
Bug#1016458: marked as done (bullseye-pu: package dovecot/2.3.13+dfsg1-2+deb11u1)



Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id <92fe43e7805e82e43100a6471ccbf91cd9a12944.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1016458,
regarding bullseye-pu: package dovecot/2.3.13+dfsg1-2+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1016458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016458
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Dovecot 2.3.13+dfsg1-2+deb11u1 contains a backported fix for #1016351
(CVE-2022-30550).  The fix is cherry-picked from upstream and is identical
to the fix recently uploaded to unstable in dovecot_2.3.19.1+dfsg1-2.  The
stable security team and the package maintainers have determined that this
issue does not warrant a DSA and should be fixed in the next bullseye
point release.

Debdiff is attached.  Note that it contains one additional minor change to
switch the salsa gitlab ci configuration to use bullseye runners.

noah
diff -Nru dovecot-2.3.13+dfsg1/debian/changelog dovecot-2.3.13+dfsg1/debian/changelog
--- dovecot-2.3.13+dfsg1/debian/changelog	2021-07-20 08:05:19.000000000 -0700
+++ dovecot-2.3.13+dfsg1/debian/changelog	2022-07-31 17:47:06.000000000 -0700
@@ -1,3 +1,10 @@
+dovecot (1:2.3.13+dfsg1-2+deb11u1) bullseye; urgency=medium
+
+  * [4b5dac8] d/patches: cherry-pick fix for CVE-2022-30550 (Closes: #1016351)
+  * [597ba7f] salsa-ci: build with bullseye
+
+ -- Noah Meyerhans <noahm@debian.org>  Sun, 31 Jul 2022 17:47:06 -0700
+
 dovecot (1:2.3.13+dfsg1-2) unstable; urgency=high
 
   * Import upstream fixes for security issues (Closes: #990566):
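Review bot: The entry `+  * [4b5dac8] d/patches: cherry-pick fix for CVE-2022-30550 (Closes: #1016351)` records the CVE and the Debian bug but not where the fix was cherry-picked from; the cover letter says it is identical to the fix in dovecot 2.3.19.1+dfsg1-2 in unstable, and naming that version (or the upstream commits) in the changelog would make the provenance auditable from the package alone. The rest of the entry is in order: the target is `bullseye`, `1:2.3.13+dfsg1-2+deb11u1` sorts after the previous `1:2.3.13+dfsg1-2` and below any later unstable version, and the date line matches the file timestamps in the debdiff.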
diff -Nru dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch
--- dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch	1969-12-31 16:00:00.000000000 -0800
+++ dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch	2022-07-31 17:47:06.000000000 -0700
@@ -0,0 +1,22 @@
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 16 May 2022 14:58:45 +0200
+Subject: auth: Add a comment about updating userdb_find()
+
+---
+ src/auth/userdb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: dovecot/src/auth/userdb.c
+===================================================================
+--- dovecot.orig/src/auth/userdb.c
++++ dovecot/src/auth/userdb.c
+@@ -162,7 +162,8 @@ userdb_preinit(pool_t pool, const struct
+ 	userdb->id = ++auth_userdb_id;
+ 	userdb->iface = iface;
+ 	userdb->args = p_strdup(pool, set->args);
+-
++	/* NOTE: if anything else than driver & args are added here,
++	   userdb_find() also needs to be updated. */
+ 	array_push_back(&userdb_modules, &userdb);
+ 	return userdb;
+ }
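Review bot: This patch is comment-only, replacing a blank line in userdb_preinit() with a note that userdb_find() must be updated if anything beyond driver and args is stored on the module, so it changes no behaviour in the stable package; it is still worth carrying because it documents the invariant that the companion CVE fix depends on (modules are deduplicated by driver and args only), and saying so in the patch header or in d/changelog would make clear to a release-team reviewer that it is not stray churn. The header has From/Date/Subject but no DEP-3 `Origin:` line; `Origin: upstream, <upstream commit URL>` (the commit reference is not in this debdiff) would help later rebases.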
diff -Nru dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
--- dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch	1969-12-31 16:00:00.000000000 -0800
+++ dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch	2022-07-31 17:47:06.000000000 -0700
@@ -0,0 +1,130 @@
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 9 May 2022 15:23:33 +0300
+Subject: auth: Fix handling passdbs with identical driver/args but different
+ mechanisms/username_filter
+
+The passdb was wrongly deduplicated in this situation, causing wrong
+mechanisms or username_filter setting to be used. This would be a rather
+unlikely configuration though.
+
+Fixed by moving mechanisms and username_filter from struct passdb_module
+to struct auth_passdb, which is where they should have been in the first
+place.
+---
+ src/auth/auth-request.c |  6 +++---
+ src/auth/auth.c         | 18 ++++++++++++++++++
+ src/auth/auth.h         |  5 +++++
+ src/auth/passdb.c       | 15 ++-------------
+ src/auth/passdb.h       |  4 ----
+ 5 files changed, 28 insertions(+), 20 deletions(-)
+
+Index: dovecot/src/auth/auth-request.c
+===================================================================
+--- dovecot.orig/src/auth/auth-request.c
++++ dovecot/src/auth/auth-request.c
+@@ -553,8 +553,8 @@ auth_request_want_skip_passdb(struct aut
+ 			      struct auth_passdb *passdb)
+ {
+ 	/* if mechanism is not supported, skip */
+-	const char *const *mechs = passdb->passdb->mechanisms;
+-	const char *const *username_filter = passdb->passdb->username_filter;
++	const char *const *mechs = passdb->mechanisms;
++	const char *const *username_filter = passdb->username_filter;
+ 	const char *username;
+ 
+ 	username = request->fields.user;
+@@ -567,7 +567,7 @@ auth_request_want_skip_passdb(struct aut
+ 		return TRUE;
+ 	}
+ 
+-	if (passdb->passdb->username_filter != NULL &&
++	if (passdb->username_filter != NULL &&
+ 	    !auth_request_username_accepted(username_filter, username)) {
+ 		auth_request_log_debug(request,
+ 				       request->mech != NULL ? AUTH_SUBSYS_MECH
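Review bot: The second hunk tests `passdb->username_filter != NULL` while the local `username_filter` declared in the first hunk already holds the same pointer, so `if (username_filter != NULL &&` would be the consistent spelling and would avoid re-reading the struct; likewise the comment `/* if mechanism is not supported, skip */` now sits above both the mechanisms and username_filter lookups and belongs next to the mechanism check it describes. The substantive change, reading `mechanisms` and `username_filter` from the per-configuration `struct auth_passdb` instead of the shared `passdb->passdb` module, is what the commit message describes and is correct provided every `struct auth_passdb` passed here has been initialised by auth_passdb_preinit().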
+Index: dovecot/src/auth/auth.c
+===================================================================
+--- dovecot.orig/src/auth/auth.c
++++ dovecot/src/auth/auth.c
+@@ -93,6 +93,24 @@ auth_passdb_preinit(struct auth *auth, c
+ 	auth_passdb->override_fields_tmpl =
+ 		passdb_template_build(auth->pool, set->override_fields);
+ 
++	if (*set->mechanisms == '\0') {
++		auth_passdb->mechanisms = NULL;
++	} else if (strcasecmp(set->mechanisms, "none") == 0) {
++		auth_passdb->mechanisms = (const char *const[]){ NULL };
++	} else {
++		auth_passdb->mechanisms =
++			(const char *const *)p_strsplit_spaces(auth->pool,
++				set->mechanisms, " ,");
++	}
++
++	if (*set->username_filter == '\0') {
++		auth_passdb->username_filter = NULL;
++	} else {
++		auth_passdb->username_filter =
++			(const char *const *)p_strsplit_spaces(auth->pool,
++				set->username_filter, " ,");
++	}
++
+ 	/* for backwards compatibility: */
+ 	if (set->pass)
+ 		auth_passdb->result_success = AUTH_DB_RULE_CONTINUE;
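Review bot: `auth_passdb->mechanisms = (const char *const[]){ NULL };` stores the address of a block-scope compound literal, which under C11 6.5.2.5 has automatic storage duration tied to the enclosing block, into a pool-allocated struct that outlives auth_passdb_preinit(); the same construct existed in the block removed from passdb.c, so this is not a regression, but since the code is being moved anyway a file-scope sentinel such as `static const char *const no_mechanisms[] = { NULL };` would give the "none" marker a well-defined lifetime instead of relying on compiler behaviour. Otherwise the empty-string, `none` and `" ,"`-separated handling matches the removed passdb.c code line for line, so the semantics of the `mechanisms` and `username_filter` settings are unchanged apart from now being kept per passdb entry.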
+Index: dovecot/src/auth/auth.h
+===================================================================
+--- dovecot.orig/src/auth/auth.h
++++ dovecot/src/auth/auth.h
+@@ -41,6 +41,11 @@ struct auth_passdb {
+ 	struct passdb_template *default_fields_tmpl;
+ 	struct passdb_template *override_fields_tmpl;
+ 
++	/* Supported authentication mechanisms, NULL is all, {NULL} is none */
++	const char *const *mechanisms;
++	/* Username filter, NULL is no filter */
++	const char *const *username_filter;
++
+ 	enum auth_passdb_skip skip;
+ 	enum auth_db_rule result_success;
+ 	enum auth_db_rule result_failure;
+Index: dovecot/src/auth/passdb.c
+===================================================================
+--- dovecot.orig/src/auth/passdb.c
++++ dovecot/src/auth/passdb.c
+@@ -226,19 +226,8 @@ passdb_preinit(pool_t pool, const struct
+ 	passdb->id = ++auth_passdb_id;
+ 	passdb->iface = *iface;
+ 	passdb->args = p_strdup(pool, set->args);
+-	if (*set->mechanisms == '\0') {
+-		passdb->mechanisms = NULL;
+-	} else if (strcasecmp(set->mechanisms, "none") == 0) {
+-		passdb->mechanisms = (const char *const[]){NULL};
+-	} else {
+-		passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
+-	}
+-
+-	if (*set->username_filter == '\0') {
+-		passdb->username_filter = NULL;
+-	} else {
+-		passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,");
+-	}
++	/* NOTE: if anything else than driver & args are added here,
++	   passdb_find() also needs to be updated. */
+ 	array_push_back(&passdb_modules, &passdb);
+ 	return passdb;
+ }
+Index: dovecot/src/auth/passdb.h
+===================================================================
+--- dovecot.orig/src/auth/passdb.h
++++ dovecot/src/auth/passdb.h
+@@ -63,10 +63,6 @@ struct passdb_module {
+ 	/* Default password scheme for this module.
+ 	   If default_cache_key is set, must not be NULL. */
+ 	const char *default_pass_scheme;
+-	/* Supported authentication mechanisms, NULL is all, [NULL] is none*/
+-	const char *const *mechanisms;
+-	/* Username filter, NULL is no filter */
+-	const char *const *username_filter;
+ 
+ 	/* If blocking is set to TRUE, use child processes to access
+ 	   this passdb. */
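Review bot: The patch header gives the upstream author and commit message but carries no DEP-3 `Origin:` or `Bug-Debian:` line, and neither the Subject nor the body mentions CVE-2022-30550, so nothing inside debian/patches ties this file to the advisory it fixes; adding `Bug-Debian: https://bugs.debian.org/1016351` and `Origin: upstream, <upstream commit reference>` (the commit id is not in this debdiff) would make the security provenance visible to anyone auditing the package, since the file name in series does not convey it. The passdb.h hunk itself is fine: dropping `mechanisms` and `username_filter` from `struct passdb_module` removes exactly the fields that the driver/args deduplication caused to be shared between differently configured passdbs, and the auth.h hunk re-adds them on `struct auth_passdb` with the same comment (now written `{NULL}` rather than `[NULL]`, matching the compound literal actually used).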
diff -Nru dovecot-2.3.13+dfsg1/debian/patches/series dovecot-2.3.13+dfsg1/debian/patches/series
--- dovecot-2.3.13+dfsg1/debian/patches/series	2021-07-19 15:05:12.000000000 -0700
+++ dovecot-2.3.13+dfsg1/debian/patches/series	2022-07-31 17:47:06.000000000 -0700
@@ -18,3 +18,5 @@
 Improve-cross-compile-support.patch
 CVE-2021-29157.patch
 CVE-2021-33515.patch
+auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
+auth-Add-a-comment-about-updating-userdb_find.patch
diff -Nru dovecot-2.3.13+dfsg1/debian/salsa-ci.yml dovecot-2.3.13+dfsg1/debian/salsa-ci.yml
--- dovecot-2.3.13+dfsg1/debian/salsa-ci.yml	2021-07-19 06:46:55.000000000 -0700
+++ dovecot-2.3.13+dfsg1/debian/salsa-ci.yml	2022-07-31 17:47:06.000000000 -0700
@@ -6,3 +6,4 @@
 variables:
   SALSA_CI_LINTIAN_FAIL_WARNING: 1
   SALSA_CI_DISABLE_REPROTEST: 1
+  RELEASE: 'bullseye'
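Review bot: `RELEASE: 'bullseye'` only steers the Salsa CI pipeline and is not consulted by the package build, so it cannot change the binaries shipped in the point release; it is still a change unrelated to the CVE fix in a stable update, and although the cover letter and the `salsa-ci: build with bullseye` changelog line disclose it, keeping pu uploads to the minimal fix is the usual expectation, so it would be cleaner to drop it or note explicitly that it is needed for the pipeline to build against bullseye rather than the default suite.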

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.5

Hi,

The updates referred to in each of these bugs were included in today's
11.5 point release.

Regards,

Adam

--- End Message ---
