From 6e3858bd5ba4e5e408bbd6c19a195a2fd663fd51 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 28 2020 08:52:02 +0000 Subject: import dovecot-2.3.8-2.el8 --- diff --git a/.dovecot.metadata b/.dovecot.metadata index 7144f2c..e2aab88 100644 --- a/.dovecot.metadata +++ b/.dovecot.metadata @@ -1,2 +1,2 @@ -09febe0f459ba26c526d8195b22179f39d48bc69 SOURCES/dovecot-2.2-pigeonhole-0.4.24.tar.gz -74c55736dfc92f586e2c75b7b4dd50816f63850b SOURCES/dovecot-2.2.36.tar.gz +b9c7290dad1ac3bc1ead11359812a137a3d173f7 SOURCES/dovecot-2.3-pigeonhole-0.5.8.tar.gz +65b93f7fd53705b3c97f9eee141a76c5f4f3a624 SOURCES/dovecot-2.3.8.tar.gz diff --git a/.gitignore b/.gitignore index 91761d7..c1a5ba9 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/dovecot-2.2-pigeonhole-0.4.24.tar.gz -SOURCES/dovecot-2.2.36.tar.gz +SOURCES/dovecot-2.3-pigeonhole-0.5.8.tar.gz +SOURCES/dovecot-2.3.8.tar.gz diff --git a/SOURCES/dovecot-2.0-defaultconfig.patch b/SOURCES/dovecot-2.0-defaultconfig.patch index 2d157c2..e3077f5 100644 --- a/SOURCES/dovecot-2.0-defaultconfig.patch +++ b/SOURCES/dovecot-2.0-defaultconfig.patch @@ -1,6 +1,6 @@ -diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf ---- dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings 2014-06-02 13:50:10.000000000 +0200 -+++ dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf 2015-08-24 17:09:03.866648631 +0200 +diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf +--- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100 @@ -165,7 +165,7 @@ namespace inbox { # to make sure that users can't log in as daemons or other system users. # Note that denying root logins is hardcoded to dovecot binary and can't @@ -10,7 +10,7 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings #last_valid_uid = 0 # Valid GID range for users, defaults to non-root/wheel. Users having -@@ -283,6 +283,7 @@ namespace inbox { +@@ -322,6 +322,7 @@ protocol !indexer-worker { # them simultaneously. #mbox_read_locks = fcntl #mbox_write_locks = dotlock fcntl @@ -18,9 +18,9 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings # Maximum time to wait for lock (all of them) before aborting. #mbox_lock_timeout = 5 mins -diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf ---- dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings 2014-10-03 16:36:00.000000000 +0200 -+++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf 2015-08-24 17:10:49.536071649 +0200 +diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf +--- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100 @@ -3,7 +3,9 @@ ## @@ -32,11 +32,11 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings d # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but -@@ -50,6 +52,7 @@ ssl_key = -Date: Wed, 29 Jun 2016 00:56:56 +0300 -Subject: [PATCH] auth: userdb passwd iteration now skips users not in - first/last_valid_gid range - -Patch by Michal Hlavinka / Red Hat ---- - src/auth/auth-settings.c | 4 ++++ - src/auth/auth-settings.h | 2 ++ - src/auth/userdb-passwd.c | 4 ++++ - 3 files changed, 10 insertions(+) - -diff -up dovecot-2.2.36/src/auth/auth-settings.c.gidcheck dovecot-2.2.36/src/auth/auth-settings.c ---- dovecot-2.2.36/src/auth/auth-settings.c.gidcheck 2018-04-30 15:52:05.000000000 +0200 -+++ dovecot-2.2.36/src/auth/auth-settings.c 2018-09-17 12:17:13.132032699 +0200 -@@ -272,6 +272,8 @@ static const struct setting_define auth_ - DEF_NOPREFIX(SET_BOOL, verbose_proctitle), - DEF_NOPREFIX(SET_UINT, first_valid_uid), - DEF_NOPREFIX(SET_UINT, last_valid_uid), -+ DEF_NOPREFIX(SET_UINT, first_valid_gid), -+ DEF_NOPREFIX(SET_UINT, last_valid_gid), - - DEF_NOPREFIX(SET_STR, ssl_client_ca_dir), - DEF_NOPREFIX(SET_STR, ssl_client_ca_file), -@@ -331,6 +333,8 @@ static const struct auth_settings auth_d - .verbose_proctitle = FALSE, - .first_valid_uid = 500, - .last_valid_uid = 0, -+ .first_valid_gid = 1, -+ .last_valid_gid = 0, - }; - - const struct setting_parser_info auth_setting_parser_info = { -diff -up dovecot-2.2.36/src/auth/auth-settings.h.gidcheck dovecot-2.2.36/src/auth/auth-settings.h ---- dovecot-2.2.36/src/auth/auth-settings.h.gidcheck 2018-04-30 15:52:05.000000000 +0200 -+++ dovecot-2.2.36/src/auth/auth-settings.h 2018-09-17 12:13:30.540159133 +0200 -@@ -88,6 +88,8 @@ struct auth_settings { - bool verbose_proctitle; - unsigned int first_valid_uid; - unsigned int last_valid_uid; -+ unsigned int first_valid_gid; -+ unsigned int last_valid_gid; - - /* generated: */ - char username_chars_map[256]; -diff -up dovecot-2.2.36/src/auth/userdb-passwd.c.gidcheck dovecot-2.2.36/src/auth/userdb-passwd.c ---- dovecot-2.2.36/src/auth/userdb-passwd.c.gidcheck 2018-04-30 15:52:05.000000000 +0200 -+++ dovecot-2.2.36/src/auth/userdb-passwd.c 2018-09-17 12:13:30.540159133 +0200 -@@ -145,6 +145,10 @@ passwd_iterate_want_pw(struct passwd *pw - return FALSE; - if (pw->pw_uid > (uid_t)set->last_valid_uid && set->last_valid_uid != 0) - return FALSE; -+ if (pw->pw_gid < (gid_t)set->first_valid_gid) -+ return FALSE; -+ if (pw->pw_gid > (gid_t)set->last_valid_gid && set->last_valid_gid != 0) -+ return FALSE; - return TRUE; - } - diff --git a/SOURCES/dovecot-2.2.13-online.patch b/SOURCES/dovecot-2.2.13-online.patch deleted file mode 100644 index be2c954..0000000 --- a/SOURCES/dovecot-2.2.13-online.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up dovecot-2.2.22/dovecot.service.in.online dovecot-2.2.22/dovecot.service.in ---- dovecot-2.2.22/dovecot.service.in.online 2016-03-16 13:47:47.112491206 +0100 -+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:48:14.339355363 +0100 -@@ -20,7 +20,7 @@ - Description=Dovecot IMAP/POP3 email server - Documentation=man:dovecot(1) - Documentation=http://wiki2.dovecot.org/ --After=local-fs.target network.target -+After=local-fs.target network-online.target - - [Service] - Type=forking diff --git a/SOURCES/dovecot-2.2.20-initbysystemd.patch b/SOURCES/dovecot-2.2.20-initbysystemd.patch index a0da58e..7e3d94c 100644 --- a/SOURCES/dovecot-2.2.20-initbysystemd.patch +++ b/SOURCES/dovecot-2.2.20-initbysystemd.patch @@ -1,10 +1,9 @@ -diff -up dovecot-2.2.22/dovecot-init.service.initbysystemd dovecot-2.2.22/dovecot-init.service ---- dovecot-2.2.22/dovecot-init.service.initbysystemd 2016-03-16 13:48:25.996297203 +0100 -+++ dovecot-2.2.22/dovecot-init.service 2016-03-16 13:48:25.996297203 +0100 -@@ -0,0 +1,18 @@ +diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dovecot-init.service +--- dovecot-2.3.0.1/dovecot-init.service.initbysystemd 2018-03-01 10:38:22.059716008 +0100 ++++ dovecot-2.3.0.1/dovecot-init.service 2018-03-01 10:38:22.059716008 +0100 +@@ -0,0 +1,13 @@ +[Unit] +Description=One-time Dovecot init service -+ConditionPathExists=|!/var/lib/dovecot/ssl-parameters.dat +ConditionPathExists=|!