From 9b1e025997bbd6397c80ff3b770045e4516ab3e8 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 29 Aug 2019 11:03:44 +0200 Subject: [PATCH 1/9] dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes --- dovecot.spec | 15 ++++++++++++--- sources | 4 ++-- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index f32232d..eba9723 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.6 +Version: 2.3.7.2 %global prever %{nil} -Release: 4%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.6 +%global pigeonholever 0.5.7.2 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -493,6 +493,15 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Aug 29 2019 Michal Hlavinka - 1:2.3.7.2-1 +- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 +- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte + when scanning data in quoted strings, leading to out of bounds heap + memory writes + +* Mon Aug 19 2019 Michal Hlavinka - 1:1-2.3.7.1 +- dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 + * Wed Jul 24 2019 Fedora Release Engineering - 1:2.3.6-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild diff --git a/sources b/sources index f5c7b43..9a8ce1a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.6.tar.gz) = ec28af2efcbd4ab534298c3342709251074dcdb0f0f4bcad0d24b996b273387e2ce557d7ab54abafb69be3ed7dd61f25c82b9710d78156932e2eff7f941c9eb2 -SHA512 (dovecot-2.3-pigeonhole-0.5.6.tar.gz) = 998a046d2eb5ff7bba615fd1a3efdfb1e7e1dabf191257f7fa2882074acc1735a0a4c11c5f31bab1e964b0118f1a8e9e51b3d5529b8fff6d1312c9a8257d9c20 +SHA512 (dovecot-2.3.7.2.tar.gz) = 172f7f0edb884259e4c050607510aee67a35c3a20b7dd147e7c8a25a04921c18f7d6b5c85af2c69ae8c4d53791550970e471b033dbfae94253e331053b6a317d +SHA512 (dovecot-2.3-pigeonhole-0.5.7.2.tar.gz) = 7fc8d89ee31c8e8c16a9aeaeffb591f4188de36fc80e3a30a9ae10bc5acd7ea5d5d91e077fda566e61d588d9221ec53044ce17a9cc0c9c219dbe6824558a1d60 From 436b86d7eb8368feb969029294fe87731754c500 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 10 Oct 2019 14:32:34 +0200 Subject: [PATCH 2/9] dovecot updated to 2.3.8, pigeonhole 0.5.8 --- dovecot.spec | 10 ++++++++-- sources | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index eba9723..bb7322b 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.7.2 +Version: 2.3.8 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.7.2 +%global pigeonholever 0.5.8 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -50,7 +50,10 @@ BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel +BuildRequires: lz4-devel BuildRequires: libsodium-devel +BuildRequires: libexttextcat-devel +BuildRequires: libstemmer-devel # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV @@ -493,6 +496,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Oct 10 2019 Michal Hlavinka - 1:2.3.8-1 +- dovecot updated to 2.3.8, pigeonhole 0.5.8 + * Thu Aug 29 2019 Michal Hlavinka - 1:2.3.7.2-1 - dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 - fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte diff --git a/sources b/sources index 9a8ce1a..05fd840 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.7.2.tar.gz) = 172f7f0edb884259e4c050607510aee67a35c3a20b7dd147e7c8a25a04921c18f7d6b5c85af2c69ae8c4d53791550970e471b033dbfae94253e331053b6a317d -SHA512 (dovecot-2.3-pigeonhole-0.5.7.2.tar.gz) = 7fc8d89ee31c8e8c16a9aeaeffb591f4188de36fc80e3a30a9ae10bc5acd7ea5d5d91e077fda566e61d588d9221ec53044ce17a9cc0c9c219dbe6824558a1d60 +SHA512 (dovecot-2.3.8.tar.gz) = f62439e2ea77ffb544a7752c07085582c5653c64671cb42dd7a7e5aa69eb87059c677aa1fa071efa1ddd2287ab621e9a264ec115be2aeb2f43ab4c685411eae3 +SHA512 (dovecot-2.3-pigeonhole-0.5.8.tar.gz) = ddf009c755cc87c362ddf1c17ac1403b0f6a504b039efef3244f2d5bd4d3963fb25baaaa4d98c089b3e8bddd4675d131765fee5499d9aaf01015e44f7d631d2d From 20ffe20e201f3c0ef9de675029d78c0559964534 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 19 Dec 2019 23:09:57 +0100 Subject: [PATCH 3/9] CVE-2019-19722: Mails with group addresses in