
Bug#860085: unblock: dovecot/1:2.2.27-3

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package dovecot

1:2.2.27-3 fixes a security issue (CVE-2017-2669 - #860049).  
Additionally it includes a single change I had already queued up in git,
removing an irrelevant /etc/dovecot/README, which was registered as a 
conffile and should have been removed a long time ago (see #849290).

Full source debdiff attached.

Thanks,
Apollon

unblock dovecot/1:2.2.27-3
diff -Nru dovecot-2.2.27/debian/changelog dovecot-2.2.27/debian/changelog
--- dovecot-2.2.27/debian/changelog	2016-12-15 22:24:56.000000000 +0200
+++ dovecot-2.2.27/debian/changelog	2017-04-11 00:46:54.000000000 +0300
@@ -1,3 +1,11 @@
+dovecot (1:2.2.27-3) unstable; urgency=high
+
+  * [117285a] Remove /etc/dovecot/README (Closes: #849290)
+  * [04e8ce3] auth: Do not double-expand key in passdb dict when
+    authenticating (CVE-2017-2669) (Closes: #860049)
+
+ -- Apollon Oikonomopoulos <apoikos@debian.org>  Tue, 11 Apr 2017 00:46:54 +0300
+
 dovecot (1:2.2.27-2) unstable; urgency=medium
 
   * [30586e3] Fix SHA3 on big-endian architectures.
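Review bot: the second changelog bullet names the CVE and the Debian bug but not the upstream fix, and since the patch file in this debdiff carries no DEP-3 header, the changelog is the only place a reader can look; consider extending the bullet to cite the upstream commit (78c9c50cda5390bc748ed4962763df57650bc95a, from the embedded git header) so the provenance of the CVE-2017-2669 fix is visible from the changelog alone. urgency=high is appropriate for a security update, and the Closes: references (#849290, #860049) match the bug numbers given in the unblock request.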
diff -Nru dovecot-2.2.27/debian/dovecot-core.maintscript dovecot-2.2.27/debian/dovecot-core.maintscript
--- dovecot-2.2.27/debian/dovecot-core.maintscript	1970-01-01 02:00:00.000000000 +0200
+++ dovecot-2.2.27/debian/dovecot-core.maintscript	2017-04-11 00:46:54.000000000 +0300
@@ -0,0 +1 @@
+rm_conffile /etc/dovecot/README 1:2.2.27-3~
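Review bot: the version argument 1:2.2.27-3~ is the right form (the trailing tilde makes the removal apply to any build derived from 2.2.27-3, such as backports), but rm_conffile is only valid once the package no longer ships the file, so this entry depends on the debian/rules hunk in the same debdiff and the two should land together. It is also worth noting, in the changelog or the bug, that going through dpkg-maintscript-helper means a locally modified /etc/dovecot/README is preserved as README.dpkg-bak rather than deleted outright, which is the behaviour users of #849290 would expect.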
diff -Nru dovecot-2.2.27/debian/patches/CVE-2017-2669 dovecot-2.2.27/debian/patches/CVE-2017-2669
--- dovecot-2.2.27/debian/patches/CVE-2017-2669	1970-01-01 02:00:00.000000000 +0200
+++ dovecot-2.2.27/debian/patches/CVE-2017-2669	2017-04-11 00:43:09.000000000 +0300
@@ -0,0 +1,27 @@
+From 78c9c50cda5390bc748ed4962763df57650bc95a Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@dovecot.fi>
+Date: Mon, 6 Mar 2017 14:59:46 +0200
+Subject: [PATCH] auth: Do not double-expand key in passdb dict when
+ authenticating
+
+Broken by 79042f8c
+---
+ src/auth/db-dict.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/auth/db-dict.c b/src/auth/db-dict.c
+index 138ac0dc3..93b5aa268 100644
+--- a/src/auth/db-dict.c
++++ b/src/auth/db-dict.c
+@@ -408,7 +408,7 @@ static int db_dict_iter_lookup_key_values(struct db_dict_value_iter *iter)
+ 			continue;
+ 
+ 		str_truncate(path, strlen(DICT_PATH_SHARED));
+-		var_expand(path, key->key->key, iter->var_expand_table);
++		str_append(path, key->key->key);
+ 		ret = dict_lookup(iter->conn->dict, iter->pool,
+ 				  str_c(path), &key->value);
+ 		if (ret > 0) {
+-- 
+2.11.0
+
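Review bot: the patch file contains only the git format-patch header and no DEP-3 fields; add at least Origin: (the upstream commit 78c9c50cda5390bc748ed4962763df57650bc95a) and Bug-Debian: https://bugs.debian.org/860049 so the cherry-pick is traceable without consulting the changelog. On the change itself, replacing var_expand(path, key->key->key, iter->var_expand_table) with str_append(path, key->key->key) removes variable expansion of the key at this point; that is only correct because the key has already been expanded earlier (the subject line says "double-expand" and the regression is attributed to 79042f8c), so a one-line comment in the patch description stating where the first expansion happens would let a future reviewer confirm the fix is not dropping expansion altogether.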
diff -Nru dovecot-2.2.27/debian/patches/series dovecot-2.2.27/debian/patches/series
--- dovecot-2.2.27/debian/patches/series	2016-12-15 22:23:28.000000000 +0200
+++ dovecot-2.2.27/debian/patches/series	2017-04-11 00:44:11.000000000 +0300
@@ -9,3 +9,4 @@
 dovecot_name.patch
 libnss_location.patch
 fix-sha3-on-big-endian.patch
+CVE-2017-2669
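Review bot: the new series entry CVE-2017-2669 has no .patch suffix, unlike the three entries above it (dovecot_name.patch, libnss_location.patch, fix-sha3-on-big-endian.patch); renaming the file to CVE-2017-2669.patch keeps debian/patches consistent and makes its role obvious when listing the directory.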
diff -Nru dovecot-2.2.27/debian/rules dovecot-2.2.27/debian/rules
--- dovecot-2.2.27/debian/rules	2016-12-06 16:17:02.000000000 +0200
+++ dovecot-2.2.27/debian/rules	2017-01-27 02:44:58.000000000 +0200
@@ -125,6 +125,7 @@
 	$(MAKE) install DESTDIR=$(CORE_DIR)
 	$(MAKE) -C $(PIGEONHOLE_DIR) install DESTDIR=$(CORE_DIR)
 	rm `find $(CURDIR)/debian -name '*.la'`
+	rm debian/dovecot-core/etc/dovecot/README
 
 override_dh_install:
 	chmod 0700 debian/dovecot-core/etc/dovecot/private
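Review bot: the added `rm debian/dovecot-core/etc/dovecot/README` is an unconditional rm, so the build fails at this step if a future upstream release stops installing the README; if that hard failure is not intended as a reminder to drop the line, `rm -f` would make the removal tolerant of the file's absence. The hunk's timestamp (2017-01-27) predates the CVE fix, consistent with the cover note that this change was already queued in git.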