/etc/pki/dovecot/certs/dovecot.pem + +[Service] @@ -14,16 +13,12 @@ diff -up dovecot-2.2.22/dovecot-init.service.initbysystemd dovecot-2.2.22/doveco +if [ ! -f /etc/pki/dovecot/certs/dovecot.pem ]; \ +then\ + SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\ -+fi;\ -+if [ ! -f /var/lib/dovecot/ssl-parameters.dat ]; \ -+then\ -+ /usr/libexec/dovecot/ssl-params >/dev/null 2>&1; \ +fi' + -diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot.service.in ---- dovecot-2.2.22/dovecot.service.in.initbysystemd 2016-03-16 13:48:25.996297203 +0100 -+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:49:17.619039641 +0100 -@@ -20,7 +20,8 @@ +diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in +--- dovecot-2.3.0.1/dovecot.service.in.initbysystemd 2018-03-01 10:38:22.060716016 +0100 ++++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:40:45.524901319 +0100 +@@ -8,7 +8,8 @@ Description=Dovecot IMAP/POP3 email server Documentation=man:dovecot(1) Documentation=http://wiki2.dovecot.org/ @@ -32,11 +27,11 @@ diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot. +Requires=dovecot-init.service [Service] - Type=forking -diff -up dovecot-2.2.22/Makefile.am.initbysystemd dovecot-2.2.22/Makefile.am ---- dovecot-2.2.22/Makefile.am.initbysystemd 2016-03-04 12:04:33.000000000 +0100 -+++ dovecot-2.2.22/Makefile.am 2016-03-16 13:48:25.996297203 +0100 -@@ -51,9 +51,10 @@ if HAVE_SYSTEMD + Type=simple +diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am +--- dovecot-2.3.0.1/Makefile.am.initbysystemd 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/Makefile.am 2018-03-01 10:38:22.060716016 +0100 +@@ -63,9 +63,10 @@ if HAVE_SYSTEMD systemdsystemunit_DATA = \ dovecot.socket \ diff --git a/SOURCES/dovecot-2.2.22-systemd_w_protectsystem.patch b/SOURCES/dovecot-2.2.22-systemd_w_protectsystem.patch index 6fcddac..d00a9b9 100644 --- a/SOURCES/dovecot-2.2.22-systemd_w_protectsystem.patch +++ b/SOURCES/dovecot-2.2.22-systemd_w_protectsystem.patch @@ -1,14 +1,11 @@ -diff -up dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.28/dovecot.service.in ---- dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem 2017-02-27 10:00:14.647423500 +0100 -+++ dovecot-2.2.28/dovecot.service.in 2017-02-27 10:02:18.051377067 +0100 -@@ -20,8 +20,8 @@ ExecReload=@bindir@/doveadm reload +diff -up dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.2/dovecot.service.in +--- dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem 2018-07-09 12:00:13.359193526 +0200 ++++ dovecot-2.3.2/dovecot.service.in 2018-07-09 12:00:46.387716884 +0200 +@@ -23,6 +23,7 @@ ExecReload=@bindir@/doveadm reload ExecStop=@bindir@/doveadm stop PrivateTmp=true NonBlocking=yes --# Enable this if your systemd is new enough to support it: --#ProtectSystem=full -+# Enable this if your systemd is new enough to support it: (it will make /usr /boot /etc read only for dovecot) -+ProtectSystem=full - - # You can add environment variables with e.g.: - #Environment='CORE_OUTOFMEM=1' ++# this will make /usr /boot /etc read only for dovecot + ProtectSystem=full + ProtectHome=no + PrivateDevices=true diff --git a/SOURCES/dovecot-2.2.36-cve2019_11500_part1of4.patch b/SOURCES/dovecot-2.2.36-cve2019_11500_part1of4.patch deleted file mode 100644 index 7655fc6..0000000 --- a/SOURCES/dovecot-2.2.36-cve2019_11500_part1of4.