Bug#969066: buster-pu: package dovecot/1:2.3.4.1-5+deb10u4

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#969066: buster-pu: package dovecot/1:2.3.4.1-5+deb10u4
From: Noah Meyerhans <noahm@debian.org>
Date: Wed, 26 Aug 2020 15:58:37 -0700
Message-id: <[🔎] 159848271736.140651.10369438555742285534.reportbug@doom.morgul.net>
Reply-to: Noah Meyerhans <noahm@debian.org>, 969066@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

I'd like to fix two upstream regressions in the dovecot version in buster.
These are documented in:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930919
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928492

The changes are small and the relevant upstream commits apply cleanly.  Both
issues have been confirmed fixed in unstable and testing, as well as in the
proposed buster updates.

There's already a buster security upload queued for the next buster point
release.  The included debdiff is against that version, but I expect that
the upload should include the .changes content since the latest one actually
in the archive.  Please confirm that.  (That would be changelog entries for
both 1:2.3.4.1-5+deb10u3 and 1:2.3.4.1-5+deb10u4.)

noah

diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog
--- dovecot-2.3.4.1/debian/changelog	2020-08-10 18:03:03.000000000 -0700
+++ dovecot-2.3.4.1/debian/changelog	2020-08-26 13:54:40.000000000 -0700
@@ -1,5 +1,14 @@
+dovecot (1:2.3.4.1-5+deb10u4) buster; urgency=medium
+
+  * Import upstream fix for dsync sieve filter sync regression
+    (Closes: #930919)
+  * userdb-passwd: Fix getpwent errno handling (Closes: #928492)
+
+ -- Noah Meyerhans <noahm@debian.org>  Wed, 26 Aug 2020 13:54:40 -0700
+
 dovecot (1:2.3.4.1-5+deb10u3) buster-security; urgency=high
 
+  * Stable security update (Closes: #968302)
   * Fix CVE-2020-12100 - Receiving mail with deeply nested MIME parts leads to
     resource exhaustion as Dovecot attempts to parse it.
   * CVE-2020-12673 - Dovecot's NTLM implementation does not correctly check
diff -Nru dovecot-2.3.4.1/debian/patches/bug928492.patch dovecot-2.3.4.1/debian/patches/bug928492.patch
--- dovecot-2.3.4.1/debian/patches/bug928492.patch	1969-12-31 16:00:00.000000000 -0800
+++ dovecot-2.3.4.1/debian/patches/bug928492.patch	2020-08-26 13:54:40.000000000 -0700
@@ -0,0 +1,46 @@
+From 414a7db1d15e57433dfc222bd6bf253c83166408 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@dovecot.fi>
+Date: Fri, 5 Oct 2018 10:18:35 +0300
+Subject: [PATCH] userdb-passwd: Fix getpwent errno handling
+
+In https://bugs.gentoo.org/667118 Reuben Farrelly
+noticed that running
+    # doveadm user '*'
+causes auth daemon to generate errors like:
+    auth-worker(3585): Error: getpwent() failed: Invalid argument
+
+This happens because on successful call getpwent()
+now sets errno=EINVAL starting from glibc-2.28.
+See https://sourceware.org/PR16004 for details.
+
+The fix is to reset 'errno' before 'getpwent()' is called.
+
+Reported-by: Reuben Farrelly
+Bug: https://bugs.gentoo.org/667118
+Bug: https://sourceware.org/PR16004
+Original-Author: Sergei Trofimovich <slyfox@gentoo.org>
+---
+ src/auth/userdb-passwd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/auth/userdb-passwd.c b/src/auth/userdb-passwd.c
+index ee8edf04ee..708762b84a 100644
+--- a/src/auth/userdb-passwd.c
++++ b/src/auth/userdb-passwd.c
+@@ -172,12 +172,16 @@ static void passwd_iterate_next(struct userdb_iterate_context *_ctx)
+ 		return;
+ 	}
+ 
++	/* reset errno since it might have been set when we got here */
+ 	errno = 0;
+ 	while ((pw = getpwent()) != NULL) {
+ 		if (passwd_iterate_want_pw(pw, set)) {
+ 			_ctx->callback(pw->pw_name, _ctx->context);
+ 			return;
+ 		}
++		/* getpwent might set errno to something even if it
++		   returns non-NULL. */
++		errno = 0;
+ 	}
+ 	if (errno != 0) {
+ 		i_error("getpwent() failed: %m");
diff -Nru dovecot-2.3.4.1/debian/patches/debian-changes dovecot-2.3.4.1/debian/patches/debian-changes
--- dovecot-2.3.4.1/debian/patches/debian-changes	2020-08-10 18:03:03.000000000 -0700
+++ dovecot-2.3.4.1/debian/patches/debian-changes	2020-08-26 13:54:40.000000000 -0700
@@ -93780,7 +93780,7 @@
 +#endif
 --- /dev/null
 +++ dovecot-2.3.4.1/pigeonhole/src/plugins/doveadm-sieve/doveadm-sieve-sync.c
-@@ -0,0 +1,747 @@
+@@ -0,0 +1,746 @@
 +/* Copyright (c) 2002-2018 Pigeonhole authors, see the included COPYING file
 + */
 +
@@ -94390,8 +94390,7 @@
 +	siter->super = sbox->super.attribute_iter_init(box, type, prefix);
 +
 +	if (box->storage->user->dsyncing &&
-+	    type == MAIL_ATTRIBUTE_TYPE_PRIVATE &&
-+	    str_begins(prefix, MAILBOX_ATTRIBUTE_PREFIX_SIEVE)) {
++	    type == MAIL_ATTRIBUTE_TYPE_PRIVATE) {
 +		if (sieve_attribute_iter_script_init(siter) < 0)
 +			siter->failed = TRUE;
 +	}
diff -Nru dovecot-2.3.4.1/debian/patches/series dovecot-2.3.4.1/debian/patches/series
--- dovecot-2.3.4.1/debian/patches/series	2020-08-10 18:03:03.000000000 -0700
+++ dovecot-2.3.4.1/debian/patches/series	2020-08-26 13:54:40.000000000 -0700
@@ -51,4 +51,5 @@
 CVE-2020-12100/0016-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch
 CVE-2020-12673.patch
 CVE-2020-12674/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
+bug928492.patch
 debian-changes

Reply to:

Prev by Date: Bug#969009: transition: sleuthkit
Next by Date: Processed: buster update prepared
Previous by thread: Re: Go issues wrt. Debian infrastructure: moving forward
Next by thread: Processed: buster update prepared
Index(es):
- Date
- Thread