
Bug#1016458: bullseye-pu: package dovecot/2.3.13+dfsg1-2+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Dovecot 2.3.13+dfsg1-2+deb11u1 contains a backported fix for #1016351
(CVE-2022-30550).  The fix is cherry-picked from upstream and is identical
to the fix recently uploaded to unstable in dovecot_2.3.19.1+dfsg1-2.  The
stable security team and the package maintainers have determined that this
issue does not warrant a DSA and should be fixed in the next bullseye
point release.

Debdiff is attached.  Note that it contains one additional minor change to
switch the salsa gitlab ci configuration to use bullseye runners.

noah
diff -Nru dovecot-2.3.13+dfsg1/debian/changelog dovecot-2.3.13+dfsg1/debian/changelog
--- dovecot-2.3.13+dfsg1/debian/changelog	2021-07-20 08:05:19.000000000 -0700
+++ dovecot-2.3.13+dfsg1/debian/changelog	2022-07-31 17:47:06.000000000 -0700
@@ -1,3 +1,10 @@
+dovecot (1:2.3.13+dfsg1-2+deb11u1) bullseye; urgency=medium
+
+  * [4b5dac8] d/patches: cherry-pick fix for CVE-2022-30550 (Closes: #1016351)
+  * [597ba7f] salsa-ci: build with bullseye
+
+ -- Noah Meyerhans <noahm@debian.org>  Sun, 31 Jul 2022 17:47:06 -0700
+
 dovecot (1:2.3.13+dfsg1-2) unstable; urgency=high
 
   * Import upstream fixes for security issues (Closes: #990566):
diff -Nru dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch
--- dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch	1969-12-31 16:00:00.000000000 -0800
+++ dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch	2022-07-31 17:47:06.000000000 -0700
@@ -0,0 +1,22 @@
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 16 May 2022 14:58:45 +0200
+Subject: auth: Add a comment about updating userdb_find()
+
+---
+ src/auth/userdb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: dovecot/src/auth/userdb.c
+===================================================================
+--- dovecot.orig/src/auth/userdb.c
++++ dovecot/src/auth/userdb.c
+@@ -162,7 +162,8 @@ userdb_preinit(pool_t pool, const struct
+ 	userdb->id = ++auth_userdb_id;
+ 	userdb->iface = iface;
+ 	userdb->args = p_strdup(pool, set->args);
+-
++	/* NOTE: if anything else than driver & args are added here,
++	   userdb_find() also needs to be updated. */
+ 	array_push_back(&userdb_modules, &userdb);
+ 	return userdb;
+ }
diff -Nru dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
--- dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch	1969-12-31 16:00:00.000000000 -0800
+++ dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch	2022-07-31 17:47:06.000000000 -0700
@@ -0,0 +1,130 @@
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 9 May 2022 15:23:33 +0300
+Subject: auth: Fix handling passdbs with identical driver/args but different
+ mechanisms/username_filter
+
+The passdb was wrongly deduplicated in this situation, causing wrong
+mechanisms or username_filter setting to be used. This would be a rather
+unlikely configuration though.
+
+Fixed by moving mechanisms and username_filter from struct passdb_module
+to struct auth_passdb, which is where they should have been in the first
+place.
+---
+ src/auth/auth-request.c |  6 +++---
+ src/auth/auth.c         | 18 ++++++++++++++++++
+ src/auth/auth.h         |  5 +++++
+ src/auth/passdb.c       | 15 ++-------------
+ src/auth/passdb.h       |  4 ----
+ 5 files changed, 28 insertions(+), 20 deletions(-)
+
+Index: dovecot/src/auth/auth-request.c
+===================================================================
+--- dovecot.orig/src/auth/auth-request.c
++++ dovecot/src/auth/auth-request.c
+@@ -553,8 +553,8 @@ auth_request_want_skip_passdb(struct aut
+ 			      struct auth_passdb *passdb)
+ {
+ 	/* if mechanism is not supported, skip */
+-	const char *const *mechs = passdb->passdb->mechanisms;
+-	const char *const *username_filter = passdb->passdb->username_filter;
++	const char *const *mechs = passdb->mechanisms;
++	const char *const *username_filter = passdb->username_filter;
+ 	const char *username;
+ 
+ 	username = request->fields.user;
+@@ -567,7 +567,7 @@ auth_request_want_skip_passdb(struct aut
+ 		return TRUE;
+ 	}
+ 
+-	if (passdb->passdb->username_filter != NULL &&
++	if (passdb->username_filter != NULL &&
+ 	    !auth_request_username_accepted(username_filter, username)) {
+ 		auth_request_log_debug(request,
+ 				       request->mech != NULL ? AUTH_SUBSYS_MECH
+Index: dovecot/src/auth/auth.c
+===================================================================
+--- dovecot.orig/src/auth/auth.c
++++ dovecot/src/auth/auth.c
+@@ -93,6 +93,24 @@ auth_passdb_preinit(struct auth *auth, c
+ 	auth_passdb->override_fields_tmpl =
+ 		passdb_template_build(auth->pool, set->override_fields);
+ 
++	if (*set->mechanisms == '\0') {
++		auth_passdb->mechanisms = NULL;
++	} else if (strcasecmp(set->mechanisms, "none") == 0) {
++		auth_passdb->mechanisms = (const char *const[]){ NULL };
++	} else {
++		auth_passdb->mechanisms =
++			(const char *const *)p_strsplit_spaces(auth->pool,
++				set->mechanisms, " ,");
++	}
++
++	if (*set->username_filter == '\0') {
++		auth_passdb->username_filter = NULL;
++	} else {
++		auth_passdb->username_filter =
++			(const char *const *)p_strsplit_spaces(auth->pool,
++				set->username_filter, " ,");
++	}
++
+ 	/* for backwards compatibility: */
+ 	if (set->pass)
+ 		auth_passdb->result_success = AUTH_DB_RULE_CONTINUE;
+Index: dovecot/src/auth/auth.h
+===================================================================
+--- dovecot.orig/src/auth/auth.h
++++ dovecot/src/auth/auth.h
+@@ -41,6 +41,11 @@ struct auth_passdb {
+ 	struct passdb_template *default_fields_tmpl;
+ 	struct passdb_template *override_fields_tmpl;
+ 
++	/* Supported authentication mechanisms, NULL is all, {NULL} is none */
++	const char *const *mechanisms;
++	/* Username filter, NULL is no filter */
++	const char *const *username_filter;
++
+ 	enum auth_passdb_skip skip;
+ 	enum auth_db_rule result_success;
+ 	enum auth_db_rule result_failure;
+Index: dovecot/src/auth/passdb.c
+===================================================================
+--- dovecot.orig/src/auth/passdb.c
++++ dovecot/src/auth/passdb.c
+@@ -226,19 +226,8 @@ passdb_preinit(pool_t pool, const struct
+ 	passdb->id = ++auth_passdb_id;
+ 	passdb->iface = *iface;
+ 	passdb->args = p_strdup(pool, set->args);
+-	if (*set->mechanisms == '\0') {
+-		passdb->mechanisms = NULL;
+-	} else if (strcasecmp(set->mechanisms, "none") == 0) {
+-		passdb->mechanisms = (const char *const[]){NULL};
+-	} else {
+-		passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
+-	}
+-
+-	if (*set->username_filter == '\0') {
+-		passdb->username_filter = NULL;
+-	} else {
+-		passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,");
+-	}
++	/* NOTE: if anything else than driver & args are added here,
++	   passdb_find() also needs to be updated. */
+ 	array_push_back(&passdb_modules, &passdb);
+ 	return passdb;
+ }
+Index: dovecot/src/auth/passdb.h
+===================================================================
+--- dovecot.orig/src/auth/passdb.h
++++ dovecot/src/auth/passdb.h
+@@ -63,10 +63,6 @@ struct passdb_module {
+ 	/* Default password scheme for this module.
+ 	   If default_cache_key is set, must not be NULL. */
+ 	const char *default_pass_scheme;
+-	/* Supported authentication mechanisms, NULL is all, [NULL] is none*/
+-	const char *const *mechanisms;
+-	/* Username filter, NULL is no filter */
+-	const char *const *username_filter;
+ 
+ 	/* If blocking is set to TRUE, use child processes to access
+ 	   this passdb. */
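Review bot: In the auth.c part of this patch, `auth_passdb->mechanisms = (const char *const[]){ NULL };` stores the address of a compound literal whose storage duration is that of the enclosing `else if` block (C11 6.5.2.5), while auth_passdb is presumably pool-allocated (the neighbouring branches use `auth->pool`) and is read again per request in auth_request_want_skip_passdb via `passdb->mechanisms`; the same construct is carried over from the removed passdb.c lines, so the commit moves it rather than introduces it, but the backport is a good point to fix it. Compilers commonly place a const-qualified literal in read-only data, yet the standard makes the stored pointer dangling once auth_passdb_preinit returns. A file-scope table keeps the "NULL is all, {NULL} is none" contract documented in auth.h: `static const char *const auth_passdb_no_mechanisms[] = { NULL };` at file scope and `auth_passdb->mechanisms = auth_passdb_no_mechanisms;` in the branch. Both auth_passdb_preinit and auth_request_want_skip_passdb start and end outside the hunks shown.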
diff -Nru dovecot-2.3.13+dfsg1/debian/patches/series dovecot-2.3.13+dfsg1/debian/patches/series
--- dovecot-2.3.13+dfsg1/debian/patches/series	2021-07-19 15:05:12.000000000 -0700
+++ dovecot-2.3.13+dfsg1/debian/patches/series	2022-07-31 17:47:06.000000000 -0700
@@ -18,3 +18,5 @@
 Improve-cross-compile-support.patch
 CVE-2021-29157.patch
 CVE-2021-33515.patch
+auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
+auth-Add-a-comment-about-updating-userdb_find.patch
diff -Nru dovecot-2.3.13+dfsg1/debian/salsa-ci.yml dovecot-2.3.13+dfsg1/debian/salsa-ci.yml
--- dovecot-2.3.13+dfsg1/debian/salsa-ci.yml	2021-07-19 06:46:55.000000000 -0700
+++ dovecot-2.3.13+dfsg1/debian/salsa-ci.yml	2022-07-31 17:47:06.000000000 -0700
@@ -6,3 +6,4 @@
 variables:
   SALSA_CI_LINTIAN_FAIL_WARNING: 1
   SALSA_CI_DISABLE_REPROTEST: 1
+  RELEASE: 'bullseye'