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 58ffd3e8a02e54fc98b6be78e02b0511ee9263eb Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Fri, 10 May 2019 19:24:51 +0300 -Subject: [PATCH 1/2] lib-imap: Don't accept strings with NULs - -IMAP doesn't allow NULs except in binary literals. We'll still allow them -in regular literals as well, but just not in strings. - -This fixes a bug with unescaping a string with NULs: str_unescape() could -have been called for memory that points outside the allocated string, -causing heap corruption. This could cause crashes or theoretically even -result in remote code execution exploit. - -Found by Nick Roessler and Rafi Rubin ---- - src/lib-imap/imap-parser.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c -index dddf55189..f41668d7a 100644 ---- a/src/lib-imap/imap-parser.c -+++ b/src/lib-imap/imap-parser.c -@@ -363,6 +363,11 @@ static bool imap_parser_read_string(struct imap_parser *parser, - break; - } - -+ if (data[i] == '\0') { -+ parser->error = "NULs not allowed in strings"; -+ return FALSE; -+ } -+ - if (data[i] == '\\') { - if (i+1 == data_size) { - /* known data ends with '\' - leave it to --- -2.11.0 - diff --git a/SOURCES/dovecot-2.2.36-cve2019_11500_part2of4.patch b/SOURCES/dovecot-2.2.36-cve2019_11500_part2of4.patch deleted file mode 100644 index 65746d6..0000000 --- a/SOURCES/dovecot-2.2.36-cve2019_11500_part2of4.patch +++ /dev/null @@ -1,33 +0,0 @@ -From a56b0636b1bf9c7677c6fca9681f48752af700a1 Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Fri, 17 May 2019 10:33:53 +0300 -Subject: [PATCH 2/2] lib-imap: Make sure str_unescape() won't be writing past - allocated memory - -The previous commit should already prevent this, but this makes sure it -can't become broken in the future either. It makes the performance a tiny -bit worse, but that's not practically noticeable. ---- - src/lib-imap/imap-parser.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c -index f41668d7a..7f58d99e2 100644 ---- a/src/lib-imap/imap-parser.c -+++ b/src/lib-imap/imap-parser.c -@@ -267,10 +267,8 @@ static void imap_parser_save_arg(struct imap_parser *parser, - - /* remove the escapes */ - if (parser->str_first_escape >= 0 && -- (parser->flags & IMAP_PARSE_FLAG_NO_UNESCAPE) == 0) { -- /* -1 because we skipped the '"' prefix */ -- (void)str_unescape(str + parser->str_first_escape-1); -- } -+ (parser->flags & IMAP_PARSE_FLAG_NO_UNESCAPE) == 0) -+ (void)str_unescape(str); - arg->_data.str = str; - arg->str_len = strlen(str); - break; --- -2.11.0 - diff --git a/SOURCES/dovecot-2.2.36-cve2019_11500_part3of4.patch b/SOURCES/dovecot-2.2.36-cve2019_11500_part3of4.patch deleted file mode 100644 index f04c7aa..0000000 --- a/SOURCES/dovecot-2.2.36-cve2019_11500_part3of4.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 7ce9990a5e6ba59e89b7fe1c07f574279aed922c Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Fri, 10 May 2019 19:43:55 +0300 -Subject: [PATCH 1/2] lib-managesieve: Don't accept strings with NULs - -ManageSieve doesn't allow NULs in strings. - -This fixes a bug with unescaping a string with NULs: str_unescape() could -have been called for memory that points outside the allocated string, -causing heap corruption. This could cause crashes or theoretically even -result in remote code execution exploit. - -Found by Nick Roessler and Rafi Rubin ---- - src/lib-managesieve/managesieve-parser.