
Bug#981239: marked as done (buster-pu: package dovecot/1:2.3.4.1-5+deb10u6)



Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #981239,
regarding buster-pu: package dovecot/1:2.3.4.1-5+deb10u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
981239: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981239
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

I'd like to update the dovecot IMAP suite in buster to address bug #970386.
This bug involves a server crash that's triggered when issuing a server-side
full-text search against a mailbox containing messages with certain malformed
MIME components.  The fix cherry-picked cleanly from upstream and I have
confirmed that it addresses the issue.

Thanks
noah
diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog
--- dovecot-2.3.4.1/debian/changelog	2020-12-28 15:18:55.000000000 -0800
+++ dovecot-2.3.4.1/debian/changelog	2021-01-27 16:35:17.000000000 -0800
@@ -1,3 +1,10 @@
+dovecot (1:2.3.4.1-5+deb10u6) buster; urgency=medium
+
+  * Backport upstream fix for crash that occurred when searching mailboxes
+    containing malformed MIME messages. (Closes: #970386)
+
+ -- Noah Meyerhans <noahm@debian.org>  Wed, 27 Jan 2021 16:35:17 -0800
+
 dovecot (1:2.3.4.1-5+deb10u5) buster-security; urgency=high
 
   * Import upstream fix for security issues:
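Review bot: the new changelog bullet does not name the patch file that carries the fix (debian/patches/bug970386.patch) or the upstream commit it backports, so someone reading only the changelog cannot locate the change. It also describes the failure only as a "crash"; saying that it is an assertion panic in the message parser would tell an administrator what to look for in the logs.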
diff -Nru dovecot-2.3.4.1/debian/patches/bug970386.patch dovecot-2.3.4.1/debian/patches/bug970386.patch
--- dovecot-2.3.4.1/debian/patches/bug970386.patch	1969-12-31 16:00:00.000000000 -0800
+++ dovecot-2.3.4.1/debian/patches/bug970386.patch	2021-01-27 16:35:17.000000000 -0800
@@ -0,0 +1,90 @@
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970386
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 31 Aug 2020 20:38:42 +0300
+Subject: [PATCH] lib-mail: message_parser_init_from_parts() - Fix crash if
+ MIME boundaries don't end
+
+If the last "boundary--" doens't exist, the parsing assert-crashed at
+deinit. This mainly happened when searching mails.
+
+Fixes:
+Panic: file message-parser.c: line 175 (message_part_finish): assertion failed: (ctx->nested_parts_count > 0)
+---
+ src/lib-mail/message-parser.c      | 13 ++++++++-----
+ src/lib-mail/test-message-parser.c | 21 ++++++++++++++++++++-
+ 2 files changed, 28 insertions(+), 6 deletions(-)
+
+Index: dovecot/src/lib-mail/message-parser.c
+===================================================================
+--- dovecot.orig/src/lib-mail/message-parser.c
++++ dovecot/src/lib-mail/message-parser.c
+@@ -138,6 +138,7 @@ message_part_append(struct message_parse
+ 	struct message_part *parent = ctx->part;
+ 	struct message_part *part;
+ 
++	i_assert(!ctx->preparsed);
+ 	i_assert(parent != NULL);
+ 	i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART |
+ 				   MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0);
+@@ -171,12 +172,14 @@ static void message_part_finish(struct m
+ {
+ 	struct message_part **const *parent_next_partp;
+ 
+-	i_assert(ctx->nested_parts_count > 0);
+-	ctx->nested_parts_count--;
+-
+-	parent_next_partp = array_back(&ctx->next_part_stack);
+-	array_pop_back(&ctx->next_part_stack);
+-	ctx->next_part = *parent_next_partp;
++	if (!ctx->preparsed) {
++		i_assert(ctx->nested_parts_count > 0);
++		ctx->nested_parts_count--;
++
++		parent_next_partp = array_back(&ctx->next_part_stack);
++		array_pop_back(&ctx->next_part_stack);
++		ctx->next_part = *parent_next_partp;
++	}
+ 
+ 	message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
+ 	message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size);
+Index: dovecot/src/lib-mail/test-message-parser.c
+===================================================================
+--- dovecot.orig/src/lib-mail/test-message-parser.c
++++ dovecot/src/lib-mail/test-message-parser.c
+@@ -180,9 +180,10 @@ static void test_message_parser_small_bl
+ static void test_message_parser_stop_early(void)
+ {
+ 	struct message_parser_ctx *parser;
+-	struct istream *input;
++	struct istream *input, *input2;
+ 	struct message_part *parts;
+ 	struct message_block block;
++	const char *error;
+ 	unsigned int i;
+ 	pool_t pool;
+ 	int ret;
+@@ -200,6 +201,24 @@ static void test_message_parser_stop_ear
+ 							      &block)) > 0) ;
+ 		test_assert(ret == 0);
+ 		message_parser_deinit(&parser, &parts);
++
++		/* test preparsed - first re-parse everything with a stream
++		   that sees EOF at this position */
++		input2 = i_stream_create_from_data(test_msg, i);
++		parser = message_parser_init(pool, input2, &set_empty);
++		while ((ret = message_parser_parse_next_block(parser,
++							      &block)) > 0) ;
++		test_assert(ret == -1);
++		message_parser_deinit(&parser, &parts);
++
++		/* now parse from the parts */
++		i_stream_seek(input2, 0);
++		parser = message_parser_init_from_parts(parts, input2, &set_empty);
++		while ((ret = message_parser_parse_next_block(parser,
++							      &block)) > 0) ;
++		test_assert(ret == -1);
++		test_assert(message_parser_deinit_from_parts(&parser, &parts, &error) == 0);
++		i_stream_unref(&input2);
+ 	}
+ 
+ 	i_stream_unref(&input);
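Review bot: in the message-parser.c part, message_part_append() gains i_assert(!ctx->preparsed), so a patch that removes one assertion panic on malformed mail adds a new assertion to the same parser. Please confirm, ideally in the patch description, that no preparsed path can reach message_part_append(); if one can, malformed input would still abort the process. In message_part_finish() the nested_parts_count and next_part_stack bookkeeping is now skipped for preparsed contexts while the two message_size_add() calls still run unconditionally; a short comment explaining why that split is correct would help the next reader. The patch header carries Bug-Debian, From, Date and Subject but no Origin field or upstream commit id, which makes the cherry-pick hard to verify against upstream later.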
diff -Nru dovecot-2.3.4.1/debian/patches/series dovecot-2.3.4.1/debian/patches/series
--- dovecot-2.3.4.1/debian/patches/series	2020-12-28 15:18:55.000000000 -0800
+++ dovecot-2.3.4.1/debian/patches/series	2021-01-27 16:35:17.000000000 -0800
@@ -56,4 +56,5 @@
 CVE-2020-24386/0002-imap-Add-unit-test-for-imap-client-hibernate.patch
 CVE-2020-25275/0001-lib-mail-message-parser-Fix-assert-crash-when-enforc.patch
 CVE-2020-25275/0002-lib-imap-Don-t-generate-invalid-BODYSTRUCTURE-when-r.patch
+bug970386.patch
 debian-changes
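Review bot: the name bug970386.patch says nothing about what the patch changes, unlike the CVE-2020-25275 entries above it, which carry the upstream subject in the file name. Naming the file after the upstream subject line (lib-mail: message_parser_init_from_parts() ...) would keep the series readable without opening each file.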

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---