From or To fields caused crash in push notification drivers. --- dovecot.spec | 11 +++++++++-- sources | 4 ++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index bb7322b..5d6c3c3 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.8 +Version: 2.3.9.2 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.8 +%global pigeonholever 0.5.9 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -496,6 +496,13 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Dec 19 2019 Michal Hlavinka - 1:2.3.9.2-1 +- CVE-2019-19722: Mails with group addresses in From or To fields + caused crash in push notification drivers. + +* Wed Dec 04 2019 Michal Hlavinka - 1:2.3.9-1 +- dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 + * Thu Oct 10 2019 Michal Hlavinka - 1:2.3.8-1 - dovecot updated to 2.3.8, pigeonhole 0.5.8 diff --git a/sources b/sources index 05fd840..c3d0413 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.8.tar.gz) = f62439e2ea77ffb544a7752c07085582c5653c64671cb42dd7a7e5aa69eb87059c677aa1fa071efa1ddd2287ab621e9a264ec115be2aeb2f43ab4c685411eae3 -SHA512 (dovecot-2.3-pigeonhole-0.5.8.tar.gz) = ddf009c755cc87c362ddf1c17ac1403b0f6a504b039efef3244f2d5bd4d3963fb25baaaa4d98c089b3e8bddd4675d131765fee5499d9aaf01015e44f7d631d2d +SHA512 (dovecot-2.3.9.2.tar.gz) = 36e8270bfa33e2bd6aa89017e65c7d1650c494c79ff297759a4b01c026aebcfdf5b1b542d4357e1f9dc2bb8169ef67064f0699b17ca36d658deb70b4c800b253 +SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 From c00c8c80c55a262c7f0b41743021ea0552a2bd1d Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 12 Feb 2020 16:36:54 +0100 Subject: [PATCH 4/9] dovecot updated to 2.3.9.3 fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS submission-login and lmtp processes. fixes CVE-2020-7957: Specially crafted mail can crash snippet generation. --- dovecot.spec | 20 +++++++++++++++++--- sources | 2 +- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 5d6c3c3..b85d60f 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.9.2 +Version: 2.3.9.3 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -304,7 +304,7 @@ fi install -d -m 0755 -g dovecot -d /run/dovecot install -d -m 0755 -d /run/dovecot/empty install -d -m 0750 -g dovenull -d /run/dovecot/login -install -d -m 0755 -g dovenull -d /run/dovecot/token-login +install -d -m 0750 -g dovenull -d /run/dovecot/token-login [ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot %preun @@ -439,7 +439,11 @@ make check %{_libexecdir}/%{name} %exclude %{_libexecdir}/%{name}/managesieve* -%ghost /run/dovecot +%attr(0755,root,dovecot) %ghost /run/dovecot +%attr(0750,root,dovenull) %ghost /run/dovecot/login +%attr(0750,root,dovenull) %ghost /run/dovecot/token-login +%attr(0755,root,root) %ghost /run/dovecot/empty + %attr(0750,dovecot,dovecot) /var/lib/dovecot %{_datadir}/%{name} @@ -496,6 +500,16 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Feb 12 2020 Michal Hlavinka - 1:2.3.9.3-1 +- dovecot updated to 2.3.9.3 +- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS + submission-login and lmtp processes. +- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation. + + +* Tue Jan 28 2020 Fedora Release Engineering - 1:2.3.9.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Thu Dec 19 2019 Michal Hlavinka - 1:2.3.9.2-1 - CVE-2019-19722: Mails with group addresses in From or To fields caused crash in push notification drivers. diff --git a/sources b/sources index c3d0413..27cc3f5 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.9.2.tar.gz) = 36e8270bfa33e2bd6aa89017e65c7d1650c494c79ff297759a4b01c026aebcfdf5b1b542d4357e1f9dc2bb8169ef67064f0699b17ca36d658deb70b4c800b253 +SHA512 (dovecot-2.3.9.3.tar.gz) = e39dc825a03f009928b67d01747bb70487fbec155e6be5109037db67b78301aa761db432f7355e96d927abf30c68f0116a5f2cf518b9eebf7f5c7806ac00ae41 SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 From 284ffb185edd1c42fe092f5866a18724cd8d2da5 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 21 