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/lib-managesieve/managesieve-parser.c b/src/lib-managesieve/managesieve-parser.c -index d3eb2101..f5f9d323 100644 ---- a/src/lib-managesieve/managesieve-parser.c -+++ b/src/lib-managesieve/managesieve-parser.c -@@ -258,6 +258,11 @@ managesieve_parser_read_string(struct managesieve_parser *parser, - break; - } - -+ if (data[i] == '\0') { -+ parser->error = "NULs not allowed in strings"; -+ return FALSE; -+ } -+ - if (data[i] == '\\') { - if (i+1 == data_size) { - /* known data ends with '\' - leave it to --- -2.11.0 - diff --git a/SOURCES/dovecot-2.2.36-cve2019_11500_part4of4.patch b/SOURCES/dovecot-2.2.36-cve2019_11500_part4of4.patch deleted file mode 100644 index 6b0e101..0000000 --- a/SOURCES/dovecot-2.2.36-cve2019_11500_part4of4.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 4a299840cdb51f61f8d1ebc0210b19c40dfbc1cc Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Fri, 17 May 2019 10:39:25 +0300 -Subject: [PATCH 2/2] lib-managesieve: Make sure str_unescape() won't be - writing past allocated memory - -The previous commit should already prevent this, but this makes sure it -can't become broken in the future either. It makes the performance a tiny -bit worse, but that's not practically noticeable. ---- - src/lib-managesieve/managesieve-parser.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/lib-managesieve/managesieve-parser.c b/src/lib-managesieve/managesieve-parser.c -index f5f9d323..dc7d1fa9 100644 ---- a/src/lib-managesieve/managesieve-parser.c -+++ b/src/lib-managesieve/managesieve-parser.c -@@ -169,10 +169,8 @@ static void managesieve_parser_save_arg(struct managesieve_parser *parser, - - /* remove the escapes */ - if (parser->str_first_escape >= 0 && -- (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0) { -- /* -1 because we skipped the '"' prefix */ -- str_unescape(str + parser->str_first_escape-1); -- } -+ (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0) -+ (void)str_unescape(str); - - arg->_data.str = str; - arg->str_len = strlen(str); --- -2.11.0 - diff --git a/SOURCES/dovecot-2.2.36-cve_2019_3814part1of3.patch b/SOURCES/dovecot-2.2.36-cve_2019_3814part1of3.patch deleted file mode 100644 index 7701369..0000000 --- a/SOURCES/dovecot-2.2.36-cve_2019_3814part1of3.patch +++ /dev/null @@ -1,69 +0,0 @@ -From eb5ffe2641febe0fa5e9038f2e216c130e1e7519 Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Mon, 21 Jan 2019 11:36:30 +0200 -Subject: [PATCH] login-common: Ensure we get username from certificate - ---- - src/login-common/sasl-server.c | 42 ++++++++++++++++++++++++++++++++-- - 1 file changed, 40 insertions(+), 2 deletions(-) - -diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c -index a833c9a6d4..9465da9657 100644 ---- a/src/login-common/sasl-server.c -+++ b/src/login-common/sasl-server.c -@@ -321,6 +321,37 @@ authenticate_callback(struct auth_client_request *request, - } - } - -+static bool get_cert_username(struct client *client, const char **username_r, -+ const char **error_r) -+{ -+ /* no SSL */ -+ if (client->ssl_proxy == NULL) { -+ *username_r = NULL; -+ return TRUE; -+ } -+ -+ /* no client certificate */ -+ if (!ssl_proxy_has_valid_client_cert(client->ssl_proxy)) { -+ *username_r = NULL; -+ return TRUE; -+ } -+ -+ /* get peer name */ -+ const char *username = ssl_proxy_get_peer_name(client->ssl_proxy); -+ -+ /* if we wanted peer name, but it was not there, fail */ -+ if (client->set->auth_ssl_username_from_cert && -+ (username == NULL || *username == '\0')) { -+ if (client->set->auth_ssl_require_client_cert) { -+ *error_r = "Missing username in certificate"; -+ return FALSE; -+ } -+ } -+ -+ *username_r = username; -+ return TRUE; -+} -+ - void sasl_server_auth_begin(struct client *client, - const char *service, const char *mech_name, - const char *initial_resp_base64, -@@ -359,8 +390,15 @@ void sasl_server_auth_begin(struct client *client, - info.mech = mech->name; - info.service = service; - info.session_id = client_get_session_id(client); -- info.cert_username = client->ssl_proxy == NULL ? NULL : -- ssl_proxy_get_peer_name(client->ssl_proxy); -+ if (client->set->auth_ssl_username_from_cert) { -+ const char *error; -+ if (!get_cert_username(client, &info.cert_username, &error)) { -+ client_log_err(client, t_strdup_printf("Cannot get username " -+ "from certificate: %s", error)); -+ sasl_server_auth_failed(client, "Unable to validate certificate"); -+ return; -+ } -+ } - info.flags = client_get_auth_flags(client); - info.local_ip = client->local_ip; - info.remote_ip = client->ip; diff --git a/SOURCES/dovecot-2.2.36-cve_2019_3814part2of3.patch b/SOURCES/dovecot-2.2.36-cve_2019_3814part2of3.patch deleted file mode 100644 index ea4487e..0000000 --- a/SOURCES/dovecot-2.2.36-cve_2019_3814part2of3.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 7525fece60f01b52deb13df3620976ee1d616837 Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Mon, 21 Jan 2019 10:54:06 +0200 -Subject: [PATCH] auth: Fail authentication if certificate username was - unexpectedly missing - ---- - src/auth/auth-request-handler.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c -index 617dc1883d..3044e94f91 100644 ---- a/src/auth/auth-request-handler.c -+++ b/src/auth/auth-request-handler.c -@@ -560,6 +560,14 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler, - return TRUE; - } - -+ if (request->set->ssl_require_client_cert && -+ request->set->ssl_username_from_cert && -+ !request->cert_username) { -+ auth_request_handler_auth_fail(handler, request, -+ "SSL certificate didn't contain username"); -+ return TRUE; -+ } -+ - /* Empty initial response is a "=" base64 string. Completely empty - string shouldn't really be sent, but at least Exim does it, - so just allow it for backwards compatibility.. */ diff --git a/SOURCES/dovecot-2.2.36-cve_2019_3814part3of3.patch b/SOURCES/dovecot-2.2.36-cve_2019_3814part3of3.patch deleted file mode 100644 index 7e1a13c..0000000 --- a/SOURCES/dovecot-2.2.36-cve_2019_3814part3of3.patch +++ /dev/null @@ -1,22 +0,0 @@ -From e5d428297d70e3ac8b6dfce7e0de182b86825082 Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Wed, 16 Jan 2019 18:28:57 +0200 -Subject: [PATCH] auth: Do not import empty certificate username - ---- - src/auth/auth-request.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c -index dd288b6d23..1cb665ec8c 100644 ---- a/src/auth/auth-request.c -+++ b/src/auth/auth-request.c -@@ -445,7 +445,7 @@ bool auth_request_import_auth(struct auth_request *request, - else if (strcmp(key, "valid-client-cert") == 0) - request->valid_client_cert = TRUE; - else if (strcmp(key, "cert_username") == 0) { -- if (request->set->ssl_username_from_cert) { -+ if (request->set->ssl_username_from_cert && *value != '\0') { - /* get username from SSL certificate. it overrides - the username given by the auth mechanism. */ - request->user = p_strdup(request->pool, value); diff --git a/SOURCES/dovecot-2.2.36-getpwentreset.patch b/SOURCES/dovecot-2.2.36-getpwentreset.patch deleted file mode 100644 index d1c505a..0000000 --- a/SOURCES/dovecot-2.2.36-getpwentreset.