
Bug#981239: buster-pu: package dovecot/1:2.3.4.1-5+deb10u6



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

I'd like to update the dovecot IMAP suite in buster to address bug #970386.
This bug involves a server crash that's triggered when issuing a server-side
full-text search against a mailbox containing messages with certain malformed
MIME components.  The fix cherry-picked cleanly from upstream and I have
confirmed that it addresses the issue.

Thanks
noah
diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog
--- dovecot-2.3.4.1/debian/changelog	2020-12-28 15:18:55.000000000 -0800
+++ dovecot-2.3.4.1/debian/changelog	2021-01-27 16:35:17.000000000 -0800
@@ -1,3 +1,10 @@
+dovecot (1:2.3.4.1-5+deb10u6) buster; urgency=medium
+
+  * Backport upstream fix for crash that occurred when searching mailboxes
+    containing malformed MIME messages. (Closes: #970386)
+
+ -- Noah Meyerhans <noahm@debian.org>  Wed, 27 Jan 2021 16:35:17 -0800
+
 dovecot (1:2.3.4.1-5+deb10u5) buster-security; urgency=high
 
   * Import upstream fix for security issues:
diff -Nru dovecot-2.3.4.1/debian/patches/bug970386.patch dovecot-2.3.4.1/debian/patches/bug970386.patch
--- dovecot-2.3.4.1/debian/patches/bug970386.patch	1969-12-31 16:00:00.000000000 -0800
+++ dovecot-2.3.4.1/debian/patches/bug970386.patch	2021-01-27 16:35:17.000000000 -0800
@@ -0,0 +1,90 @@
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970386
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 31 Aug 2020 20:38:42 +0300
+Subject: [PATCH] lib-mail: message_parser_init_from_parts() - Fix crash if
+ MIME boundaries don't end
+
+If the last "boundary--" doens't exist, the parsing assert-crashed at
+deinit. This mainly happened when searching mails.
+
+Fixes:
+Panic: file message-parser.c: line 175 (message_part_finish): assertion failed: (ctx->nested_parts_count > 0)
+---
+ src/lib-mail/message-parser.c      | 13 ++++++++-----
+ src/lib-mail/test-message-parser.c | 21 ++++++++++++++++++++-
+ 2 files changed, 28 insertions(+), 6 deletions(-)
+
+Index: dovecot/src/lib-mail/message-parser.c
+===================================================================
+--- dovecot.orig/src/lib-mail/message-parser.c
++++ dovecot/src/lib-mail/message-parser.c
+@@ -138,6 +138,7 @@ message_part_append(struct message_parse
+ 	struct message_part *parent = ctx->part;
+ 	struct message_part *part;
+ 
++	i_assert(!ctx->preparsed);
+ 	i_assert(parent != NULL);
+ 	i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART |
+ 				   MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0);
+@@ -171,12 +172,14 @@ static void message_part_finish(struct m
+ {
+ 	struct message_part **const *parent_next_partp;
+ 
+-	i_assert(ctx->nested_parts_count > 0);
+-	ctx->nested_parts_count--;
+-
+-	parent_next_partp = array_back(&ctx->next_part_stack);
+-	array_pop_back(&ctx->next_part_stack);
+-	ctx->next_part = *parent_next_partp;
++	if (!ctx->preparsed) {
++		i_assert(ctx->nested_parts_count > 0);
++		ctx->nested_parts_count--;
++
++		parent_next_partp = array_back(&ctx->next_part_stack);
++		array_pop_back(&ctx->next_part_stack);
++		ctx->next_part = *parent_next_partp;
++	}
+ 
+ 	message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
+ 	message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size);
+Index: dovecot/src/lib-mail/test-message-parser.c
+===================================================================
+--- dovecot.orig/src/lib-mail/test-message-parser.c
++++ dovecot/src/lib-mail/test-message-parser.c
+@@ -180,9 +180,10 @@ static void test_message_parser_small_bl
+ static void test_message_parser_stop_early(void)
+ {
+ 	struct message_parser_ctx *parser;
+-	struct istream *input;
++	struct istream *input, *input2;
+ 	struct message_part *parts;
+ 	struct message_block block;
++	const char *error;
+ 	unsigned int i;
+ 	pool_t pool;
+ 	int ret;
+@@ -200,6 +201,24 @@ static void test_message_parser_stop_ear
+ 							      &block)) > 0) ;
+ 		test_assert(ret == 0);
+ 		message_parser_deinit(&parser, &parts);
++
++		/* test preparsed - first re-parse everything with a stream
++		   that sees EOF at this position */
++		input2 = i_stream_create_from_data(test_msg, i);
++		parser = message_parser_init(pool, input2, &set_empty);
++		while ((ret = message_parser_parse_next_block(parser,
++							      &block)) > 0) ;
++		test_assert(ret == -1);
++		message_parser_deinit(&parser, &parts);
++
++		/* now parse from the parts */
++		i_stream_seek(input2, 0);
++		parser = message_parser_init_from_parts(parts, input2, &set_empty);
++		while ((ret = message_parser_parse_next_block(parser,
++							      &block)) > 0) ;
++		test_assert(ret == -1);
++		test_assert(message_parser_deinit_from_parts(&parser, &parts, &error) == 0);
++		i_stream_unref(&input2);
+ 	}
+ 
+ 	i_stream_unref(&input);
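Review bot: In the nested message-parser.c hunk, `message_part_finish()` still dereferences `ctx->part->parent` in the two `message_size_add()` calls after the new `if (!ctx->preparsed)` block, while the `nested_parts_count > 0` assertion that used to run first is now skipped on the preparsed path. If that counter was the only check ruling out a finish on the root part, a cached parts tree that disagrees with the stream would become a NULL dereference rather than a logged panic; callers outside the hunk may already guarantee this, so please confirm it or add `i_assert(ctx->part->parent != NULL);` ahead of the `message_size_add()` calls. The new `i_assert(!ctx->preparsed);` in `message_part_append()` also aborts the process on a path driven by mail content, so it deserves a one-line comment naming the invariant that makes it unreachable, along the lines of `/* parsing from parts never appends new parts */` (wording to be checked against the callers). Both function bodies continue outside the hunk, so neither invariant can be verified from this patch alone.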
diff -Nru dovecot-2.3.4.1/debian/patches/series dovecot-2.3.4.1/debian/patches/series
--- dovecot-2.3.4.1/debian/patches/series	2020-12-28 15:18:55.000000000 -0800
+++ dovecot-2.3.4.1/debian/patches/series	2021-01-27 16:35:17.000000000 -0800
@@ -56,4 +56,5 @@
 CVE-2020-24386/0002-imap-Add-unit-test-for-imap-client-hibernate.patch
 CVE-2020-25275/0001-lib-mail-message-parser-Fix-assert-crash-when-enforc.patch
 CVE-2020-25275/0002-lib-imap-Don-t-generate-invalid-BODYSTRUCTURE-when-r.patch
+bug970386.patch
 debian-changes