Apr 2020 20:07:14 +0200 Subject: [PATCH 5/9] dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 --- dovecot.spec | 10 +++++++--- sources | 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index b85d60f..b91f5f8 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.9.3 +Version: 2.3.10 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.9 +%global pigeonholever 0.5.10 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -357,6 +357,7 @@ make check %{_bindir}/doveadm %{_bindir}/doveconf %{_bindir}/dsync +%{_bindir}/dovecot-sysreport %if %{?fedora}0 > 140 || %{?rhel}0 > 60 @@ -439,7 +440,7 @@ make check %{_libexecdir}/%{name} %exclude %{_libexecdir}/%{name}/managesieve* -%attr(0755,root,dovecot) %ghost /run/dovecot +%dir %attr(0755,root,dovecot) %ghost /run/dovecot %attr(0750,root,dovenull) %ghost /run/dovecot/login %attr(0750,root,dovenull) %ghost /run/dovecot/token-login %attr(0755,root,root) %ghost /run/dovecot/empty @@ -500,6 +501,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Apr 21 2020 Michal Hlavinka - 1:2.3.10-1 +- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 + * Wed Feb 12 2020 Michal Hlavinka - 1:2.3.9.3-1 - dovecot updated to 2.3.9.3 - fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS diff --git a/sources b/sources index 27cc3f5..29b0faa 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.9.3.tar.gz) = e39dc825a03f009928b67d01747bb70487fbec155e6be5109037db67b78301aa761db432f7355e96d927abf30c68f0116a5f2cf518b9eebf7f5c7806ac00ae41 -SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 +SHA512 (dovecot-2.3.10.tar.gz) = 73e10d7d1e616d6599eb53f2d2d1ac0f0f2e6e84019faac5cd525e833da44839a7e483635b61d432e3254a9e5f6f90915bec8940c584210341085241949dffa2 +SHA512 (dovecot-2.3-pigeonhole-0.5.10.tar.gz) = f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b From 50f44b928ddcdf0cb6e0e4d4067ce2bf975fc1f3 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 19 May 2020 11:49:58 +0200 Subject: [PATCH 6/9] dovecot updated to 2.3.10.1 fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 --- dovecot.spec | 6 +++++- sources | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index b91f5f8..d32cc87 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.10 +Version: 2.3.10.1 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -501,6 +501,10 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon May 18 2020 Michal Hlavinka - 1:2.3.10.1-1 +- dovecot updated to 2.3.10.1 +- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 + * Tue Apr 21 2020 Michal Hlavinka - 1:2.3.10-1 - dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 diff --git a/sources b/sources index 29b0faa..649f5e0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.10.tar.gz) = 73e10d7d1e616d6599eb53f2d2d1ac0f0f2e6e84019faac5cd525e833da44839a7e483635b61d432e3254a9e5f6f90915bec8940c584210341085241949dffa2 +SHA512 (dovecot-2.3.10.1.tar.gz) = 5c07436a3e861993f241caa2c60f035c533c5fceb5c8540c1717d31bedd54b82299f7ea11bfee12c72d4d33985d93a7130c4f56877864a7ad21cf7373a29cc06 SHA512 (dovecot-2.3-pigeonhole-0.5.10.tar.gz) = f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b From 6f79cd11771257b2ecb85e0f097965e02a2c4f58 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Sat, 15 Aug 2020 19:53:57 +0200 Subject: [PATCH 7/9] CVE-2020-12100: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory. CVE-2020-12673: Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash. CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash. CVE-2020-12674: Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on. --- dovecot.spec | 93 +++++++++++++--------------------------------------- sources | 4 +-- 2 files changed, 24 insertions(+), 73 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index d32cc87..1f50dc1 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.10.1 +Version: 2.3.11.3 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.10 +%global pigeonholever 0.5.11 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -39,13 +39,8 @@ BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel BuildRequires: libpq-devel -%if %{?fedora}0 < 280 -BuildRequires: mysql-devel -BuildRequires: tcp_wrappers-devel -%else BuildRequires: mariadb-connector-c-devel BuildRequires: libxcrypt-devel -%endif BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel @@ -64,31 +59,16 @@ Requires: openssl >= 0.9.7f-4 # Package includes an initscript service file, needs to require initscripts package Requires(pre): shadow-utils -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 Requires: systemd Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -%else -Requires: initscripts -Requires(post): chkconfig -Requires(preun): chkconfig initscripts -Requires(postun): initscripts -%endif -%if %{?fedora}0 > 150 || %{?rhel}0 >60 -#clucene in fedora <=15 and rhel<=6 is too old BuildRequires: clucene-core-devel -%endif %global ssldir %{_sysconfdir}/pki/%{name} -%if %{?fedora}00%{?rhel} < 6 -%global _initddir %{_initrddir} -BuildRequires: curl-devel expat-devel -%else BuildRequires: libcurl-devel expat-devel -%endif %global restart_flag /run/%{name}/%{name}-restart-after-rpm-install @@ -144,11 +124,8 @@ sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src %global _hardened_build 1 export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" -# el6 autoconf too old to regen; use packaged files (#1082384) -%if %{?fedora}00%{?rhel} > 6 mkdir -p m4 autoreconf -I . -fiv #required for aarch64 support -%endif %configure \ INSTALL_DATA="install -c -p -m644" \ --docdir=%{_docdir}/%{name} \ @@ -165,18 +142,11 @@ autoreconf -I . -fiv #required for aarch64 support --with-sqlite \ --with-zlib \ --with-libcap \ -%if %{?fedora}0 < 280 - --with-libwrap \ -%endif -%if %{?fedora}0 > 150 || %{?rhel}0 >60 --with-lucene \ -%endif --with-ssl=openssl \ --with-ssldir=%{ssldir} \ --with-solr \ -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 --with-systemdsystemunitdir=%{_unitdir} \ -%endif --with-docs sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf @@ -216,11 +186,6 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonh install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole popd - -%if %{?fedora}00%{?rhel} < 6 -sed -i 's|password-auth|system-auth|' %{SOURCE2} -%endif - install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot #install man pages @@ -237,12 +202,7 @@ chmod 600 $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf -%else -install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot -install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot -%endif mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login} @@ -282,23 +242,14 @@ useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's un # do not let dovecot run during upgrade rhbz#134325 if [ "$1" = "2" ]; then rm -f %restart_flag -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||: /bin/systemctl stop %{name}.service >/dev/null 2>&1 -%else - /sbin/service %{name} status >/dev/null 2>&1 && touch %restart_flag ||: - /sbin/service %{name} stop >/dev/null 2>&1 -%endif fi %post if [ $1 -eq 1 ] then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 %systemd_post dovecot.service -%else - /sbin/chkconfig --add %{name} -%endif fi install -d -m 0755 -g dovecot -d /run/dovecot @@ -309,27 +260,16 @@ install -d -m 0750 -g dovenull -d /run/dovecot/token-login %preun if [ $1 = 0 ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || : /bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || : -%else - /sbin/service %{name} stop > /dev/null 2>&1 - /sbin/chkconfig --del %{name} -%endif rm -rf /run/dovecot fi %postun -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl daemon-reload >/dev/null 2>&1 || : -%endif if [ "$1" -ge "1" -a -e %restart_flag ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl start dovecot.service >/dev/null 2>&1 || : -%else - /sbin/service %{name} start >/dev/null 2>&1 || : -%endif rm -f %restart_flag fi @@ -337,11 +277,7 @@ fi # dovecot should be started again in %%postun, but it's not executed on reinstall # if it was already started, restart_flag won't be here, so it's ok to test it again if [ -e %restart_flag ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl start dovecot.service >/dev/null 2>&1 || : -%else - /sbin/service %{name} start >/dev/null 2>&1 || : -%endif rm -f %restart_flag fi @@ -360,15 +296,10 @@ make check %{_bindir}/dovecot-sysreport -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 %_tmpfilesdir/dovecot.conf %{_unitdir}/dovecot.service %{_unitdir}/dovecot-init.service %{_unitdir}/dovecot.socket -%else -%{_initddir}/dovecot -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dovecot -%endif %dir %{_sysconfdir}/dovecot %dir %{_sysconfdir}/dovecot/conf.d @@ -501,6 +432,26 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Sat Aug 15 2020 Michal Hlavinka - 1:2.3.11.3-1 +- CVE-2020-12100: Parsing mails with a large number of MIME parts could + have resulted in excessive CPU usage or a crash due to running out of + stack memory. +- CVE-2020-12673: Dovecot's NTLM implementation does not correctly check + message buffer size, which leads to reading past allocation which can + lead to crash. +- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an + address that has the empty quoted string as local-part causes the lmtp + service to crash. +- CVE-2020-12674: Dovecot's RPA mechanism implementation accepts + zero-length message, which leads to assert-crash later on. + +* Sat Aug 01 2020 Fedora Release Engineering - 1:2.3.10.1-3 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 1:2.3.10.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Mon May 18 2020 Michal Hlavinka - 1:2.3.10.1-1 - dovecot updated to 2.3.10.1 - fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 diff --git a/sources b/sources index 649f5e0..a256f67 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.10.1.tar.gz) = 5c07436a3e861993f241caa2c60f035c533c5fceb5c8540c1717d31bedd54b82299f7ea11bfee12c72d4d33985d93a7130c4f56877864a7ad21cf7373a29cc06 -SHA512 (dovecot-2.3-pigeonhole-0.5.10.tar.gz) = f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b +SHA512 (dovecot-2.3.11.3.tar.gz) = d83e52a7faab918a8e6f6257acc5936b81733c10489affd042c3a043cb842db060286cba9978be378e4958e9ac2e60b55ce289d7f3a88df08e7637e4785e23bb +SHA512 (dovecot-2.3-pigeonhole-0.5.11.tar.gz) = 793d93edc50192c52654e2f7244d3e01aaa4e69f786e3ecfcd658a4ab26a5099cc5319cb93221150db4ce94bc4515ffb38115b1d0eeb6e052b956efec680b33d From a9675fbe1f42d4a4195402d0de8fa77c52bbe4bf Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 26 Aug 2020 19:29:55 +0200 Subject: [PATCH 8/9] fix FTBFS on 32bit systems --- dovecot-2.3.11.3-ftbfs1.patch | 15 +++++++++++++++ dovecot-2.3.11.3-ftbfs2.patch | 22 ++++++++++++++++++++++ dovecot.spec | 15 ++++++++++++++- 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3.11.3-ftbfs1.patch create mode 100644 dovecot-2.3.11.3-ftbfs2.patch diff --git a/dovecot-2.3.11.3-ftbfs1.patch b/dovecot-2.3.11.3-ftbfs1.patch new file mode 100644 index 0000000..42059ad --- /dev/null +++ b/dovecot-2.3.11.3-ftbfs1.patch @@ -0,0 +1,15 @@ +diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c +index cf05370035..0a030a2be0 100644 +--- a/src/auth/test-mech.c ++++ b/src/auth/test-mech.c +@@ -196,8 +196,8 @@ test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_ + { + string_t *apop_challenge = t_str_new(128); + +- str_printfa(apop_challenge,"<%lx.%u.%"PRIdTIME_T"", (unsigned long) getpid(), +- connect_uid, process_start_time+10); ++ str_printfa(apop_challenge,"<%lx.%lx.