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up dovecot-2.2.36/src/auth/userdb-passwd.c.getpwentreset dovecot-2.2.36/src/auth/userdb-passwd.c ---- dovecot-2.2.36/src/auth/userdb-passwd.c.getpwentreset 2019-08-20 16:56:19.706885908 +0200 -+++ dovecot-2.2.36/src/auth/userdb-passwd.c 2019-08-20 16:56:25.422867784 +0200 -@@ -173,6 +173,9 @@ static void passwd_iterate_next(struct u - _ctx->callback(pw->pw_name, _ctx->context); - return; - } -+ /* getpwent might set errno to something even if it -+ returns non-NULL. */ -+ errno = 0; - } - if (errno != 0) { - i_error("getpwent() failed: %m"); diff --git a/SOURCES/dovecot-2.3.6-opensslhmac.patch b/SOURCES/dovecot-2.3.6-opensslhmac.patch index 5b6cf61..18b9904 100644 --- a/SOURCES/dovecot-2.3.6-opensslhmac.patch +++ b/SOURCES/dovecot-2.3.6-opensslhmac.patch @@ -1,7 +1,7 @@ -diff -up dovecot-2.2.36/src/auth/auth-token.c.opensslhmac dovecot-2.2.36/src/auth/auth-token.c ---- dovecot-2.2.36/src/auth/auth-token.c.opensslhmac 2018-04-30 15:52:04.000000000 +0200 -+++ dovecot-2.2.36/src/auth/auth-token.c 2019-06-10 15:38:38.834070480 +0200 -@@ -163,17 +163,17 @@ void auth_token_deinit(void) +diff -up dovecot-2.3.8/src/auth/auth-token.c.opensslhmac dovecot-2.3.8/src/auth/auth-token.c +--- dovecot-2.3.8/src/auth/auth-token.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/auth/auth-token.c 2019-11-19 16:34:11.338037002 +0100 +@@ -161,17 +161,17 @@ void auth_token_deinit(void) const char *auth_token_get(const char *service, const char *session_pid, const char *username, const char *session_id) { @@ -26,9 +26,9 @@ diff -up dovecot-2.2.36/src/auth/auth-token.c.opensslhmac dovecot-2.2.36/src/aut return binary_to_hex(result, sizeof(result)); } -diff -up dovecot-2.2.36/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.2.36/src/auth/mech-cram-md5.c ---- dovecot-2.2.36/src/auth/mech-cram-md5.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200 -+++ dovecot-2.2.36/src/auth/mech-cram-md5.c 2019-06-10 15:38:38.834070480 +0200 +diff -up dovecot-2.3.8/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.8/src/auth/mech-cram-md5.c +--- dovecot-2.3.8/src/auth/mech-cram-md5.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/auth/mech-cram-md5.c 2019-11-19 16:34:11.338037002 +0100 @@ -51,7 +51,7 @@ static bool verify_credentials(struct cr { @@ -52,9 +52,9 @@ diff -up dovecot-2.2.36/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.2.36/src/ response_hex = binary_to_hex(digest, sizeof(digest)); -diff -up dovecot-2.2.36/src/auth/mech-scram-sha1.c.opensslhmac dovecot-2.2.36/src/auth/mech-scram-sha1.c ---- dovecot-2.2.36/src/auth/mech-scram-sha1.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200 -+++ dovecot-2.2.36/src/auth/mech-scram-sha1.c 2019-06-10 15:38:38.834070480 +0200 +diff -up dovecot-2.3.8/src/auth/mech-scram-sha1.c.opensslhmac dovecot-2.3.8/src/auth/mech-scram-sha1.c +--- dovecot-2.3.8/src/auth/mech-scram-sha1.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/auth/mech-scram-sha1.c 2019-11-19 16:34:11.338037002 +0100 @@ -71,7 +71,7 @@ static const char *get_scram_server_firs static const char *get_scram_server_final(struct scram_auth_request *request) @@ -101,26 +101,26 @@ diff -up dovecot-2.2.36/src/auth/mech-scram-sha1.c.opensslhmac dovecot-2.2.36/sr for (i = 0; i < sizeof(client_signature); i++) client_key[i] = -diff -up dovecot-2.2.36/src/auth/password-scheme.c.opensslhmac dovecot-2.2.36/src/auth/password-scheme.c ---- dovecot-2.2.36/src/auth/password-scheme.