drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes
rm -rf src/lib-otp
%build %build
#required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules
%global _hardened_build 1 %global _hardened_build 1
export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
# el6 autoconf too old to regen; use packaged files (#1082384)
%if %{?fedora}00%{?rhel} > 6
mkdir -p m4 mkdir -p m4
autoreconf -I . -fiv #required for aarch64 support autoreconf -I . -fiv #required for aarch64 support
%endif
%configure \ %configure \
INSTALL_DATA="install -c -p -m644" \ INSTALL_DATA="install -c -p -m644" \
--with-rundir=%{_rundir}/%{name} \ --with-rundir=%{_rundir}/%{name} \
@ -214,20 +214,32 @@ autoreconf -I . -fiv #required for aarch64 support
--with-mysql \ --with-mysql \
--with-sqlite \ --with-sqlite \
--with-zlib \ --with-zlib \
--with-zstd \
--with-libcap \ --with-libcap \
--with-icu \
%if %{?rhel}0 == 0
--with-lua=plugin \
%endif
%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38
--with-lucene \ --with-lucene \
--with-exttextcat \
%else
--without-lucene \
--without-exttextcat \
%endif
--without-libstemmer \
--with-ssl=openssl \ --with-ssl=openssl \
--with-ssldir=%{ssldir} \ --with-ssldir=%{ssldir} \
--with-solr \ --with-solr \
--with-systemdsystemunitdir=%{_unitdir} \ --with-docs \
--with-docs systemdsystemunitdir=%{_unitdir}
sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf
make %{?_smp_mflags} %make_build
#pigeonhole #pigeonhole
pushd dovecot-2*3-pigeonhole-%{pigeonholever} pushd dovecot-pigeonhole
# required for snapshot # required for snapshot
[ -f configure ] || autoreconf -fiv [ -f configure ] || autoreconf -fiv
@ -239,13 +251,13 @@ pushd dovecot-2*3-pigeonhole-%{pigeonholever}
--with-dovecot=../ \ --with-dovecot=../ \
--without-unfinished-features --without-unfinished-features
make %{?_smp_mflags} %make_build
popd popd
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT %make_install
# move doc dir back to build dir so doc macro in files section can use it # move doc dir back to build dir so doc macro in files section can use it
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
@ -253,18 +265,14 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/
# fix multilib issues # fix multilib issues
%multilib_fix_c_header --file %{_includedir}/dovecot/config.h %multilib_fix_c_header --file %{_includedir}/dovecot/config.h
pushd dovecot-2*3-pigeonhole-%{pigeonholever} pushd dovecot-pigeonhole
make install DESTDIR=$RPM_BUILD_ROOT %make_install
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
popd popd
%if %{?fedora}00%{?rhel} < 6
sed -i 's|password-auth|system-auth|' %{SOURCE2}
%endif
install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot
#install man pages #install man pages
@ -273,6 +281,8 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5
#install waitonline script #install waitonline script
install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript
install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.sysusers
# generate ghost .pem files # generate ghost .pem files
mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs
mkdir -p $RPM_BUILD_ROOT%{ssldir}/private mkdir -p $RPM_BUILD_ROOT%{ssldir}/private
@ -281,14 +291,9 @@ chmod 600 $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem
touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf
%else
install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot
install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot
%endif
mkdir -p $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login} mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login}
# Install dovecot configuration and dovecot-openssl.cnf # Install dovecot configuration and dovecot-openssl.cnf
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d
@ -315,84 +320,72 @@ popd
%pre %pre
#dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid #dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid
getent group dovecot >/dev/null || groupadd -r --gid 97 dovecot %sysusers_create_compat %{SOURCE16}
getent passwd dovecot >/dev/null || \
useradd -r --uid 97 -g dovecot -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot IMAP server" dovecot
getent group dovenull >/dev/null || groupadd -r dovenull if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
getent passwd dovenull >/dev/null || \ then
useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's unauthorized user" dovenull # during LEAPP upgrade, services are not running anyway
# do not let dovecot run during upgrade rhbz#134325 # do not let dovecot run during upgrade rhbz#134325
if [ "$1" = "2" ]; then if [ "$1" = "2" ]; then
rm -f %restart_flag rm -f %restart_flag
%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||:
/bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||: /bin/systemctl stop %{name}.service >/dev/null 2>&1
/bin/systemctl stop %{name}.service >/dev/null 2>&1 fi
%else
/sbin/service %{name} status >/dev/null 2>&1 && touch %restart_flag ||:
/sbin/service %{name} stop >/dev/null 2>&1
%endif
fi fi
%post %post
if [ $1 -eq 1 ] if [ $1 -eq 1 ]
then then
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
%systemd_post dovecot.service %systemd_post dovecot.service
%else
/sbin/chkconfig --add %{name}
%endif
fi fi
install -d -m 0755 -g dovecot -d /var/run/dovecot install -d -m 0755 -g dovecot -d /run/dovecot
install -d -m 0755 -d /var/run/dovecot/empty install -d -m 0755 -d /run/dovecot/empty
install -d -m 0750 -g dovenull -d /var/run/dovecot/login install -d -m 0750 -g dovenull -d /run/dovecot/login
install -d -m 0750 -g dovenull -d /var/run/dovecot/token-login install -d -m 0750 -g dovenull -d /run/dovecot/token-login
[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot ||: [ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot ||:
%preun %preun
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
/bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || : /bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || :
/bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || : /bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || :
%else rm -rf /run/dovecot
/sbin/service %{name} stop > /dev/null 2>&1
/sbin/chkconfig --del %{name}
%endif
rm -rf /var/run/dovecot
fi fi
%postun %postun
%if %{?fedora}0 > 140 || %{?rhel}0 > 60 if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
/bin/systemctl daemon-reload >/dev/null 2>&1 || : then
%endif # during LEAPP upgrade, services are not running anyway
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ "$1" -ge "1" -a -e %restart_flag ]; then if [ "$1" -ge "1" -a -e %restart_flag ]; then
%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
/bin/systemctl start dovecot.service >/dev/null 2>&1 || : rm -f %restart_flag
%else fi
/sbin/service %{name} start >/dev/null 2>&1 || :
%endif
rm -f %restart_flag
fi fi
%posttrans %posttrans
# dovecot should be started again in %%postun, but it's not executed on reinstall
# if it was already started, restart_flag won't be here, so it's ok to test it again if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
if [ -e %restart_flag ]; then then
%if %{?fedora}0 > 140 || %{?rhel}0 > 60 # during LEAPP upgrade, services are not running anyway
# dovecot should be started again in %%postun, but it's not executed on reinstall
# if it was already started, restart_flag won't be here, so it's ok to test it again
if [ -e %restart_flag ]; then
/bin/systemctl start dovecot.service >/dev/null 2>&1 || : /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
%else rm -f %restart_flag
/sbin/service %{name} start >/dev/null 2>&1 || : fi
%endif
rm -f %restart_flag
fi fi
%check %check
%ifnarch aarch64
# some aarch64 tests timeout, skip for now
make check make check
cd dovecot-2*3-pigeonhole-%{pigeonholever} cd dovecot-pigeonhole
make check make check
%endif
%files %files
%doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT NEWS README %doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT NEWS README
@ -404,15 +397,11 @@ make check
%{_bindir}/dovecot-sysreport %{_bindir}/dovecot-sysreport
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
%_tmpfilesdir/dovecot.conf %_tmpfilesdir/dovecot.conf
%{_sysusersdir}/dovecot.sysusers
%{_unitdir}/dovecot.service %{_unitdir}/dovecot.service
%{_unitdir}/dovecot-init.service %{_unitdir}/dovecot-init.service
%{_unitdir}/dovecot.socket %{_unitdir}/dovecot.socket
%else
%{_initddir}/dovecot
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dovecot
%endif
%dir %{_sysconfdir}/dovecot %dir %{_sysconfdir}/dovecot
%dir %{_sysconfdir}/dovecot/conf.d %dir %{_sysconfdir}/dovecot/conf.d
@ -464,6 +453,9 @@ make check
%{_libdir}/dovecot/auth/lib20_auth_var_expand_crypt.so %{_libdir}/dovecot/auth/lib20_auth_var_expand_crypt.so
%{_libdir}/dovecot/auth/libauthdb_imap.so %{_libdir}/dovecot/auth/libauthdb_imap.so
%{_libdir}/dovecot/auth/libauthdb_ldap.so %{_libdir}/dovecot/auth/libauthdb_ldap.so
%if %{?rhel}0 == 0
%{_libdir}/dovecot/auth/libauthdb_lua.so
%endif
%{_libdir}/dovecot/auth/libmech_gssapi.so %{_libdir}/dovecot/auth/libmech_gssapi.so
%{_libdir}/dovecot/auth/libdriver_sqlite.so %{_libdir}/dovecot/auth/libdriver_sqlite.so
%{_libdir}/dovecot/dict/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdriver_sqlite.so
@ -483,10 +475,10 @@ make check
%{_libexecdir}/%{name} %{_libexecdir}/%{name}
%exclude %{_libexecdir}/%{name}/managesieve* %exclude %{_libexecdir}/%{name}/managesieve*
%dir %attr(0755,root,dovecot) %ghost /var/run/dovecot %dir %attr(0755,root,dovecot) %ghost /run/dovecot
%attr(0750,root,dovenull) %ghost /var/run/dovecot/login %attr(0750,root,dovenull) %ghost /run/dovecot/login
%attr(0750,root,dovenull) %ghost /var/run/dovecot/token-login %attr(0750,root,dovenull) %ghost /run/dovecot/token-login
%attr(0755,root,root) %ghost /var/run/dovecot/empty %attr(0755,root,root) %ghost /run/dovecot/empty
%attr(0750,dovecot,dovecot) /var/lib/dovecot %attr(0750,dovecot,dovecot) /var/lib/dovecot
@ -544,117 +536,338 @@ make check
%{_libdir}/%{name}/dict/libdriver_pgsql.so %{_libdir}/%{name}/dict/libdriver_pgsql.so
%changelog %changelog
* Tue Aug 20 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-6 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:2.3.21-15
- fix CVE-2024-23185: very large headers can cause resource exhaustion when parsing message (RHEL-55219) - Bump release for October 2024 mass rebuild:
- fix CVE-2024-23184: using a large number of address headers may trigger a denial of service (RHEL-55206) Resolves: RHEL-64018
* Fri Feb 16 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-5 * Tue Aug 20 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-14
- fixes assert-crash when IMAP client uses QRESYNC (#RHEL-22854) - fix CVE-2024-23185: very large headers can cause resource exhaustion
when parsing message (RHEL-55218)
- fix CVE-2024-23184: using a large number of address headers may trigger
a denial of service (RHEL-55205)
* Fri Aug 04 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4 * Mon Aug 05 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-13
- fix leaking mailboxes if virtual mailbox can't be opened (#2128857) - fix crash when user has sieve script that includes two missing scripts (RHEL-52541)
* Tue Jul 19 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3 * Tue Jul 23 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-12
- fix possible privilege escalation when similar master and non-master passdbs are used (#2106231) - fix building with noengine openssl
* Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-2 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1:2.3.21-11
- do not disable xz/lzma for now despite being deprecated - Bump release for June 2024 mass rebuild
* Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1 * Tue Jun 18 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-10
- set min uid to 1000
* Thu Jun 13 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-9
- do not run during systemd commands during leap upgrade
* Tue Jun 11 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-8
- drop dependency on libstemmer (#RHEL-40657)
* Mon May 13 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-7
- do not use deprecated openssl v3 engine api (#RHEL-33733)
* Wed Jan 31 2024 Pete Walter <pwalter@fedoraproject.org> - 1:2.3.21-6
- Rebuild for ICU 74
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.21-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.21-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Oct 24 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-3
- drop lucene to reduce dependency, use solr for fts instead
* Thu Oct 05 2023 Remi Collet <remi@remirepo.net> - 1:2.3.21-2
- rebuild for new libsodium
* Mon Sep 18 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-1
- updated to 2.3.21(2239134)
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.20-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jul 11 2023 František Zatloukal <fzatlouk@redhat.com> - 1:2.3.20-5
- Rebuilt for ICU 73.2
* Wed Apr 26 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.20-4
- update license tag format (SPDX migration) for https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1
* Tue Feb 14 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.20-3
- drop SHA1 OTP
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.20-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Jan 02 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.20-1
- updated to 2.3.20, pigeonhole to 0.5.20
* Mon Jan 02 2023 Florian Weimer <fweimer@redhat.com> - 1:2.3.19.1-8
- Port configure script to C99
* Sat Dec 31 2022 Pete Walter <pwalter@fedoraproject.org> - 1:2.3.19.1-7
- Rebuild for ICU 72
* Tue Nov 08 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.19.1-6
- use Wants=network-online.target instead of preexec nm-online (#2095949)
* Tue Oct 11 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.19.1-5
- build with lua support (#2132420)
* Mon Aug 01 2022 Frantisek Zatloukal <fzatlouk@redhat.com> - 1:2.3.19.1-4
- Rebuilt for ICU 71.1
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.19.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Jul 12 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.19.1-2
- fix possible privilege escalation when similar master and non-master passdbs are used
* Mon Jun 20 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.19.1-1
- updated to 2.3.19.1
* Mon May 30 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.19-1
- updated to 2.3.19, pigeonhole to 0.5.19
* Wed Feb 09 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.18-1
- updated to 2.3.18, pigeonhole to 0.5.18
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.17.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Dec 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.17.1-1
- dovecot updated to 2.3.17.1, pigeonhole to 0.5.17.1
- dsync: Add back accidentically removed parameters.
- lib-ssl-iostream: Fix assert-crash when OpenSSL returned syscall error
without errno.
- dovecot, managesieve and sieve-tool failed to run if ssl_ca was too large.
* Tue Nov 02 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.17-1
- dovecot updated to 2.3.17, pigeonhole to 0.5.17
* Tue Sep 28 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4
- reenable LTO
* Mon Sep 27 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3
- fix OpenSSLv3 issues 2005884
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1:2.3.16-2
- Rebuilt with OpenSSL 3.0.0
* Fri Aug 20 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1
- dovecot updated to 2.3.16, pigeonhole to 0.5.16 - dovecot updated to 2.3.16, pigeonhole to 0.5.16
- fix CVE-2021-33515 plaintext commands injection (#1980014) - fixes several regressions
* Wed Feb 03 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-9 * Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.15-2
- fix CVE-2020-24386 IMAP hibernation function allows mail access (#1913534) - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jan 12 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-8 * Mon Jun 21 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.15-1
- fix CVE-2020-25275 denial of service via mail MIME parsing (#1914019) - dovecot updated to 2.3.15, pigeonhole updated to 0.5.15
- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker controlled keys to
validate tokens, if attacker has local access.
- CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
- Add TSLv1.3 support to min_protocols.
- Allow configuring ssl_cipher_suites. (for TLSv1.3+)
* Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-7 * Wed May 19 2021 Pete Walter <pwalter@fedoraproject.org> - 1:2.3.14-4
- change run directory from /var/run to /run (#1805947) - Rebuild for ICU 69
* Wed Dec 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-6 * Wed May 19 2021 Pete Walter <pwalter@fedoraproject.org> - 1:2.3.14-3
- fix mail storage block count parsing (#1894418) - Rebuild for ICU 69
- MIME parser crashed when boundaries were wrong (#1888111)
* Mon Nov 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-5 * Mon May 10 2021 Jeff Law <jlaw@tachyum.com> - 1:2.3.14-2
- multilib compatibility (#1853137) - Re-enable LTO
* Fri Aug 07 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-4 * Mon Mar 22 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-1
- fix CVE-2020-12100 resource exhaustion via deeply nested MIME parts (#1866756) - dovecot updated to 2.3.14, pigeonhole to 0.5.14
- fix CVE-2020-12673 out of bound reads in dovecot NTLM implementation (#1866761) - use OpenSSL's implementation of HMAC
- fix CVE-2020-12674 crash due to assert in RPA implementation (#1866768) - Remove autocreate, expire, snarf and mail-filter plugins.
- Remove cydir storage driver.
- Remove XZ/LZMA write support. Read support will be removed in future release.
* Mon Jun 01 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-3 * Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 1:2.3.13-7
- fix CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS (#1840354) - rebuild for libpq ABI fix rhbz#1908268
- fix CVE-2020-10958 dovecot: command followed by sufficient number of newlines
leads to use-after-free (#1840357)
- fix CVE-2020-10967 dovecot: sending mail with empty quoted localpart
leads to DoS (#1840356)
* Thu Jan 09 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-2 * Mon Feb 01 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-6
- fix default attributes for ghost files - use make macros
* Tue Nov 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.13-5
- dovecot updated to 2.3.8 with pigeonhole updated to 0.5.8 (#1653117) - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-10 * Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-4
- fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte - fix multilib issues
* Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-3
- bump release and rebuild
* Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-2
- fix rundir location
* Wed Jan 06 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-1
- fix release number
* Mon Jan 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-0
- dovecot updated to 2.3.13, pigeonhole to 0.5.13
- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
allow logged in user to access other people's emails and filesystem
information.
- Metric filter and global event filter variable syntax changed to a
SQL-like format.
- auth: Added new aliases for %{variables}. Usage of the old ones is
possible, but discouraged.
- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
mechanism and related password schemes.
- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
- auth: Removed postfix postmap socket
* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-7
- change run directory from /var/run to /run (#1777922)
* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-6
- use bigger default key size (#1882939)
* Wed Sep 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-5
- fix gssapi issue
* Wed Aug 26 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-4
- fix FTBFS on 32bit systems
* Mon Aug 17 2020 Jeff Law <law@redhat.com> - 1:2.3.11.3-2
- Disable LTO
* Sat Aug 15 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-1
- CVE-2020-12100: Parsing mails with a large number of MIME parts could
have resulted in excessive CPU usage or a crash due to running out of
stack memory.
- CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
message buffer size, which leads to reading past allocation which can
lead to crash.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the lmtp
service to crash.
- CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
zero-length message, which leads to assert-crash later on.
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-3
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon May 18 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10.1-1
- dovecot updated to 2.3.10.1
- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
* Tue Apr 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10-1
- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10
* Wed Feb 12 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.3-1
- dovecot updated to 2.3.9.3
- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS
submission-login and lmtp processes.
- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation.
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.9.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Dec 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.2-1
- CVE-2019-19722: Mails with group addresses in From or To fields
caused crash in push notification drivers.
* Wed Dec 04 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9-1
- dovecot updated to 2.3.9, pigeonhole updated to 0.5.9
* Thu Oct 10 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
- dovecot updated to 2.3.8, pigeonhole 0.5.8
* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.7.2-1
- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2
- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap when scanning data in quoted strings, leading to out of bounds heap
memory writes (#1741788) memory writes
* Fri Aug 23 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-9 * Mon Aug 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:1-2.3.7.1
- reset errno before iterating through users (#1630410) - dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1
* Mon Jun 17 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-8 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.6-4
- fix CVE-2019-3814: improper certificate validation (#1674370) - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jun 14 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-7 * Fri May 31 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-3
- do not print error message when restorecon is not present - disable gcc 9 stack reuse temporarily
during install (#1626395)
- change default config to use minimal UID = 1000 (#1630410)
* Mon Jun 10 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-6 * Mon May 13 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-2
- use OpenSSl implementation of HMAC, disable CRAM-MD5 when FIPS is enabled (#1618749) - use /run instead of /var/run (#1706372)
* Tue Oct 16 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-5 * Thu May 02 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-1
- make key not that bigger (#1618714) - dovecot updated to 2.3.6, pigeonhole updated to 0.5.6
* Tue Oct 16 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-4 * Thu Apr 18 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.2-1
- generated key was too small (#1618714) - dovecot updated to 2.3.5.2
- fixes CVE-2019-10691: Trying to login with 8bit username containing
invalid UTF8 input causes auth process to crash if auth policy is enabled.
* Wed Sep 19 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-3 * Thu Mar 28 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.1-1
- fix global ACL directory configuration search path (#1630383) - dovecot updated to 2.3.5.1
- update first/last_valid_gid range patch (#1630410) - CVE-2019-7524: Missing input buffer size validation leads into
arbitrary buffer overflow when reading fts or pop3 uidl header
from Dovecot index.
* Mon Jul 30 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-2 * Wed Mar 06 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5-1
- fix defaut permissions of gost run files - dovecot updated to 2.3.5, pigeonhole updated to 0.5.5
* Thu Jun 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-1 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.4-3
- dovecot updated to 2.2.36, pigeonhole to 0.4.24 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu May 24 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-3 * Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1:2.3.4-2
- disable tcp_wrappers as it's not available in rhel8 - Rebuilt for libcrypt.so.2 (#1666033)
* Thu Apr 19 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-2 * Wed Jan 09 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.4-1
- include crypt.h explicitely - dovecot updated to 2.3.4, pigeonhole updated to 0.5.4
* Wed Mar 21 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-1 * Tue Oct 02 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.3-1
- dovecot updated to 2.2.35, pigeonhole updated to 0.4.23 - dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3
- doveconf hides more secrets now in the default output
- NUL bytes in mail headers can cause truncated replies when fetched.
- virtual plugin: Some searches used 100% CPU for many seconds
- dsync assert-crashed with acl plugin in some situations.
- imapc: Fixed various assert-crashes when reconnecting to server.
* Thu Mar 01 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.34-1
- dovecot updated to 2.2.34, pigeonhole updated to 0.4.22 * Tue Oct 02 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-4
- fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive - fix dovecot-init service syntax error (#1635017)
memory usage, causing imap-login/pop3-login VSZ limit to be reached
and the process restarted. This happens only if Dovecot config has * Mon Aug 13 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-3
local_name { } or local { } configuration blocks and attacker uses - do not try to generate ssl-params as its obsolete (#1614640)
randomly generated SNI servernames.
- fixes CVE-2017-14461: Parsing invalid email addresses may cause a crash or * Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.2.1-2
leak memory contents to attacker. For example, these memory contents - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
might contain parts of an email from another user if the same imap
process is reused for multiple users. * Tue Jul 10 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-1
- fixes CVE-2017-15132: Aborted SASL authentication leaks memory in login - SSL/TLS servers may have crashed during client disconnection
process.
* Mon Jul 09 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2-1
- dovecot updated to 2.3.2, pigeonhole to 0.5.2
* Wed Mar 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.1-2
- fix ftbfs - murmurhash3 check fail
* Wed Mar 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.1-1
- dovecot updated to 2.3.1, pigeonhole updated to 0.5.1
* Tue Mar 27 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-3
- use libxcrypt for Fedora >= 28, part of ftbfs fix (#1548520)
* Wed Mar 07 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-2
- add gcc buildrequire
* Thu Mar 01 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-1
- dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:2.2.33.2-5 * Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:2.2.33.2-5
- Escape macros in %%changelog - Escape macros in %%changelog

9
dovecot.sysusers Normal file

@ -0,0 +1,9 @@
#Type Name ID GECOS Home directory Shell
g dovecot 97
u dovecot 97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
m dovecot dovecot
g dovenull -
u dovenull - "Dovecot - unauthorized user" /usr/libexec/dovecot /sbin/nologin
m dovenull dovenull
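Review bot: The `dovenull` lines have no comment explaining why the account exists or why it gets a dynamic ID (`-`) while `dovecot` is pinned to 97. In Dovecot's privilege-separation model dovenull is normally the account for the pre-authentication login processes, so a line above `g dovenull -` would help the next maintainer, for example `# dovenull: unprivileged account for login processes; do not add it to any other group`. The `m dovecot dovecot` and `m dovenull dovenull` lines also look redundant, since a `u` line already creates the matching primary group; confirm against sysusers.d(5) before dropping them.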

6
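--- a/gating.yaml
+++ b/gating.yaml
@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+- rhel-10
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}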

34
plans/tier1.fmf Normal file

@ -0,0 +1,34 @@
---
summary: Tier1 plan for dovecot
discover:
how: fmf
url: https://pkgs.devel.redhat.com/git/tests/dovecot
ref: master
filter: tier:1
prepare:
- how: shell
script: |
set -euxo pipefail
ENABLE_REPO_CMD="yum-config-manager --enable"
if command -v dnf >/dev/null 2>&1; then
ENABLE_REPO_CMD="dnf config-manager --set-enabled"
fi
${ENABLE_REPO_CMD} beaker-tasks || :
- how: shell
script: |
set -exuo pipefail
if [[ -f /etc/os-release ]]; then
. /etc/os-release
if [[ "${ID:-}" == "rhel" && "${VERSION_ID%%.*}" -ge 8 ]]; then
dnf config-manager --enable rhel-CRB
fi
fi
execute:
how: tmt
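Review bot: `ref: master` in the discover step makes the gate run whatever the tests repository's branch head is at run time, so a build can pass or fail on test content that was never reviewed alongside this package. Pinning to a tag or commit, `ref: <tag-or-commit-placeholder>`, keeps the gate reproducible and makes each test change an explicit bump. Separately, `${ENABLE_REPO_CMD} beaker-tasks || :` discards the failure despite `set -e`. If that is deliberate best-effort, a short comment above it would say so, for example `# beaker-tasks repo is optional; ignore it when absent`.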

2
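--- a/sources
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (dovecot-2.3.21.tar.gz) = 2d463c38639c3fd3d617ee5b1a4e4d0c11362339c4d4d62a5a90164a8b10bc58919545679bbf379139bdb743fdb013033abfddc1fc6401eb8099463cdc2401ca
+SHA512 (dovecot-2.3-pigeonhole-0.5.21.tar.gz) = 5537444025a474ee1b79919a424e24530695aec639361c531257f25fac286673719d476906d99d47e348deb57baa75419bff7dd284c82d2b751334dedec96314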