%"PRIxTIME_T".", (unsigned long)getpid(), ++ (unsigned long)connect_uid, process_start_time+10); + str_append_data(apop_challenge, "\0testuser\0responseoflen16-", 26); + *len_r = apop_challenge->used; + return apop_challenge->data; diff --git a/dovecot-2.3.11.3-ftbfs2.patch b/dovecot-2.3.11.3-ftbfs2.patch new file mode 100644 index 0000000..107a4cd --- /dev/null +++ b/dovecot-2.3.11.3-ftbfs2.patch @@ -0,0 +1,22 @@ +diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c +index 0a030a2be0..0a22ff46d0 100644 +--- a/src/auth/test-mech.c ++++ b/src/auth/test-mech.c +@@ -192,7 +192,7 @@ static void test_mech_handle_challenge(struct auth_request *request, + } + + static inline const unsigned char * +-test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_r) ++test_mech_construct_apop_challenge(unsigned int connect_uid, size_t *len_r) + { + string_t *apop_challenge = t_str_new(128); + +@@ -323,7 +323,7 @@ static void test_mechs(void) + struct test_case *test_case = &tests[running_test]; + const struct mech_module *mech = test_case->mech; + struct auth_request *request; +- const char *testname = t_strdup_printf("auth mech %s %d/%lu", ++ const char *testname = t_strdup_printf("auth mech %s %d/%zu", + mech->mech_name, + running_test+1, + N_ELEMENTS(tests)); diff --git a/dovecot.spec b/dovecot.spec index 1f50dc1..f1b4471 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.11.3 %global prever %{nil} -Release: 1%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -32,6 +32,8 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch +Patch12: dovecot-2.3.11.3-ftbfs1.patch +Patch13: dovecot-2.3.11.3-ftbfs2.patch Source15: prestartscript @@ -114,12 +116,17 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem #%patch10 -p1 -b .libxcrypt +%patch12 -p1 -b .ftbfs1 +%patch13 -p1 -b .ftbfs2 #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in %build +# This package references hidden symbols during an LTO link. This needs further +# investigation. Until then, disable LTO +%define _lto_cflags %{nil} #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules %global _hardened_build 1 export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" @@ -432,6 +439,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Aug 26 2020 Michal Hlavinka - 1:2.3.11.3-4 +- fix FTBFS on 32bit systems + +* Mon Aug 17 2020 Jeff Law - 1:2.3.11.3-2 +- Disable LTO + * Sat Aug 15 2020 Michal Hlavinka - 1:2.3.11.3-1 - CVE-2020-12100: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of From 169630bee3ac2af635849aa240bbaaad081f996e Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 2 Sep 2020 12:26:46 +0200 Subject: [PATCH 9/9] fix gssapi issue --- dovecot-2.3.11.3-gssapi.patch | 13 +++++++++++++ dovecot.spec | 7 ++++++- 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3.11.3-gssapi.patch diff --git a/dovecot-2.3.11.3-gssapi.patch b/dovecot-2.3.11.3-gssapi.patch new file mode 100644 index 0000000..18f6c45 --- /dev/null +++ b/dovecot-2.3.11.3-gssapi.patch @@ -0,0 +1,13 @@ +diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c +index f29e48da88..966273d388 100644 +--- a/src/auth/mech-gssapi.c ++++ b/src/auth/mech-gssapi.c +@@ -735,7 +735,7 @@ mech_gssapi_auth_free(struct auth_request *request) + const struct mech_module mech_gssapi = { + "GSSAPI", + +- .flags = 0, ++ .flags = MECH_SEC_ALLOW_NULS, + .passdb_need = MECH_PASSDB_NEED_NOTHING, + + mech_gssapi_auth_new, diff --git a/dovecot.spec b/dovecot.spec index f1b4471..5077164 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.11.3 %global prever %{nil} -Release: 4%{?dist} +Release: 5%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -34,6 +34,7 @@ Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch Patch12: dovecot-2.3.11.3-ftbfs1.patch Patch13: dovecot-2.3.11.3-ftbfs2.patch +Patch14: dovecot-2.3.11.3-gssapi.patch Source15: prestartscript @@ -118,6 +119,7 @@ This package provides the development files for dovecot. #%patch10 -p1 -b .libxcrypt %patch12 -p1 -b .ftbfs1 %patch13 -p1 -b .ftbfs2 +%patch14 -p1 -b .gssapi #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -439,6 +441,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Sep 02 2020 Michal Hlavinka - 1:2.3.11.3-5 +- fix gssapi issue + * Wed Aug 26 2020 Michal Hlavinka - 1:2.3.11.3-4 - fix FTBFS on 32bit systems