
Bug#866679: stretch-pu: package dovecot/1:2.2.27-3+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear SRMs,

I would like to update dovecot in Stretch to fix #865945, which 
currently makes dovecot-solr unusable, as it sends malformed solr 
queries by default. The fix is a simple backport of the relevant 
upstream commit.

While at it, I'd also like to add the DEP-8 tests from unstable, to 
improve the package quality.

Full source debdiff attached.

Regards,
Apollon
diff -Nru dovecot-2.2.27/debian/changelog dovecot-2.2.27/debian/changelog
--- dovecot-2.2.27/debian/changelog	2017-04-11 00:46:54.000000000 +0300
+++ dovecot-2.2.27/debian/changelog	2017-06-30 22:01:28.000000000 +0300
@@ -1,3 +1,12 @@
+dovecot (1:2.2.27-3+deb9u1) stretch; urgency=medium
+
+  * [8b8226f] Fix fts-solr: escape {} chars when sending queries (Closes:
+    #865945)
+  * [a97cdab] Add basic usage DEP-8 tests, performing end-to-end testing using
+    LDA, IMAP and POP3.
+
+ -- Apollon Oikonomopoulos <apoikos@debian.org>  Fri, 30 Jun 2017 22:01:28 +0300
+
 dovecot (1:2.2.27-3) unstable; urgency=high
 
   * [117285a] Remove /etc/dovecot/README (Closes: #849290)
diff -Nru dovecot-2.2.27/debian/patches/escape-fts-solr-chars.patch dovecot-2.2.27/debian/patches/escape-fts-solr-chars.patch
--- dovecot-2.2.27/debian/patches/escape-fts-solr-chars.patch	1970-01-01 02:00:00.000000000 +0200
+++ dovecot-2.2.27/debian/patches/escape-fts-solr-chars.patch	2017-06-30 22:01:28.000000000 +0300
@@ -0,0 +1,54 @@
+From acd32d7ec190d9a3078d38249434673ba5968d85 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@dovecot.fi>
+Date: Mon, 16 Jan 2017 23:55:17 +0200
+Subject: [PATCH] fts-solr: Escape {} chars when sending queries
+
+Fixes:
+java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
+
+Based on patch by Michael Welsh Duggan
+
+diff --git a/src/plugins/fts-solr/fts-backend-solr-old.c b/src/plugins/fts-solr/fts-backend-solr-old.c
+index 5ffbc8ad8..ae4e95ba2 100644
+--- a/src/plugins/fts-solr/fts-backend-solr-old.c
++++ b/src/plugins/fts-solr/fts-backend-solr-old.c
+@@ -701,7 +701,7 @@ fts_backend_solr_lookup(struct fts_backend *_backend, struct mailbox *box,
+ 				&status);
+ 
+ 	str = t_str_new(256);
+-	str_printfa(str, "fl=uid,score&rows=%u&sort=uid+asc&q={!lucene+q.op%%3dAND}",
++	str_printfa(str, "fl=uid,score&rows=%u&sort=uid+asc&q=%%7b!lucene+q.op%%3dAND%%7d",
+ 		    status.uidnext);
+ 
+ 	if (!solr_add_definite_query_args(str, args, and_args)) {
+@@ -834,7 +834,7 @@ fts_backend_solr_lookup_multi(struct fts_backend *_backend,
+ 	fts_solr_set_default_ns(backend);
+ 
+ 	str = t_str_new(256);
+-	str_printfa(str, "fl=ns,box,uidv,uid,score&rows=%u&sort=box+asc,uid+asc&q={!lucene+q.op%%3dAND}",
++	str_printfa(str, "fl=ns,box,uidv,uid,score&rows=%u&sort=box+asc,uid+asc&q=%%7b!lucene+q.op%%3dAND%%7d",
+ 		    SOLR_MAX_MULTI_ROWS);
+ 
+ 	if (solr_add_definite_query_args(str, args, and_args)) {
+diff --git a/src/plugins/fts-solr/fts-backend-solr.c b/src/plugins/fts-solr/fts-backend-solr.c
+index 3d9bc8a50..b6d8bfcc3 100644
+--- a/src/plugins/fts-solr/fts-backend-solr.c
++++ b/src/plugins/fts-solr/fts-backend-solr.c
+@@ -828,7 +828,7 @@ fts_backend_solr_lookup(struct fts_backend *_backend, struct mailbox *box,
+ 	mailbox_get_open_status(box, STATUS_UIDNEXT, &status);
+ 
+ 	str = t_str_new(256);
+-	str_printfa(str, "fl=uid,score&rows=%u&sort=uid+asc&q={!lucene+q.op%%3dAND}",
++	str_printfa(str, "fl=uid,score&rows=%u&sort=uid+asc&q=%%7b!lucene+q.op%%3dAND%%7d",
+ 		    status.uidnext);
+ 	prefix_len = str_len(str);
+ 
+@@ -937,7 +937,7 @@ fts_backend_solr_lookup_multi(struct fts_backend *backend,
+ 	string_t *str;
+ 
+ 	str = t_str_new(256);
+-	str_printfa(str, "fl=box,uid,score&rows=%u&sort=box+asc,uid+asc&q={!lucene+q.op%%3dAND}",
++	str_printfa(str, "fl=box,uid,score&rows=%u&sort=box+asc,uid+asc&q=%%7b!lucene+q.op%%3dAND%%7d",
+ 		    SOLR_MAX_MULTI_ROWS);
+ 
+ 	if (solr_add_definite_query_args(str, args, and_args)) {
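Review bot: The percent-encoded `%%7b` / `%%7d` literals now appear in four format strings across `fts-backend-solr-old.c` and `fts-backend-solr.c` with nothing in the code saying why. A comment above each `str_printfa()` call would keep a later edit from "cleaning" them back to braces, for example `/* {!lucene q.op=AND} local params; braces are sent as %7b/%7d because the server rejects raw {} in the request target */`. These hunks only cover the fixed query prefix. Whether the search terms appended afterwards by `solr_add_definite_query_args()` are percent-encoded in the same way cannot be told from here and is worth confirming, since user-supplied search input ends up in the same request target. All four enclosing functions start and end outside the hunks.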
diff -Nru dovecot-2.2.27/debian/patches/series dovecot-2.2.27/debian/patches/series
--- dovecot-2.2.27/debian/patches/series	2017-04-11 00:46:54.000000000 +0300
+++ dovecot-2.2.27/debian/patches/series	2017-06-30 22:01:28.000000000 +0300
@@ -10,3 +10,4 @@
 libnss_location.patch
 fix-sha3-on-big-endian.patch
 CVE-2017-2669
+escape-fts-solr-chars.patch
diff -Nru dovecot-2.2.27/debian/tests/control dovecot-2.2.27/debian/tests/control
--- dovecot-2.2.27/debian/tests/control	2017-04-11 00:46:54.000000000 +0300
+++ dovecot-2.2.27/debian/tests/control	2017-06-30 22:01:28.000000000 +0300
@@ -4,3 +4,7 @@
 
 Tests: systemd
 Depends: dovecot-core, systemd-sysv
+
+Test-Command: run-parts --report --exit-on-error debian/tests/usage
+Depends: dovecot-imapd, dovecot-pop3d, python3
+Restrictions: needs-root, breaks-testbed, allow-stderr
diff -Nru dovecot-2.2.27/debian/tests/usage/00_setup dovecot-2.2.27/debian/tests/usage/00_setup
--- dovecot-2.2.27/debian/tests/usage/00_setup	1970-01-01 02:00:00.000000000 +0200
+++ dovecot-2.2.27/debian/tests/usage/00_setup	2017-06-30 22:01:28.000000000 +0300
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+set -e
+
+echo "Setting up dovecot for the test"
+# Move aside 10-auth.conf to disable passwd-based auth
+if [ -f /etc/dovecot/conf.d/10-auth.conf ]; then
+	mv /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.bak
+fi
+
+cat >/etc/dovecot/local.conf <<-EOF
+	auth_mechanisms = plain
+	mail_location = maildir:~/Maildir
+	
+	passdb {
+	  driver = static
+	  args = password=test
+	}
+	
+	userdb {
+	  driver = static
+	  args = uid=nobody gid=nogroup home=/srv/dovecot-dep8/%u
+	}
+EOF
+
+mkdir -p /srv/dovecot-dep8
+chown nobody:nogroup /srv/dovecot-dep8
+
+echo "Restarting the service"
+systemctl restart dovecot
+
+echo "Sending a test message via the LDA"
+/usr/lib/dovecot/dovecot-lda -f "test@example.com" -d dep8 <<EOF
+Return-Path: <test@example.com>
+Message-Id: <dep8-test-1@debian.org>
+From: Test User <test@example.com>
+To: dep8 <dep8@example.com>
+Subject: DEP-8 test
+
+This is just a test
+EOF
+
+echo "Verifying that the email was correctly delivered"
+if [ -z "$(doveadm search -u dep8 header message-id dep8-test-1@debian.org)" ]; then
+	echo "Message not found"
+	exit 1
+fi
+
+echo "Done"
+echo
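Review bot: `/etc/dovecot/local.conf` is overwritten by the here-document without the backup that `10-auth.conf` gets a few lines earlier, so an existing local configuration is lost if the script ever runs outside a disposable testbed. Mirroring the existing guard would cover it: `if [ -f /etc/dovecot/local.conf ]; then mv /etc/dovecot/local.conf /etc/dovecot/local.conf.bak; fi`. The configuration written here accepts every username with the static password `test` and is never reverted, so a header comment such as `# Only for throwaway DEP-8 testbeds: replaces auth with a static passdb and does not restore it` would make that dependency on `breaks-testbed` explicit.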
diff -Nru dovecot-2.2.27/debian/tests/usage/imap dovecot-2.2.27/debian/tests/usage/imap
--- dovecot-2.2.27/debian/tests/usage/imap	1970-01-01 02:00:00.000000000 +0200
+++ dovecot-2.2.27/debian/tests/usage/imap	2017-06-30 22:01:28.000000000 +0300
@@ -0,0 +1,33 @@
+#!/usr/bin/python3
+import imaplib
+
+imaplib.Debug = 4
+
+print("Testing IMAP")
+print("Connecting")
+client = imaplib.IMAP4('localhost')
+
+print("Logging in")
+client.login('dep8', 'test')
+
+print("Selecting INBOX")
+client.select()
+
+print("Looking for the test message")
+res, uids = client.search(None, 'HEADER', 'MESSAGE-ID', '"<dep8-test-1@debian.org>"')
+
+assert res == 'OK'
+assert len(uids[0]) > 0
+
+uid = uids[0].split()[0]
+
+print("Fetching and verifying test message")
+res, data = client.fetch(uid, '(RFC822)')
+
+assert res == 'OK'
+
+lines = data[0][1].splitlines()
+
+assert b'Subject: DEP-8 test' in lines
+
+print("Done")
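Review bot: The IMAP session is never closed: the script ends after the final `print("Done")` without calling `client.logout()`, and a failing `assert` exits with the connection still open. `imaplib.IMAP4` can be used as a context manager from Python 3.5 on, so wrapping the body in `with imaplib.IMAP4('localhost') as client:` would log out on every path, provided the python3 in the target release is new enough. The pop3 script has the same gap and could call `client.quit()` in a `finally:` block.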
diff -Nru dovecot-2.2.27/debian/tests/usage/pop3 dovecot-2.2.27/debian/tests/usage/pop3
--- dovecot-2.2.27/debian/tests/usage/pop3	1970-01-01 02:00:00.000000000 +0200
+++ dovecot-2.2.27/debian/tests/usage/pop3	2017-06-30 22:01:28.000000000 +0300
@@ -0,0 +1,26 @@
+#!/usr/bin/python3
+import poplib
+
+print("Testing POP3")
+print("Connecting")
+client = poplib.POP3('localhost')
+client.set_debuglevel(2)
+
+print("Logging in")
+client.user('dep8')
+client.pass_('test')
+
+print("Listing INBOX")
+res, data, _ = client.list()
+assert res.startswith(b'+OK')
+
+print("Fetching and verifying test message")
+for entry in data:
+    _id, _ = entry.split(maxsplit=1)
+    res, body, _ = client.retr(int(_id))
+    if b'Subject: DEP-8 test' in body:
+        break
+else:
+    raise AssertionError("Test message not found")
+
+print("Done")
