Source: dovecot

dovecot (1:2.2.33.2-1ubuntu4) bionic; urgency=medium

  * SECURITY UPDATE: rfc822_parse_domain Information Leak Vulnerability
    - debian/patches/CVE-2017-14461/*.patch: upstream parsing fixes.
    - CVE-2017-14461
  * SECURITY UPDATE: TLS SNI config lookups DoS
    - debian/patches/CVE-2017-15130/*.patch: upstream config filtering fix.
    - CVE-2017-15130

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 26 Feb 2018 12:34:24 -0500

dovecot (1:2.2.33.2-1ubuntu3) bionic; urgency=medium

  * SECURITY UPDATE: Memory leak that can cause crash due to memory exhaustion
    - debian/patches/CVE-2017-15132.patch: fix memory leak in
      auth_client_request_abort() in src/lib-auth/auth-client-request.c.
    - debian/patches/CVE-2017-15132-additional.patch: remove request after
      abort in src/lib-auth/auth-client-request.c,
      src/lib-auth/auth-server-connection.c,
      src/lib-auth/auth-serser-connection.h.
    - CVE-2017-15132

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Fri, 23 Feb 2018 09:49:11 -0500

dovecot (1:2.2.33.2-1ubuntu2) bionic; urgency=high

  * No change rebuild against openssl1.1.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 06 Feb 2018 12:41:35 +0000

dovecot (1:2.2.33.2-1ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Add updated autopkgtest to debian/tests/*.
    - Drop build dependency on libstemmer-dev (universe)
    - Add mail-stack-delivery
      - add package in d/rules, d/control
      - add d/*mail-stack-delivery* maintainer scripts and default conf
      - d/mail-stack-delivery.preinst: Move previously installed backups and
        config files to a new package namespace.
      - d/mail-stack-delivery.README.Debian clarified use of configuration
        files
    - handle conffile removal of /etc/init/dovecot.conf (due to dropping
      upstart). Can be removed once no upgrade path from <yakkety is left.
    - Disable dovecot-lucene plugin as it had various issues and is
      deprecated in favor of solr anyway (LP 1524526).
  * Dropped changes (in Debian):
    - Use Snakeoil SSL certificates by default
    - d/control: Depend on ssl-cert
  * Added changes:
    - d/mail-stack-delivery.postinst: Use ssl key/cert paths now set up by
      dovecot-core; transition for such configs formerly set up by
      mail-stack-delivery to use the new default ssl config (if user had no
      conffile change or chooses new defaults).
    - d/mail-stack-delivery.postinst: if moving dovecot to the new defaults
      on upgrade, also move the related postfix key/cert entries.
    - debian/99-mail-stack-delivery.conf: do not explicitly enable protocols
      as all installed are auto-included from the base config now.
    - adapt autopkgtests to match new version.
    - d/control: for the ssl transition to work we need to ensure
      dovecot-core is complete before upgrading mail-stack-delivery, so add
      a Pre-Depends.
    - d/mail-stack-delivery.postinst: add SSL_CERT/SSL_KEY detection to
      postconf section (was formerly initialized at the now dropped key
      setup)
    - d/mail-stack-delivery.postinst: fix SSL_CERT/SSL_KEY detection to only
      read non-comments from the right keywords and to strip common
      bad-chars
    - d/mail-stack-delivery.postinst: stop modifying mandatory tls config,
      recent upstream has sane defaults now
    - debian/99-mail-stack-delivery.conf: drop explicit ssl_cipher_list,
      recent upstream has sane defaults now

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 16 Aug 2017 16:50:29 +0200

Modifications:
  1. Download patch debian/mail-stack-delivery.postinst

    --- 1:2.2.33.2-1/debian/mail-stack-delivery.postinst 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/mail-stack-delivery.postinst 2017-08-16 14:50:29.000000000 +0000 
@@ -0,0 +1,188 @@ +#!/bin/sh + +set -e + +POSTFIX_BCKFILE="/var/backups/mail-stack-delivery/main.cf-backup" + +set_postfix_option() { + opt="$1" + # Backup the existion value of the option + postconf $(echo ${opt} | cut -d= -f1) >> ${POSTFIX_BCKFILE} || true + # Set the new value of the option + postconf -e "${opt}" + echo -n '.' +} + +backup() { + file="${1}" + if [ -e "${file}" ]; then + backup=$(mktemp "${file}.backup.XXXXX") + echo "Backing up old ${file} to ${backup}" + mv "${file}" "${backup}" + fi +} + +if [ "$1" = "configure" ]; then + # Note: ssl upgrade handling can be dropped after 18.04 as snakeoil + # support is in Debian now + # - this section formerly set up the symlinks to snakeoil (now dovecot-core) + # - /etc/dovecot/conf.d/10-ssl.conf is managed by ucf in dovecot-core since + # this version + # - due to depends this will run AFTER the configure of dovecot-core + # - This is special since Debian took different (better) config paths + # - Keys are now set up by dovecot-core, but we need to care about old + # configs done by mail-stack-delivery to "transfer" as smooth as possible. + # The old config by mail-stack-delivery was: keys prepared (different + # paths), but not enabled in /etc/dovecot/conf.d/10-ssl.conf + # + # First part: SSL upgrade handling mail-stack-delivery -> dovecot-core + # We have the following cases on upgrade: + # A - If a user opted to take the new config + # A1 - formerly used the default config, then ssl was prepared but not + # enabled. So in this case just create the same default as a "new + # install" would now (default -> default without collisions). + # A2 - formerly used a custom config but now chose maintainers version. + # This throws away custom ssl config intentionally - set it up as + # on a new install as well in that case. 
+ # So A1 == A2 and would be the default, but if mail-stack-delivery was + # installed the existance of /etc/dovecot/private/dovecot.pem has + # blocked the creation of the new keys in dovecot-core. + # B - If a user kept a custom config, then we keep all files as-is to + # continue to work as it was before and not set up any "new" ssl things. + # A/B can be fully decided AFTER dovecot-core installed (via query to ucf) + # Since mail-stack-delivery depends on dovecot-core it will be configured + # after it. + # + # Second part: SSL upgrade handling mail-stack-delivery -> dovecot-core + # If a user opted to "keep" an old custom 10-ssl.conf he won't get the + # enablement via that. + # Therefore if 99-mail-stack-delivery.conf matched the old logged md5sum + # it was auto-upgraded, but in this special case we want to keep it. + # + # - le-nl considers empty versions (new install) as greater, so no match + # in that case (as intended) + if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl "1:2.2.33.2-1ubuntu1~"; then + msdconf="/etc/dovecot/conf.d/99-mail-stack-delivery.conf" + sslconf="/etc/dovecot/conf.d/10-ssl.conf" + customconf=$(ucfq --with-colons "${sslconf}" | cut -d':' -f 4) + if [ ! "x${customconf}" = "xYes" ]; then + # Default config is in use, set up keys + newcert="/etc/dovecot/private/dovecot.pem" + oldcert="/etc/dovecot/dovecot.pem" + newkey="/etc/dovecot/private/dovecot.key" + oldkey="/etc/dovecot/private/dovecot.pem" + # Remove old mail-stack-delivery SSL artifacts + # (Never really remove, as it could be complex or expensive to restore) + echo "The system is using the new Dovecot Key/Cert paths," + echo "update Key/Cert formerly set up by mail-stack-delivery to match." 
+ backup "/etc/dovecot/dovecot.pem" + backup "/etc/dovecot/private/dovecot.pem" + # Backup potential other artifact on the key path + backup "/etc/dovecot/private/dovecot.key" + # Add debian-core style snakeoil links + ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem "${newcert}" + ln -s /etc/ssl/private/ssl-cert-snakeoil.key "${newkey}" + # Once here the user chose to take the new defaults, so we "moved" the + # formerly used cert paths in dovecot (above), in this case we also need + # to modify the postfix conf to follow as well. + if [ -f "/etc/postfix/main.cf" ]; then # postfix conf exists + if [ -f "$POSTFIX_BCKFILE" ]; then # this is a "normal" case modified by mail-stack-delivery + curcert=$(postconf smtpd_tls_cert_file | cut -d= -f2 | tr -d ' ') + curkey=$(postconf smtpd_tls_key_file | cut -d= -f2 | tr -d ' ') + if [ "${curcert}" = "${oldcert}" -a "${curkey}" = "${oldkey}" ]; then + # Config is still on the defaults that mail-stack-delivery set up + echo "Postfix conf still on mail-stack-delivery defaults, auto-following dovecot changes" + set_postfix_option "smtpd_tls_cert_file = ${newcert}" + set_postfix_option "smtpd_tls_key_file = ${newkey}" + else + echo "Dovecot/Mail-Stack-Delivery now use the new default key paths" + echo "key: ${newkey}" + echo "cert: ${newcert}" + echo "But the local postfix configuration was modified," + echo "thereby postfix will not be updated automatically." + echo "Current postfix-key: ${curkey}" + echo "Current postfix-cert: ${curcert}" + echo "Please update manually to match your required configuration" + fi + fi + fi + else + # Kept custom config, so we want to ensure we don't auto-upgrade + # 99-mail-stack-delivery.conf to the ssl disabled version that relies on + # 10-ssl.conf to do so. 
+ if [ -e "${msdconf}.olddefault" ]; then + echo "Custom ${sslconf}, so retain former ${msdconf}" + mv "${msdconf}" "${msdconf}.newdefault" + backup "${msdconf}.newdefault" + mv "${msdconf}.olddefault" "${msdconf}" + fi + fi + # remove unconditionally after upgrade handling, keep backup for fallback + backup "${msdconf}.olddefault" + fi + + # Configure postfix either on new install + # or if the postfix backup file is no longer there + # (only deleted when the pkg is removed) + if [ -f "/etc/postfix/main.cf" ]; then + if [ -e "$POSTFIX_BCKFILE" ]; then + cp "$POSTFIX_BCKFILE" "${POSTFIX_BCKFILE}-$(date +%Y%m%d%H%M)" + fi + if [ -z "$2" -o ! -e "$POSTFIX_BCKFILE" ]; then + if which postconf >/dev/null; then + # Setup postfix + SSL_CERT=$( (grep -m 1 "^ssl_cert" /etc/dovecot/conf.d/10-ssl.conf || echo '/etc/ssl/certs/dovecot.pem') | cut -d'=' -f2 | tr -d '< ') + SSL_KEY=$( (grep -m 1 "^ssl_key" /etc/dovecot/conf.d/10-ssl.conf || echo '/etc/ssl/private/dovecot.pem') | cut -d'=' -f2 | tr -d '< ') + echo 'Mail stack delivery changes some postfix settings.' + echo 'Old values are stored in '$POSTFIX_BCKFILE'.' + echo 'Feel free to revert any of them when the process is done.' 
+ echo 'Configuring postfix for mail-stack-delivery integration: ' + set_postfix_option "home_mailbox = Maildir/" + set_postfix_option "smtpd_sasl_auth_enable = yes" + set_postfix_option "smtpd_sasl_type = dovecot" + set_postfix_option "smtpd_sasl_path = private/dovecot-auth" + set_postfix_option "smtpd_sasl_authenticated_header = yes" + set_postfix_option "smtpd_sasl_security_options = noanonymous" + set_postfix_option "smtpd_sasl_local_domain = \$myhostname" + set_postfix_option "broken_sasl_auth_clients = yes" + set_postfix_option "smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination" + set_postfix_option "smtpd_sender_restrictions = reject_unknown_sender_domain" + set_postfix_option "mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m \"\${EXTENSION}\"" + set_postfix_option "smtpd_tls_cert_file = ${SSL_CERT}" + set_postfix_option "smtpd_tls_key_file = ${SSL_KEY}" + set_postfix_option "smtpd_use_tls = yes" + set_postfix_option "smtp_use_tls = yes" + set_postfix_option "smtpd_tls_received_header = yes" + set_postfix_option "smtpd_tls_auth_only = yes" + set_postfix_option "tls_random_source = dev:/dev/urandom" + echo ' done.' + fi + fi + else + echo "" + echo "Postfix not configured. Run" + echo "sudo dpkg-reconfigure postfix and choose" + echo "the type of mail server. Then run" + echo "sudo dpkg-reconfigure mail-stack-delivery to" + echo "finish mail-stack-delivery installation." + echo "" + fi + + if [ -x "/etc/init.d/dovecot" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d dovecot restart + else + service dovecot restart + fi + fi + if [ -x "/etc/init.d/postfix" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d postfix restart + else + service postfix restart + fi + fi + +fi + +#DEBHELPER#
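Review bot: the new-install fallback paths in the postfix section do not match the key/cert layout the upgrade section of the same script just created. `grep -m 1 "^ssl_cert" /etc/dovecot/conf.d/10-ssl.conf` only matches an uncommented `ssl_cert =` line; when it does not match, `/etc/ssl/certs/dovecot.pem` and `/etc/ssl/private/dovecot.pem` are written into `smtpd_tls_cert_file`/`smtpd_tls_key_file`, while dovecot itself is pointed at `/etc/dovecot/private/dovecot.pem` and `/etc/dovecot/private/dovecot.key` a few lines earlier, so postfix can end up referencing files that do not exist and failing TLS startup. Suggest using the same `newcert`/`newkey` values as the fallback. Two smaller points: `newcert` and `oldkey` are the same path (`/etc/dovecot/private/dovecot.pem`), so the `backup "/etc/dovecot/private/dovecot.pem"` call is what keeps the later `ln -s` from aborting the script under `set -e`, and that ordering dependency deserves a comment; and `smtpd_use_tls`/`smtp_use_tls` are the obsolete spellings of `smtpd_tls_security_level`/`smtp_tls_security_level`, so the remaining `set_postfix_option` lines should be updated to the current parameters while this section is being reworked.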
  2. Download patch debian/mail-stack-delivery.README.Debian

    --- 1:2.2.33.2-1/debian/mail-stack-delivery.README.Debian 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/mail-stack-delivery.README.Debian 2017-08-16 14:50:29.000000000 +0000 @@ -0,0 +1,24 @@ +Introduction +------------------- + +Mail-stack-delivery will not install any binary or library files. This package +contains only configuration file /etc/dovecot/mail-stack-delivery.conf with +configuration prerpared by Ubuntu Server Team. + +The matching configuration for dovecot is placed in: + /etc/dovecot/conf.d/99-mail-stack-delivery.conf + +During installation of package, it modifies postfix's configuration and +stores original version of /etc/postfix/main.cf in /var/backup/mail-stack-delivery. + +Features of mail-stack-delivery: +---------------------------- + +- IMAP4rev1 and POP3, including support for TLS and SSL +- SMTP, including support for TLS and SSL +- support for sieve scripting +- managesieve for managing sieve scripts directly on server +- dovecot MDA, including extensions separated with '+' +- Maildir storage engine +- SASL authentication (plain and login) +- support only for medium and high TLS/SSL ciphers
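Review bot: the README disagrees with the rest of the package on paths. It says the copy of /etc/postfix/main.cf is stored in /var/backup/mail-stack-delivery, while the postinst writes POSTFIX_BCKFILE under /var/backups/mail-stack-delivery and debian/mail-stack-delivery.dirs creates var/backups/mail-stack-delivery; the opening paragraph names /etc/dovecot/mail-stack-delivery.conf, but the only file shipped is /etc/dovecot/conf.d/99-mail-stack-delivery.conf. The last feature line, "support only for medium and high TLS/SSL ciphers", is no longer accurate once the explicit ssl_cipher_list is dropped from 99-mail-stack-delivery.conf as the changelog states; an operator reading it would assume a cipher restriction the package does not enforce. Also "prerpared" should be "prepared".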
  3. Download patch debian/tests/testlib_dovecot.py

    --- 1:2.2.33.2-1/debian/tests/testlib_dovecot.py 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/tests/testlib_dovecot.py 2017-08-16 14:50:29.000000000 +0000 
@@ -0,0 +1,140 @@ +#!/usr/bin/python3 +''' + Packages required: dovecot-imapd dovecot-pop3d +''' + +import subprocess, shutil, grp, os, os.path, sys, time, socket + +class Dovecot: + def get_mailbox(self): + return self.mailbox + + def __init__(self,user,config=None): + '''Create test scenario. + + dovecot is configured for all protocols (imap[s] and pop3[s]), a test + user is set up, and /var/mail/$user contains an unread and a read mail. + ''' + + self.old_version = False + if config == None: + config=''' +protocols = imap pop3 +log_timestamp = "%Y-%m-%d %H:%M:%S " +mail_privileged_group = mail +managesieve_notify_capability = mailto +managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext +mmap_disable = yes +ssl = yes +ssl_cert = </etc/dovecot/private/dovecot.pem +ssl_key = </etc/dovecot/private/dovecot.key +auth_mechanisms = PLAIN +mail_location = mbox:~/mail:INBOX=/var/mail/%u +service auth { + user = root +} +protocol pop3 { + pop3_uidl_format = %08Xu%08Xv +} +userdb { + driver = passwd +} +passdb { + driver = passwd-file + args = username_format=%n scheme=PLAIN /etc/dovecot/test.passwd +} +''' + + # make sure that /etc/inetd.conf exists to avoid init script errors + self.created_inetdconf = False + if not os.path.exists('/etc/inetd.conf'): + open('/etc/inetd.conf', 'a').close() + self.created_inetdconf = True + + # configure and restart dovecot + if not os.path.exists('/etc/dovecot/dovecot.conf.autotest'): + shutil.copyfile('/etc/dovecot/dovecot.conf', '/etc/dovecot/dovecot.conf.autotest') + with open('/etc/dovecot/dovecot.conf', 'w') as cfgfile: + cfgfile.write(config) + + with open('/etc/dovecot/test.passwd','w') as f: + f.write('%s:{plain}%s\n' % (user.login, user.password)) + + # restart will fail if dovecot is not already running + 
subprocess.call(['service', 'dovecot', 'stop'], stdout=subprocess.PIPE) + # systemd rate limit will kill it without a bit of sleep (max 5 in 10 sec) + time.sleep(3) + subprocess.check_call(['service', 'dovecot', 'start'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + + # Dovecot is not immediately available, wait for sockets + start = time.time() + for dovesock in ['master', 'config', 'anvil']: + if (time.time() - start) > 60: + raise TimeoutError("could not reach dovecot sockets") + server_address = '/var/run/dovecot/%s' % dovesock + connected = False + while not connected: + try: + sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) + sock.connect(server_address) + connected = True + sock.close() + except socket.error as err: + time.sleep(1) + pass # just retry + + self.running = True + + # create test mailbox with one new and one old mail + self.mailbox = '/var/mail/' + user.login + self.orig_mbox = \ +'''From test1@test1.com Fri Nov 17 02:21:08 2006 +Date: Thu, 16 Nov 2006 17:12:23 -0800 +From: Test User 1 <test1@test1.com> +To: Dovecot tester <dovecot@test.com> +Subject: Test 1 +Status: N + +Some really important news. + +From test2@test1.com Tue Nov 28 11:29:34 2006 +Date: Tue, 28 Nov 2006 11:29:34 +0100 +From: Test User 2 <test2@test2.com> +To: Dovecot tester <dovecot@test.com> +Subject: Test 2 +Status: R + +More news. + +Get cracking! 
+''' + with open(self.mailbox, 'w') as f: + f.write(self.orig_mbox) + os.chown(self.mailbox, user.uid, grp.getgrnam('mail')[2]) + os.chmod(self.mailbox, 0o660) + + def __del__(self): + if self.running: + self.close() + + def close(self): + assert self.running + + # restore original configuration and restart dovecot + os.rename('/etc/dovecot/dovecot.conf.autotest', '/etc/dovecot/dovecot.conf') + # quiesce, default configuration has no protocols + subprocess.call(['service', 'dovecot', 'restart'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + + if self.created_inetdconf: + os.unlink('/etc/inetd.conf') + + self.running = False + + def get_ssl_fingerprint(self): + pem = '/etc/ssl/certs/dovecot.pem' + if not os.path.exists(pem): + pem = '/etc/ssl/certs/ssl-cert-snakeoil.pem' + + sp = subprocess.Popen(['openssl','x509','-in',pem,'-noout','-md5','-fingerprint'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True) + return sp.communicate(None)[0].split('=',1)[1].strip() +
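Review bot: get_ssl_fingerprint() raises TypeError under the python3 shebang: Popen with stdout=PIPE returns bytes, and bytes.split('=', 1) with a str separator is rejected; decode first (`sp.communicate()[0].decode().split('=', 1)[1].strip()`) or pass universal_newlines=True. The socket wait loop has a second problem: the 60-second timeout is checked only once per socket name, outside `while not connected`, so if /var/run/dovecot/master, config or anvil never appears the test hangs instead of failing; move the `time.time() - start > 60` check inside the inner loop. Minor: the `except socket.error as err` binds a name that is never used, and the bare `pass` after `time.sleep(1)` is redundant.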
  4. Download patch debian/tests/general
  5. Download patch debian/tests/control

    --- 1:2.2.33.2-1/debian/tests/control 2017-10-13 13:02:58.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/tests/control 2017-08-16 14:50:29.000000000 +0000 @@ -8,3 +8,9 @@ Depends: dovecot-core, systemd-sysv Test-Command: run-parts --report --exit-on-error debian/tests/usage Depends: dovecot-imapd, dovecot-pop3d, python3 Restrictions: needs-root, breaks-testbed, allow-stderr + +# the old Ubuntu tests +Tests: general +Restrictions: needs-root +Features: no-build-needed +Depends: python3, dovecot-imapd, dovecot-pop3d, dovecot-managesieved, mail-stack-delivery, init-system-helpers
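Review bot: the new `general` stanza should declare `breaks-testbed` like the stanza above it. testlib_dovecot.py overwrites /etc/dovecot/dovecot.conf, writes /etc/dovecot/test.passwd and /var/mail/$user, and stops and starts the service, so a testbed is not safely reusable after a failed run even though the library tries to restore the original config in close().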
  6. Download patch debian/patches/CVE-2017-14461/0006-lib-mail-Refactor-code-to-make-the-next-commit-small.patch

    --- 1:2.2.33.2-1/debian/patches/CVE-2017-14461/0006-lib-mail-Refactor-code-to-make-the-next-commit-small.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/CVE-2017-14461/0006-lib-mail-Refactor-code-to-make-the-next-commit-small.patch 2018-02-26 17:31:18.000000000 +0000 
@@ -0,0 +1,94 @@ +From 18a7a161c8dae6f630770a3cbab7374a0c3dd732 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@dovecot.fi> +Date: Tue, 9 Jan 2018 11:33:59 -0500 +Subject: [PATCH 6/7] lib-mail: Refactor code to make the next commit smaller + +--- + src/lib-mail/message-address.c | 4 ++-- + src/lib-mail/message-id.c | 30 +++++++++++++----------------- + src/lib-mail/message-parser.c | 5 ++--- + 3 files changed, 17 insertions(+), 22 deletions(-) + +diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c +index 88d638a..afeef88 100644 +--- a/src/lib-mail/message-address.c ++++ b/src/lib-mail/message-address.c +@@ -400,9 +400,9 @@ message_address_parse_real(pool_t pool, const unsigned char *data, size_t size, + + if (rfc822_skip_lwsp(&ctx.parser) <= 0) { + /* no addresses */ +- return NULL; ++ } else { ++ (void)parse_address_list(&ctx, max_addresses); + } +- (void)parse_address_list(&ctx, max_addresses); + return ctx.first_addr; + } + +diff --git a/src/lib-mail/message-id.c b/src/lib-mail/message-id.c +index d6aa357..772535b 100644 +--- a/src/lib-mail/message-id.c ++++ b/src/lib-mail/message-id.c +@@ -9,6 +9,7 @@ static bool get_untokenized_msgid(const char **msgid_p, string_t *msgid) + { + struct rfc822_parser_context parser; + int ret; ++ bool success = FALSE; + + rfc822_parser_init(&parser, (const unsigned char *)*msgid_p, + strlen(*msgid_p), NULL); +@@ -27,23 +28,18 @@ static bool get_untokenized_msgid(const char **msgid_p, string_t *msgid) + ret = rfc822_parse_quoted_string(&parser, msgid); + else + ret = rfc822_parse_dot_atom(&parser, msgid); +- if (ret <= 0) +- return FALSE; +- +- if (*parser.data != '@') +- return FALSE; +- str_append_c(msgid, '@'); +- parser.data++; +- rfc822_skip_lwsp(&parser); +- +- if (rfc822_parse_dot_atom(&parser, msgid) <= 0) +- return FALSE; +- +- if (*parser.data != '>') +- return FALSE; +- +- *msgid_p = (const char *)parser.data + 1; +- return TRUE; ++ if (ret > 0 && *parser.data == '@') { ++ 
str_append_c(msgid, '@'); ++ parser.data++; ++ rfc822_skip_lwsp(&parser); ++ ++ if (rfc822_parse_dot_atom(&parser, msgid) > 0 && ++ *parser.data == '>') { ++ *msgid_p = (const char *)parser.data + 1; ++ success = TRUE; ++ } ++ } ++ return success; + } + + static void strip_lwsp(char *str) +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 8caf7d8..b95448a 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -499,9 +499,8 @@ static void parse_content_type(struct message_parser_ctx *ctx, + ctx->part->flags |= MESSAGE_PART_FLAG_MULTIPART_DIGEST; + } + +- if (ret < 0) +- return; +- if ((ctx->part->flags & MESSAGE_PART_FLAG_MULTIPART) == 0 || ++ if (ret < 0 || ++ (ctx->part->flags & MESSAGE_PART_FLAG_MULTIPART) == 0 || + ctx->last_boundary != NULL) + return; + +-- +2.1.4 +
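Review bot: in the message-address.c hunk the no-address path changes from `return NULL` to falling through to `return ctx.first_addr`; that is only behaviour-preserving if `ctx.first_addr` is guaranteed to be NULL before `rfc822_skip_lwsp()` runs (ctx zero-initialised at the top of message_address_parse_real), which is outside the visible context and worth confirming when backporting. The message-id.c and message-parser.c hunks are equivalent as shown: every removed early `return FALSE` / `return` maps onto a clause of the merged condition, and `success` starts FALSE.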
  7. Download patch debian/rules

    --- 1:2.2.33.2-1/debian/rules 2017-10-13 13:27:39.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/rules 2017-08-16 14:50:29.000000000 +0000 @@ -64,8 +64,6 @@ sieve_files = usr/bin/sieve* \ solr_files = usr/lib/dovecot/modules/lib??_fts_solr_* -lucene_files = usr/lib/dovecot/modules/lib??_fts_lucene_* - dev_files = usr/include/* \ usr/lib/dovecot/dovecot-config \ usr/share/aclocal/*.m4 @@ -88,7 +86,7 @@ override_dh_auto_configure: --with-solr \ --with-ioloop=best \ --with-libwrap \ - --with-lucene \ + --without-lucene \ --with-lz4 \ --prefix=/usr \ --sysconfdir=/etc \ @@ -160,6 +158,9 @@ override_dh_install: install -m644 debian/dovecot-imapd.ufw.profile debian/dovecot-imapd/etc/ufw/applications.d/dovecot-imapd install -m644 debian/dovecot-pop3d.ufw.profile debian/dovecot-pop3d/etc/ufw/applications.d/dovecot-pop3d + mkdir -p $(CURDIR)/debian/mail-stack-delivery/etc/dovecot/conf.d/ + cp $(CURDIR)/debian/99-mail-stack-delivery.conf $(CURDIR)/debian/mail-stack-delivery/etc/dovecot/conf.d/ + override_dh_installpam: dh_installpam -pdovecot-core --name=dovecot
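Review bot: the new override_dh_install lines use `cp` where the two adjacent lines use `install -m644`; `cp` without `-p` still carries the source file's permission bits (masked by umask), so the installed conf.d file could be executable or group-writable depending on how the source tree was checked out. Suggest `install -m644 $(CURDIR)/debian/99-mail-stack-delivery.conf $(CURDIR)/debian/mail-stack-delivery/etc/dovecot/conf.d/` for consistency with the surrounding rules.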
  8. Download patch debian/patches/CVE-2017-15130/0004-lib-master-Support-validating-config-filters-against.patch
  9. Download patch debian/patches/CVE-2017-14461/0005-lib-mail-Add-rfc822_parser_deinit.patch

    --- 1:2.2.33.2-1/debian/patches/CVE-2017-14461/0005-lib-mail-Add-rfc822_parser_deinit.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/CVE-2017-14461/0005-lib-mail-Add-rfc822_parser_deinit.patch 2018-02-26 17:31:05.000000000 +0000 @@ -0,0 +1,33 @@ +From f5cd17a27f0b666567747f8c921ebe1026970f11 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@dovecot.fi> +Date: Fri, 22 Dec 2017 18:56:53 +0200 +Subject: [PATCH 5/7] lib-mail: Add rfc822_parser_deinit() + +It's not a strict requirement to call this, but it assert-crashes if the +state isn't valid. +--- + src/lib-mail/rfc822-parser.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/lib-mail/rfc822-parser.h b/src/lib-mail/rfc822-parser.h +index 87e9aa2..466a68a 100644 +--- a/src/lib-mail/rfc822-parser.h ++++ b/src/lib-mail/rfc822-parser.h +@@ -16,6 +16,14 @@ extern unsigned char rfc822_atext_chars[256]; + void rfc822_parser_init(struct rfc822_parser_context *ctx, + const unsigned char *data, size_t size, + string_t *last_comment) ATTR_NULL(4); ++static inline void rfc822_parser_deinit(struct rfc822_parser_context *ctx) ++{ ++ /* make sure the parsing didn't trigger a bug that caused reading ++ past the end pointer. */ ++ i_assert(ctx->data <= ctx->end); ++ /* make sure the parser is no longer accessed */ ++ ctx->data = ctx->end = NULL; ++} + + /* The functions below return 1 = more data available, 0 = no more data + available (but a value might have been returned now), -1 = invalid input. +-- +2.1.4 +
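Review bot: rfc822_parser_deinit() turns a silent over-read into an i_assert abort, which is the right fail-closed behaviour for a parser fed untrusted header data, but because it is a static inline added to the header and, per the commit message, not a strict requirement to call, it only catches bugs at call sites that are updated to use it; the rest of the series should be checked for covering every rfc822_parser_init() caller in lib-mail. Nulling ctx->data and ctx->end afterwards is good: a use after deinit then faults immediately rather than reading with stale bounds.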
  10. Download patch debian/patches/CVE-2017-15130/0005-login-common-Enable-config-filtering-by-local-name.patch

    --- 1:2.2.33.2-1/debian/patches/CVE-2017-15130/0005-login-common-Enable-config-filtering-by-local-name.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/CVE-2017-15130/0005-login-common-Enable-config-filtering-by-local-name.patch 2018-02-26 17:33:27.000000000 +0000 @@ -0,0 +1,29 @@ +From bc27538d084e01a7a1aca3330e27aebfc0e311eb Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@dovecot.fi> +Date: Thu, 30 Nov 2017 20:52:11 +0200 +Subject: [PATCH 5/6] login-common: Enable config filtering by local name + +Prevents servername misuse. +--- + src/login-common/login-settings.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: dovecot-2.2.33.2/src/login-common/login-settings.c +=================================================================== +--- dovecot-2.2.33.2.orig/src/login-common/login-settings.c 2018-02-26 12:33:24.563777040 -0500 ++++ dovecot-2.2.33.2/src/login-common/login-settings.c 2018-02-26 12:33:24.563777040 -0500 +@@ -183,6 +183,14 @@ login_settings_read(pool_t pool, + set_cache = master_service_settings_cache_init(master_service, + input.module, + input.service); ++ /* lookup filters ++ ++ this is only enabled if service_count > 1 because otherwise ++ login process will process only one request and this is only ++ useful when more than one request is processed. ++ */ ++ if (master_service_get_service_count(master_service) > 1) ++ master_service_settings_cache_init_filter(set_cache); + } + + if (master_service_settings_cache_read(set_cache, &input, NULL,
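Review bot: master_service_settings_cache_init_filter() is only called when master_service_get_service_count(master_service) > 1, so a login service running with service_count = 1 keeps the old lookup path; the comment explains the reasoning, but it leaves the CVE-2017-15130 fix with two code paths, and the autopkgtests should exercise both settings. Style: this patch uses `Index:`/`===` quilt-style headers while the rest of the series uses `diff --git`, and the multi-line comment leaves an empty `++` line after `/* lookup filters`, which the surrounding code does not do.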
  11. Download patch debian/dovecot-core.maintscript

    --- 1:2.2.33.2-1/debian/dovecot-core.maintscript 2017-10-13 13:02:58.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/dovecot-core.maintscript 2017-08-16 14:50:29.000000000 +0000 @@ -1 +1,2 @@ rm_conffile /etc/dovecot/README 1:2.2.27-3~ +rm_conffile /etc/init/dovecot.conf 1:2.2.22-1ubuntu4
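Review bot: if 1:2.2.33.2-1ubuntu4 is not the version being targeted and 1:2.2.22-1ubuntu4 is the first version that stopped shipping /etc/init/dovecot.conf, the prior-version argument should be `1:2.2.22-1ubuntu4~`, as the Debian line above does with `1:2.2.27-3~`, so that upgrades from every earlier version, including local rebuilds of the one that last shipped the conffile, trigger the removal; without the tilde, dpkg-maintscript-helper only acts when the old version compares less than or equal to exactly 1:2.2.22-1ubuntu4.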
  12. Download patch debian/patches/CVE-2017-14461/0001-lib-mail-rfc822-parser-Add-asserts-to-make-sure-pars.patch

    --- 1:2.2.33.2-1/debian/patches/CVE-2017-14461/0001-lib-mail-rfc822-parser-Add-asserts-to-make-sure-pars.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/CVE-2017-14461/0001-lib-mail-rfc822-parser-Add-asserts-to-make-sure-pars.patch 2018-02-26 17:30:38.000000000 +0000 @@ -0,0 +1,41 @@ +From 30dc856f7b97b75b0e0d69f5003d5d99a13249b4 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@dovecot.fi> +Date: Fri, 22 Dec 2017 18:31:52 +0200 +Subject: [PATCH 1/7] lib-mail: rfc822-parser - Add asserts to make sure parser + state is correct + +--- + src/lib-mail/rfc822-parser.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/lib-mail/rfc822-parser.c b/src/lib-mail/rfc822-parser.c +index 6dd2254..edb07f5 100644 +--- a/src/lib-mail/rfc822-parser.c ++++ b/src/lib-mail/rfc822-parser.c +@@ -211,6 +211,7 @@ int rfc822_parse_quoted_string(struct rfc822_parser_context *ctx, string_t *str) + const unsigned char *start; + size_t len; + ++ i_assert(ctx->data < ctx->end); + i_assert(*ctx->data == '"'); + ctx->data++; + +@@ -313,6 +314,7 @@ rfc822_parse_domain_literal(struct rfc822_parser_context *ctx, string_t *str) + %d94-126 ; characters not including "[", + ; "]", or "\" + */ ++ i_assert(ctx->data < ctx->end); + i_assert(*ctx->data == '['); + + for (start = ctx->data; ctx->data != ctx->end; ctx->data++) { +@@ -338,6 +340,7 @@ int rfc822_parse_domain(struct rfc822_parser_context *ctx, string_t *str) + domain-literal = [CFWS] "[" *([FWS] dcontent) [FWS] "]" [CFWS] + obs-domain = atom *("." atom) + */ ++ i_assert(ctx->data < ctx->end); + i_assert(*ctx->data == '@'); + ctx->data++; + +-- +2.1.4 +
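Review bot: each of the three new `i_assert(ctx->data < ctx->end)` lines sits immediately before the existing dereference `*ctx->data`, so a caller that hands the parser an exhausted buffer now fails with an assertion instead of reading one byte past the end; that is the minimal hardening. For anyone backporting: i_assert aborts the process, so this commit on its own trades a one-byte over-read for a worker crash until the later parsing fixes in the series remove the triggering conditions, and it should be applied together with them rather than alone.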
  13. Download patch debian/control

    --- 1:2.2.33.2-1/debian/control 2017-10-13 13:27:58.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/control 2017-08-16 14:50:29.000000000 +0000 @@ -1,7 +1,8 @@ Source: dovecot Section: mail Priority: optional -Maintainer: Dovecot Maintainers <jaldhar-dovecot@debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Dovecot Maintainers <jaldhar-dovecot@debian.org> Uploaders: Jaldhar H. Vyas <jaldhar@debian.org>, Jelmer Vernooij <jelmer@debian.org>, Apollon Oikonomopoulos <apoikos@debian.org> @@ -11,7 +12,6 @@ Build-Depends: debhelper (>= 10), dpkg-dev (>= 1.16.1), krb5-multidev, libbz2-dev, - libclucene-dev (>= 2.3), libcurl4-gnutls-dev, libdb-dev, libexpat-dev, @@ -24,7 +24,6 @@ Build-Depends: debhelper (>= 10), libsasl2-dev, libsqlite3-dev, libssl-dev, - libstemmer-dev, libwrap0-dev, lsb-release, pkg-config, @@ -48,7 +47,6 @@ Suggests: dovecot-gssapi, dovecot-imapd, dovecot-ldap, dovecot-lmtpd, - dovecot-lucene, dovecot-managesieved, dovecot-mysql, dovecot-pgsql, @@ -58,8 +56,10 @@ Suggests: dovecot-gssapi, dovecot-sqlite, ntp Provides: dovecot-abi-${dovecot:ABI-Version}, dovecot-common -Replaces: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4) -Breaks: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4) +Replaces: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4), + dovecot-lucene (<<1:2.2.24~) +Breaks: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4), + dovecot-lucene (<<1:2.2.24~) Description: secure POP3/IMAP server - core files Dovecot is a mail server whose major goals are security and extreme reliability. It tries very hard to handle all error conditions and verify 
@@ -247,14 +247,18 @@ Description: secure POP3/IMAP server - S . This package provides Solr full text search support for Dovecot. -Package: dovecot-lucene -Architecture: any -Depends: dovecot-core (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} -Description: secure POP3/IMAP server - Lucene support - Dovecot is a mail server whose major goals are security and extreme - reliability. It tries very hard to handle all error conditions and verify - that all data is valid, making it nearly impossible to crash. It supports - mbox/Maildir and its own dbox/mdbox formats, and should also be pretty - fast, extensible, and portable. +Package: mail-stack-delivery +Architecture: all +Pre-Depends: dovecot-core (>= ${source:Version}) +Depends: dovecot-imapd, dovecot-pop3d, dovecot-managesieved, + postfix, ${misc:Depends} +Replaces: dovecot-postfix (<< 1:1.2.12-0ubuntu1~) +Description: mail server delivery agent stack provided by Ubuntu server team + Ubuntu's mail stack provides fully operational delivery with + safe defaults and additional options. Out of the box it supports IMAP, + POP3 and SMTP services with SASL authentication and Maildir as default + storage engine. + . + This package contains configuration files for dovecot. . - This package provides Lucene full text search support for Dovecot. + This package modifies postfix's configuration to integrate with dovecot
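Review bot: mail-stack-delivery declares `Replaces: dovecot-postfix (<< 1:1.2.12-0ubuntu1~)` without a matching `Breaks`; Policy asks for Breaks alongside Replaces when one package takes over files from another, otherwise dpkg may leave both installed with the old one partially overwritten. The `Pre-Depends: dovecot-core (>= ${source:Version})` is justified by the changelog (the postinst queries ucf about 10-ssl.conf, which dovecot-core must have configured first), but Pre-Depends should carry a comment in debian/control stating that reason. Minor: the final Description line `This package modifies postfix's configuration to integrate with dovecot` is missing its full stop.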
  14. Download patch debian/patches/CVE-2017-15130/0002-config-Add-config_filter_get_all.patch

    --- 1:2.2.33.2-1/debian/patches/CVE-2017-15130/0002-config-Add-config_filter_get_all.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/CVE-2017-15130/0002-config-Add-config_filter_get_all.patch 2018-02-26 17:32:37.000000000 +0000 
@@ -0,0 +1,54 @@ +From f3504763c27c2661716c0d1dbd3e0fc662107a21 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@dovecot.fi> +Date: Thu, 30 Nov 2017 15:46:40 +0200 +Subject: [PATCH 2/6] config: Add config_filter_get_all + +Returns all filters +--- + src/config/config-filter.c | 15 +++++++++++++++ + src/config/config-filter.h | 3 +++ + 2 files changed, 18 insertions(+) + +diff --git a/src/config/config-filter.c b/src/config/config-filter.c +index 78d65e8..2805e9d 100644 +--- a/src/config/config-filter.c ++++ b/src/config/config-filter.c +@@ -252,6 +252,21 @@ config_filter_find_all(struct config_filter_context *ctx, pool_t pool, + } + + struct config_filter_parser *const * ++config_filter_get_all(struct config_filter_context *ctx) ++{ ++ ARRAY_TYPE(config_filter_parsers) filters; ++ unsigned int i; ++ ++ t_array_init(&filters, 8); ++ for (i = 0; ctx->parsers[i] != NULL; i++) { ++ array_append(&filters, &ctx->parsers[i], 1); ++ } ++ array_sort(&filters, config_filter_parser_cmp_rev); ++ array_append_zero(&filters); ++ return array_idx(&filters, 0); ++} ++ ++struct config_filter_parser *const * + config_filter_find_subset(struct config_filter_context *ctx, + const struct config_filter *filter) + { +diff --git a/src/config/config-filter.h b/src/config/config-filter.h +index 7e45fc1..fda3182 100644 +--- a/src/config/config-filter.h ++++ b/src/config/config-filter.h +@@ -45,6 +45,9 @@ struct config_filter_parser *const * + config_filter_find_subset(struct config_filter_context *ctx, + const struct config_filter *filter); + ++struct config_filter_parser *const * ++config_filter_get_all(struct config_filter_context *ctx); ++ + /* Returns TRUE if filter matches mask. */ + bool config_filter_match(const struct config_filter *mask, + const struct config_filter *filter); +-- +2.1.4 +
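Review bot: `config_filter_get_all()` builds its result with `t_array_init()` and returns `array_idx(&filters, 0)`, so the returned array lives on the data stack and is only valid until the caller's data-stack frame is popped; unlike the neighbouring `config_filter_find_all(ctx, pool, ...)` there is no pool argument making that lifetime visible. Add a comment on the new declaration in config-filter.h (the commit body says only "Returns all filters") stating that the result is data-stack allocated and NULL-terminated, so callers such as the FILTERS request handler later in this set do not keep it across a T_BEGIN/T_END boundary.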
  15. Download patch debian/mail-stack-delivery.dirs

    --- 1:2.2.33.2-1/debian/mail-stack-delivery.dirs 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/mail-stack-delivery.dirs 2017-08-16 14:50:29.000000000 +0000 @@ -0,0 +1,2 @@ +var/backups +var/backups/mail-stack-delivery
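Review bot: `var/backups` in mail-stack-delivery.dirs is redundant and claims a directory that base-files already ships; dh_installdirs creates parents as needed, so keep only `var/backups/mail-stack-delivery`. Since the postrm in this same listing writes the Postfix main.cf backup there and deletes only the file (on remove), also drop the directory on purge so nothing is left behind.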
  16. Download patch debian/99-mail-stack-delivery.conf

    --- 1:2.2.33.2-1/debian/99-mail-stack-delivery.conf 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/99-mail-stack-delivery.conf 2017-08-16 14:50:29.000000000 +0000 
@@ -0,0 +1,68 @@ +# Some general options +# Installed protocols are now auto-included by /etc/dovecot/dovecot.conf +# Since mail-stack-delivery depends on them it is more flexible to not +# explicitly list them here, but achieves the same. +# protocols = imap pop3 sieve + +disable_plaintext_auth = yes + +# Since 18.04 basic SSL enablement is set up by dovecot-core and configured +# in /etc/dovecot/conf.d/10-ssl.conf. +# So by default basic enablement is no more done here. The old section is kept +# as comment for reference to the old defaults. +# +# ssl = yes +# ssl_cert = </etc/dovecot/dovecot.pem +# ssl_key = </etc/dovecot/private/dovecot.pem +# +# If you keep a formerly used custom SSL enablement in this file it will (as +# before) continue to overwrite the new defaults in 10-ssl.conf as this file is +# sorted later being 99-*.conf +# +# If you choose to take the new defaults (no ssl config in this file) please +# make sure you have also chosen the package defaults for 10-ssl.conf (to enable +# it there) when dovecot-core configures. Also check that the links for cert/key +# set up there got created correctly (they would not be created if they conflict with your +# old keys done by mail-stack-delivery). 
+# +mail_location = maildir:~/Maildir +auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ + +# IMAP configuration +protocol imap { + mail_max_userip_connections = 10 + imap_client_workarounds = delay-newmail +} + +# POP3 configuration +protocol pop3 { + mail_max_userip_connections = 10 + pop3_client_workarounds = outlook-no-nuls oe-ns-eoh +} + +# LDA configuration +protocol lda { + postmaster_address = postmaster + mail_plugins = sieve + quota_full_tempfail = yes + deliver_log_format = msgid=%m: %$ + rejection_reason = Your message to <%t> was automatically rejected:%n%r +} + +# Plugins configuration +plugin { + sieve=~/.dovecot.sieve + sieve_dir=~/sieve +} + +# Authentication configuration +auth_mechanisms = plain login + +service auth { + # Postfix smtp-auth + unix_listener /var/spool/postfix/private/dovecot-auth { + mode = 0660 + user = postfix + group = postfix + } +}
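Review bot: `auth_username_chars` in the new 99-mail-stack-delivery.conf lists the digit 0 twice (`01234567890`); harmless, but it reads as a typo for `0123456789` and the duplicate should be removed.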
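Review bot: with the `ssl = yes` / `ssl_cert` / `ssl_key` lines now commented out, this file keeps `disable_plaintext_auth = yes` and `auth_mechanisms = plain login` while delegating TLS entirely to dovecot-core's 10-ssl.conf; if 10-ssl.conf ends up with `ssl = no` (the comment block itself warns that the cert/key links are skipped when they conflict with keys previously created by mail-stack-delivery), PLAIN/LOGIN authentication over the network is refused and every remote IMAP/POP3 login fails outright. State that failure mode explicitly in the comment, and have the postinst verify the effective `ssl` value (for example with doveconf) instead of leaving it to the admin to notice.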
  17. Download patch debian/patches/CVE-2017-15132-additional.patch

    --- 1:2.2.33.2-1/debian/patches/CVE-2017-15132-additional.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/CVE-2017-15132-additional.patch 2018-02-23 14:48:23.000000000 +0000 
@@ -0,0 +1,57 @@ +From a9b135760aea6d1790d447d351c56b78889dac22 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@dovecot.fi> +Date: Fri, 26 Jan 2018 10:55:54 +0200 +Subject: [PATCH] lib-auth: Remove request after abort + +Otherwise the request will still stay in hash table +and get dereferenced when all requests are aborted +causing an attempt to access free'd memory. + +Found by Apollon Oikonomopoulos <apoikos@debian.org> + +Broken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060 +--- + src/lib-auth/auth-client-request.c | 2 ++ + src/lib-auth/auth-server-connection.c | 7 +++++++ + src/lib-auth/auth-server-connection.h | 2 ++ + 3 files changed, 11 insertions(+) + +Index: dovecot-2.2.33.2/src/lib-auth/auth-client-request.c +=================================================================== +--- dovecot-2.2.33.2.orig/src/lib-auth/auth-client-request.c ++++ dovecot-2.2.33.2/src/lib-auth/auth-client-request.c +@@ -180,6 +180,8 @@ void auth_client_request_abort(struct au + + auth_client_send_cancel(request->conn->client, request->id); + call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL); ++ /* remove the request */ ++ auth_server_connection_remove_request(request->conn, request->id); + pool_unref(&request->pool); + } + +Index: dovecot-2.2.33.2/src/lib-auth/auth-server-connection.c +=================================================================== +--- dovecot-2.2.33.2.orig/src/lib-auth/auth-server-connection.c ++++ dovecot-2.2.33.2/src/lib-auth/auth-server-connection.c +@@ -481,3 +481,10 @@ auth_server_connection_add_request(struc + hash_table_insert(conn->requests, POINTER_CAST(id), request); + return id; + } ++ ++void auth_server_connection_remove_request(struct auth_server_connection *conn, ++ unsigned int id) ++{ ++ i_assert(conn->handshake_received); ++ hash_table_remove(conn->requests, POINTER_CAST(id)); ++} +Index: dovecot-2.2.33.2/src/lib-auth/auth-server-connection.h +=================================================================== +--- 
dovecot-2.2.33.2.orig/src/lib-auth/auth-server-connection.h ++++ dovecot-2.2.33.2/src/lib-auth/auth-server-connection.h +@@ -38,4 +38,6 @@ void auth_server_connection_disconnect(s + unsigned int + auth_server_connection_add_request(struct auth_server_connection *conn, + struct auth_client_request *request); ++void auth_server_connection_remove_request(struct auth_server_connection *conn, ++ unsigned int id); + #endif
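Review bot: in `auth_client_request_abort()` the request is removed from `conn->requests` only after `call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL)` has run; if that callback re-enters the abort-all path the commit message describes, the request is still in the hash table and the sequence is exactly what this patch is meant to prevent. Move `auth_server_connection_remove_request(request->conn, request->id)` ahead of the callback, right after `auth_client_send_cancel()`. Also, `i_assert(conn->handshake_received)` in the new remover will abort the process if an abort ever happens on a connection that has not completed its handshake, so that precondition belongs in a comment next to the prototype added to auth-server-connection.h.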
  18. Download patch debian/patches/CVE-2017-14461/0004-lib-mail-Make-sure-parsers-don-t-accidentally-go-muc.patch
  19. Download patch debian/patches/CVE-2017-14461/0003-lib-mail-Fix-out-of-bounds-read-when-parsing-an-inva.patch

    --- 1:2.2.33.2-1/debian/patches/CVE-2017-14461/0003-lib-mail-Fix-out-of-bounds-read-when-parsing-an-inva.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/CVE-2017-14461/0003-lib-mail-Fix-out-of-bounds-read-when-parsing-an-inva.patch 2018-02-26 17:30:50.000000000 +0000 
@@ -0,0 +1,55 @@ +From b72d864b8c34cb21076214c0b28101baec530141 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@dovecot.fi> +Date: Fri, 22 Dec 2017 18:36:55 +0200 +Subject: [PATCH 3/7] lib-mail: Fix out-of-bounds read when parsing an invalid + email address + +The included unit test doesn't fail, but running it with valgrind shows +"Invalid read of size 1" error. + +Broken in d6737a17a27402e7a262f7ba8a2ed588d576f23c + +Discovered by Aleksandar Nikolic of Cisco Talos +--- + src/lib-mail/message-address.c | 3 ++- + src/lib-mail/test-message-address.c | 10 ++++++++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c +index beb81ee..787a26e 100644 +--- a/src/lib-mail/message-address.c ++++ b/src/lib-mail/message-address.c +@@ -221,7 +221,8 @@ static int parse_addr_spec(struct message_address_parser_context *ctx) + /* end of input or parsing local-part failed */ + ctx->addr.invalid_syntax = TRUE; + } +- if (ret != 0 && *ctx->parser.data == '@') { ++ if (ret != 0 && ctx->parser.data != ctx->parser.end && ++ *ctx->parser.data == '@') { + ret2 = parse_domain(ctx); + if (ret2 <= 0) + ret = ret2; +diff --git a/src/lib-mail/test-message-address.c b/src/lib-mail/test-message-address.c +index f6a8766..c963aa6 100644 +--- a/src/lib-mail/test-message-address.c ++++ b/src/lib-mail/test-message-address.c +@@ -198,6 +198,16 @@ static void test_message_address(void) + { "<@>", "", "<INVALID_ROUTE:MISSING_MAILBOX@MISSING_DOMAIN>", + { NULL, NULL, NULL, "", "", TRUE }, + { NULL, NULL, "INVALID_ROUTE", "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE }, 0 }, ++ ++ /* Test against a out-of-bounds read bug - keep these two tests ++ together in this same order: */ ++ { "aaaa@", "<aaaa>", "<aaaa@MISSING_DOMAIN>", ++ { NULL, NULL, NULL, "aaaa", "", TRUE }, ++ { NULL, NULL, NULL, "aaaa", "MISSING_DOMAIN", TRUE }, 0 }, ++ { "a(aa", "", "<MISSING_MAILBOX@MISSING_DOMAIN>", ++ { NULL, NULL, NULL, "", "", TRUE 
}, ++ { NULL, NULL, NULL, "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE }, ++ TEST_MESSAGE_ADDRESS_FLAG_SKIP_LIST }, + }; + static struct message_address group_prefix = { + NULL, NULL, NULL, "group", NULL, FALSE +-- +2.1.4 +
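Review bot: the added `ctx->parser.data != ctx->parser.end &&` guard in `parse_addr_spec()` is the right fix, but the test comment "keep these two tests together in this same order" makes the regression test depend on heap layout, and the commit message concedes the failure only shows up under valgrind. Consider an explicit bounds assert at the read site, in the spirit of the 0001-lib-mail-rfc822-parser-Add-asserts patch earlier in this series, so the out-of-bounds read is caught deterministically rather than by sanitizer luck; and while the test file is being touched, correct the comment wording to "an out-of-bounds read bug".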
  20. Download patch debian/patches/CVE-2017-14461/0002-lib-mail-test-message-address-Add-TEST_MESSAGE_ADDRE.patch
  21. Download patch debian/mail-stack-delivery.preinst

    --- 1:2.2.33.2-1/debian/mail-stack-delivery.preinst 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/mail-stack-delivery.preinst 2017-08-16 14:50:29.000000000 +0000 
@@ -0,0 +1,73 @@ +#!/bin/sh + +set -e + +# Prepare to move a conffile without triggering a dpkg question +prep_mv_conffile() { + PKGNAME="$1" + CONFFILE="$2" + if [ -e "$CONFFILE" ]; then + md5sum="`md5sum \"$CONFFILE\" | sed -e \"s/ .*//\"`" + old_md5sum="`dpkg-query -W -f='${Conffiles}' $PKGNAME | sed -n -e \"\\\\' $CONFFILE'{s/ obsolete$//;s/.* //p}\"`" + if [ "$md5sum" = "$old_md5sum" ]; then + rm -f "$CONFFILE" + else + if [ -e "$CONFFILE" ]; then + if [ "$CONFFILE" = "/etc/dovecot/conf.d/01-dovecot-postfix.conf" ]; then + mv -f "$CONFFILE" "/etc/dovecot/conf.d/01-mail-stack-delivery.conf" + fi + if [ "$CONFFILE" = "/etc/dovecot/auth.d/01-dovecot-postfix.auth" ]; then + mv -f "$CONFFILE" "/etc/dovecot/auth.d/01-mail-stack-delivery.auth" + fi + fi + fi + fi +} +case "$1" in +install|upgrade) + # Check if mail-stack-delivery.conf had any customizations + if [ -f "/usr/share/dovecot/mail-stack-delivery.conf" ]; then + if [ -f "/etc/dovecot/mail-stack-delivery.conf" ]; then + mv /etc/dovecot/mail-stack-delivery.conf /etc/dovecot/mail-stack-delivery.conf.bak + DIR=`mktemp -d` + egrep -v ^protocol /etc/dovecot/mail-stack-delivery.conf.bak > $DIR/mail-stack-delivery-custom.conf + egrep -v ^protocol /usr/share/dovecot/mail-stack-delivery.conf > $DIR/mail-stack-delivery.conf + if diff -qur $DIR/mail-stack-delivery-dist.conf $DIR/mail-stack-delivery-custom.conf 1>/dev/null 2>&1; then + rm -f /etc/dovecot/mail-stack-delivery.conf.bak + else + awk ' /^auth default/ {flag=1;next} /^}/{flag=0} flag { print }' /etc/dovecot/mail-stack-delivery.conf.bak > /etc/dovecot/auth.d/01-mail-stack-delivery.auth + awk ' /^## Dovecot conf/{flag=1} /^auth default/{flag=0} flag { print }' /etc/dovecot/mail-stack-delivery.conf.bak > /etc/dovecot/conf.d/01-mail-stack-delivery.conf + awk ' /^# If you wish to use another authentication server than dovecot-auth/{flag=1} flag { print }' /etc/dovecot/mail-stack-delivery.conf.bak >> /etc/dovecot/conf.d/01-mail-stack-delivery.conf + fi + rm -rf 
$DIR + fi + fi + + # If we had the default 99-mail-stack-delivery.conf save it as it is + # potentially needed in postinst for a special case of the ssl transition + # from mail-stack-delivery to dovecot-core + if [ "$1" = "upgrade" ]; then + msdconf="/etc/dovecot/conf.d/99-mail-stack-delivery.conf" + oldsumdpkg=$(dpkg-query -W -f='${Conffiles}' mail-stack-delivery | \ + sed -n -e "\' $msdconf ' { s/ obsolete$//; s/.* //; p }") + oldsumfile=$(md5sum "$msdconf" | cut -d' ' -f 1) + if [ "$oldsumdpkg" = "$oldsumfile" ]; then + # the existance of the unmodified file is the marker for postinst + # to retain it if 10-ssl.conf is not on the new default + cp -f "$msdconf" "$msdconf.olddefault" + fi + fi + ;; + + abort-upgrade) + # remove unconditionally on abort + rm -f /etc/dovecot/conf.d/99-mail-stack-delivery.conf.olddefault + ;; + + *) + echo "preinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER#
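Review bot: the customization check in the `install|upgrade` branch can never succeed: the script writes the stripped packaged copy to `$DIR/mail-stack-delivery.conf` but then runs `diff -qur $DIR/mail-stack-delivery-dist.conf $DIR/mail-stack-delivery-custom.conf`, comparing against a file that was never created. diff exits non-zero, the `else` branch always runs, and the three awk passes regenerate 01-mail-stack-delivery.auth and 01-mail-stack-delivery.conf even for an unmodified config. Rename the redirect target to `$DIR/mail-stack-delivery-dist.conf`. While there, quote `$DIR` in the redirects and in `rm -rf $DIR`, and either call or delete `prep_mv_conffile()`, which is defined but never invoked.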
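Review bot: in the `upgrade` branch, `oldsumfile=$(md5sum "$msdconf" | cut -d' ' -f 1)` runs unconditionally; when the admin has deleted /etc/dovecot/conf.d/99-mail-stack-delivery.conf (a normal way to opt out of a conffile) md5sum prints an error to stderr, the pipeline's status is cut's, and the comparison only works because `$oldsumfile` happens to be empty. Make the intent explicit with `if [ -f "$msdconf" ]` around the checksum block so the missing-file case is handled on purpose rather than by accident, and use `grep -E` rather than `egrep` in the branch above it.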
  22. Download patch debian/tests/testlib.py

    --- 1:2.2.33.2-1/debian/tests/testlib.py 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/tests/testlib.py 2017-08-16 14:50:29.000000000 +0000 
@@ -0,0 +1,89 @@ +'''Common classes and functions for package tests.''' + +import string, random, crypt, subprocess, pwd, signal, time + +class TimedOutException(Exception): + def __init__(self, value = "Timed Out"): + self.value = value + def __str__(self): + return repr(self.value) + +def timeout(secs, f, *args): + def handler(signum, frame): + raise TimedOutException() + + old = signal.signal(signal.SIGALRM, handler) + result = None + signal.alarm(secs) + try: + result = f(*args) + finally: + signal.alarm(0) + signal.signal(signal.SIGALRM, old) + + return result + +def random_string(length): + '''Return a random string, consisting of ASCII letters, with given + length.''' + + s = '' + maxind = len(string.ascii_letters)-1 + for l in range(length): + s += string.ascii_letters[random.randint(0, maxind)] + return s.lower() + +def login_exists(login): + '''Checks whether the given login exists on the system.''' + + try: + pwd.getpwnam(login) + return True + except KeyError: + return False + +class TestUser: + '''Create a temporary test user and remove it again on close.''' + + def __init__(self, login=None, home=True): + '''Create a new user account with a random password. + + By default, the login name is random, too, but can be explicitly + specified with 'login'. 
By default, a home directory is created, this + can be suppressed with 'home=False'.''' + + self.login = None + + if login: + if login_exists(login): + raise ValueError('login name already exists') + else: + while(True): + login = random_string(8) + if not login_exists(login): + break + + self.salt = random_string(2) + self.password = random_string(8) + self.crypted = crypt.crypt(self.password, self.salt) + + if home: + subprocess.check_call(['useradd', '-p', self.crypted, '-m', login]) + else: + subprocess.check_call(['useradd', '-p', self.crypted, login]) + + self.login = login + p = pwd.getpwnam(self.login) + self.uid = p[2] + self.gid = p[3] + + def __del__(self): + '''Remove the created user account.''' + + if self.login: + self.close() + + def close(self): + '''Remove the created user account.''' + subprocess.check_call(['userdel', '-r', self.login]) + self.login = None
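Review bot: `TestUser.__init__` hashes the generated password with `crypt.crypt(self.password, self.salt)` using a two-character salt, which selects the legacy DES-based crypt (8-character truncation, no iteration), and both `random_string()` and the salt draw from `random.randint`, which is not a cryptographic generator; even for a throwaway account this is created on the real system via `useradd -p`, so use `crypt.mksalt(crypt.METHOD_SHA512)` for the salt (Python 3) and `random.SystemRandom()` for the password characters. Relying on `__del__` to run `userdel -r` is also fragile: it may run during interpreter shutdown when `subprocess` is partly torn down, or never if the object is leaked. Give `TestUser` `__enter__`/`__exit__` so tests can write `with TestUser() as u:` and always clean up.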
  23. Download patch debian/patches/series

    --- 1:2.2.33.2-1/debian/patches/series 2017-10-13 13:02:58.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/series 2018-02-26 17:34:13.000000000 +0000 @@ -10,3 +10,18 @@ dovecot_name.patch libnss_location.patch systemd-service-fixes.patch handle-sslv23-gracefully.patch +CVE-2017-15132.patch +CVE-2017-15132-additional.patch +CVE-2017-14461/0001-lib-mail-rfc822-parser-Add-asserts-to-make-sure-pars.patch +CVE-2017-14461/0002-lib-mail-test-message-address-Add-TEST_MESSAGE_ADDRE.patch +CVE-2017-14461/0003-lib-mail-Fix-out-of-bounds-read-when-parsing-an-inva.patch +CVE-2017-14461/0004-lib-mail-Make-sure-parsers-don-t-accidentally-go-muc.patch +CVE-2017-14461/0005-lib-mail-Add-rfc822_parser_deinit.patch +CVE-2017-14461/0006-lib-mail-Refactor-code-to-make-the-next-commit-small.patch +CVE-2017-14461/0007-global-Call-rfc822_parser_deinit-wherever-possible.patch +CVE-2017-15130/0001-lib-dns-Move-before-lib-master.patch +CVE-2017-15130/0002-config-Add-config_filter_get_all.patch +CVE-2017-15130/0003-config-Add-command-to-request-all-filters.patch +CVE-2017-15130/0004-lib-master-Support-validating-config-filters-against.patch +CVE-2017-15130/0005-login-common-Enable-config-filtering-by-local-name.patch +CVE-2017-15130/0006-lib-master-Fix-dns_match_wildcard-result-value-check.patch
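Review bot: the two CVE-2017-15132 entries must stay in this order, since `CVE-2017-15132-additional.patch` edits the `pool_unref(&request->pool);` line that `CVE-2017-15132.patch` introduces (its hunk context `@@ -180,6 +180,8 @@` is against the already-patched function), and the CVE-2017-15130 set likewise relies on 0006 being applied after the earlier parts it corrects; quilt series files accept `#` comment lines, so add one above each group stating the dependency so a future refresh does not reorder them.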
  24. Download patch debian/patches/CVE-2017-15130/0001-lib-dns-Move-before-lib-master.patch

    --- 1:2.2.33.2-1/debian/patches/CVE-2017-15130/0001-lib-dns-Move-before-lib-master.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/CVE-2017-15130/0001-lib-dns-Move-before-lib-master.patch 2018-02-26 17:32:31.000000000 +0000 @@ -0,0 +1,29 @@ +From 22311315b9f780211329c1522eb5aaa4faaa9391 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@dovecot.fi> +Date: Mon, 19 Feb 2018 14:19:08 +0200 +Subject: [PATCH 1/6] lib-dns: Move before lib-master + +--- + src/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index e1e40e1..c1f87ee 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -7,11 +7,11 @@ LIBDOVECOT_SUBDIRS = \ + lib \ + lib-settings \ + lib-auth \ ++ lib-dns \ + lib-master \ + lib-charset \ + lib-ssl-iostream \ + lib-dcrypt \ +- lib-dns \ + lib-dict \ + lib-sasl \ + lib-stats \ +-- +2.1.4 +
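Review bot: the commit message for this Makefile.am reorder gives no reason; the reason visible elsewhere in the set is that lib-master starts calling `dns_match_wildcard()` (see the master-service-settings-cache.c hunk in 0006), so lib-dns must now be built before lib-master. Say so in the patch description so the ordering is not "tidied" back at the next refresh.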
  25. Download patch debian/patches/CVE-2017-15132.patch

    --- 1:2.2.33.2-1/debian/patches/CVE-2017-15132.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/CVE-2017-15132.patch 2018-02-23 14:48:23.000000000 +0000 @@ -0,0 +1,28 @@ +From 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@dovecot.fi> +Date: Mon, 18 Dec 2017 16:50:51 +0200 +Subject: [PATCH] lib-auth: Fix memory leak in auth_client_request_abort() + +This caused memory leaks when authentication was aborted. For example +with IMAP: + +a AUTHENTICATE PLAIN +* + +Broken by 9137c55411aa39d41c1e705ddc34d5bd26c65021 +--- + src/lib-auth/auth-client-request.c | 1 + + 1 file changed, 1 insertion(+) + +Index: dovecot-2.2.33.2/src/lib-auth/auth-client-request.c +=================================================================== +--- dovecot-2.2.33.2.orig/src/lib-auth/auth-client-request.c ++++ dovecot-2.2.33.2/src/lib-auth/auth-client-request.c +@@ -180,6 +180,7 @@ void auth_client_request_abort(struct au + + auth_client_send_cancel(request->conn->client, request->id); + call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL); ++ pool_unref(&request->pool); + } + + unsigned int auth_client_request_get_id(struct auth_client_request *request)
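Review bot: adding `pool_unref(&request->pool)` frees the request, but this patch does nothing about the entry that `auth_server_connection_add_request()` stored in `conn->requests`; on its own it turns the leak into a dangling hash-table entry that is dereferenced when all requests are aborted, which is the use-after-free that `CVE-2017-15132-additional.patch` later fixes by adding `auth_server_connection_remove_request()`. Treat the two as one change: never ship this patch without the second, and have the CVE-2017-15132 changelog entry say the follow-up is required rather than merely "additional".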
  26. Download patch debian/patches/CVE-2017-14461/0007-global-Call-rfc822_parser_deinit-wherever-possible.patch
  27. Download patch debian/patches/CVE-2017-15130/0006-lib-master-Fix-dns_match_wildcard-result-value-check.patch

    --- 1:2.2.33.2-1/debian/patches/CVE-2017-15130/0006-lib-master-Fix-dns_match_wildcard-result-value-check.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/CVE-2017-15130/0006-lib-master-Fix-dns_match_wildcard-result-value-check.patch 2018-02-26 17:33:31.000000000 +0000 @@ -0,0 +1,20 @@ +From 00016646cc32a3fa1cf54c22ed7388ed06bbc0f1 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@dovecot.fi> +Date: Mon, 26 Feb 2018 12:53:19 +0200 +Subject: [PATCH 6/6] lib-master: Fix dns_match_wildcard result value check + +It returns 0, not TRUE. + +diff --git a/src/lib-master/master-service-settings-cache.c b/src/lib-master/master-service-settings-cache.c +index 11e9204..471c6a1 100644 +--- a/src/lib-master/master-service-settings-cache.c ++++ b/src/lib-master/master-service-settings-cache.c +@@ -138,7 +138,7 @@ master_service_settings_cache_fix_input(struct master_service_settings_cache *ca + filter->remote_bits)) + found_rip = TRUE; + if (input->local_name != NULL && filter->local_name != NULL && +- dns_match_wildcard(input->local_name, filter->local_name)) ++ dns_match_wildcard(input->local_name, filter->local_name) == 0) + found_local_name = TRUE; + filter = filter->next; + };
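Review bot: the one-line change to `== 0` shows `dns_match_wildcard()` follows the strcmp convention (0 on match) while the surrounding code in `master_service_settings_cache_fix_input()` treats match results as booleans (`found_rip = TRUE` from the net-mask check just above); before this fix a non-matching `local_name` set `found_local_name = TRUE` and a matching one did not, so SNI-based filter selection was inverted. Document the return convention on the lib-dns prototype, or wrap it in a bool-returning helper, so the next caller does not repeat the mistake. This is also the only patch in the CVE-2017-15130 set without the `---`/diffstat block; regenerate it with git format-patch for consistency.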
  28. Download patch debian/mail-stack-delivery.postrm

    --- 1:2.2.33.2-1/debian/mail-stack-delivery.postrm 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/mail-stack-delivery.postrm 2017-08-16 14:50:29.000000000 +0000 @@ -0,0 +1,35 @@ +#!/bin/sh +set -e + +POSTFIX_BCKFILE="/var/backups/mail-stack-delivery/main.cf-backup" + +PATH=/usr/sbin:$PATH +export PATH + +if [ "$1" = "remove" -o "$1" = "purge" ]; then + # Restore postfix configuration + if [ "$1" = "remove" ]; then + if which postconf >/dev/null && [ -f "${POSTFIX_BCKFILE}" ]; then + while read line; do + postconf -e "$line" + done < "${POSTFIX_BCKFILE}" + rm -f "${POSTFIX_BCKFILE}" + fi + fi + if [ -x "/etc/init.d/dovecot" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d dovecot restart + else + service dovecot restart + fi + fi + if [ -x "/etc/init.d/postfix" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d postfix restart + else + service postfix restart + fi + fi +fi + +#DEBHELPER#
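Review bot: the restore loop `while read line; do postconf -e "$line"; done < "${POSTFIX_BCKFILE}"` uses `read` without `-r` and with the default IFS, so backslashes in main.cf values are consumed and leading/trailing whitespace is trimmed before the value is written back; use `while IFS= read -r line`. Replace `which postconf` with `command -v postconf` (the POSIX form, and what lintian expects in maintainer scripts), and since `set -e` is in force a single failing `postconf -e` aborts the removal halfway through the restore, so either tolerate the failure or restore from a validated file.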
  29. Download patch debian/patches/CVE-2017-15130/0003-config-Add-command-to-request-all-filters.patch

    --- 1:2.2.33.2-1/debian/patches/CVE-2017-15130/0003-config-Add-command-to-request-all-filters.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.33.2-1ubuntu4/debian/patches/CVE-2017-15130/0003-config-Add-command-to-request-all-filters.patch 2018-02-26 17:32:42.000000000 +0000 
@@ -0,0 +1,64 @@ +From 02da33a59fddd51cc3b8d95989de95574b7332f1 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@dovecot.fi> +Date: Thu, 30 Nov 2017 15:46:52 +0200 +Subject: [PATCH 3/6] config: Add command to request all filters + +--- + src/config/config-connection.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +diff --git a/src/config/config-connection.c b/src/config/config-connection.c +index e617229..2885e05 100644 +--- a/src/config/config-connection.c ++++ b/src/config/config-connection.c +@@ -150,6 +150,36 @@ static int config_connection_request(struct config_connection *conn, + return 0; + } + ++static int config_filters_request(struct config_connection *conn) ++{ ++ struct config_filter_parser *const *filters = config_filter_get_all(config_filter); ++ o_stream_cork(conn->output); ++ while(*filters != NULL) { ++ const struct config_filter *filter = &(*filters)->filter; ++ o_stream_nsend_str(conn->output, "FILTER"); ++ if (filter->service != NULL) ++ o_stream_nsend_str(conn->output, t_strdup_printf("\tservice=%s", ++ filter->service)); ++ if (filter->local_name != NULL) ++ o_stream_nsend_str(conn->output, t_strdup_printf("\tlocal-name=%s", ++ filter->local_name)); ++ if (filter->local_bits > 0) ++ o_stream_nsend_str(conn->output, t_strdup_printf("\tlocal-net=%s/%u", ++ net_ip2addr(&filter->local_net), ++ filter->local_bits)); ++ if (filter->remote_bits > 0) ++ o_stream_nsend_str(conn->output, t_strdup_printf("\tremote-net=%s/%u", ++ net_ip2addr(&filter->remote_net), ++ filter->remote_bits)); ++ o_stream_nsend_str(conn->output, "\n"); ++ filters++; ++ } ++ o_stream_nsend_str(conn->output, "\n"); ++ o_stream_uncork(conn->output); ++ return 0; ++} ++ ++ + static void config_connection_input(struct config_connection *conn) + { + const char *const *args, *line; +@@ -186,6 +216,10 @@ static void config_connection_input(struct config_connection *conn) + if (config_connection_request(conn, args + 1) < 0) + break; + } ++ if 
(strcmp(args[0], "FILTERS") == 0) { ++ if (config_filters_request(conn) < 0) ++ break; ++ } + } + } + +-- +2.1.4 +
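Review bot: `config_filters_request()` answers `FILTERS` with every configured filter (service, `local-name`, `local-net`, `remote-net`) to whatever can talk to the config socket, and the dispatcher in `config_connection_input()` adds it as a bare `if` after the existing request `if` rather than an `else if`, with no check visible that the connection is in the state where a request would be accepted; confirm the new command sits behind the same gate as the existing request path, and make it `else if` so one line is never treated as both. Inside the loop each `t_strdup_printf()` allocates on the data stack per filter with no `T_BEGIN`/`T_END` around the iteration; either wrap the loop body or format into one `string_t` and send it once. Finally, the function can only return 0, so the `< 0` check in the caller is dead: drop it, or return -1 when the output stream reports an error.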