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200 -+++ dovecot-2.2.36/src/auth/password-scheme.c 2019-06-10 15:38:38.834070480 +0200 -@@ -655,11 +655,11 @@ static void - cram_md5_generate(const char *plaintext, const char *user ATTR_UNUSED, +diff -up dovecot-2.3.8/src/auth/password-scheme.c.opensslhmac dovecot-2.3.8/src/auth/password-scheme.c +--- dovecot-2.3.8/src/auth/password-scheme.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/auth/password-scheme.c 2019-11-19 16:34:11.339036998 +0100 +@@ -647,11 +647,11 @@ static void + cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, const unsigned char **raw_password_r, size_t *size_r) { - struct hmac_context ctx; + struct orig_hmac_context ctx; unsigned char *context_digest; - context_digest = t_malloc(CRAM_MD5_CONTEXTLEN); + context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN); - hmac_init(&ctx, (const unsigned char *)plaintext, + orig_hmac_init(&ctx, (const unsigned char *)plaintext, strlen(plaintext), &hash_method_md5); hmac_md5_get_cram_context(&ctx, context_digest); -diff -up dovecot-2.2.36/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.2.36/src/auth/password-scheme-scram.c ---- dovecot-2.2.36/src/auth/password-scheme-scram.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200 -+++ dovecot-2.2.36/src/auth/password-scheme-scram.c 2019-06-10 15:38:38.834070480 +0200 +diff -up dovecot-2.3.8/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.8/src/auth/password-scheme-scram.c +--- dovecot-2.3.8/src/auth/password-scheme-scram.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/auth/password-scheme-scram.c 2019-11-19 16:34:11.339036998 +0100 @@ -27,23 +27,23 @@ static void Hi(const unsigned char *str, const unsigned char *salt, size_t salt_size, unsigned int i, unsigned char result[SHA1_RESULTLEN]) @@ -213,10 +213,10 @@ diff -up dovecot-2.2.36/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.2 str_append_c(str, ','); base64_encode(server_key, sizeof(server_key), str); -diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c ---- dovecot-2.2.36/src/lib/hmac.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200 -+++ dovecot-2.2.36/src/lib/hmac.c 2019-06-10 15:38:38.834070480 +0200 -@@ -7,15 +7,74 @@ +diff -up dovecot-2.3.8/src/lib/hmac.c.opensslhmac dovecot-2.3.8/src/lib/hmac.c +--- dovecot-2.3.8/src/lib/hmac.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/lib/hmac.c 2019-11-19 17:25:28.045716181 +0100 +@@ -7,6 +7,10 @@ * This software is released under the MIT license. */ @@ -227,7 +227,9 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c #include "lib.h" #include "hmac.h" #include "safe-memset.h" - #include "buffer.h" +@@ -14,10 +18,65 @@ + + #include "hex-binary.h" -void hmac_init(struct hmac_context *_ctx, const unsigned char *key, +#ifndef HAVE_HMAC_CTX_NEW @@ -243,13 +245,14 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c + + +void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key, -+ size_t key_len, const struct hash_method *meth) -+{ + size_t key_len, const struct hash_method *meth) + { +- struct hmac_context_priv *ctx = &_ctx->u.priv; + struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; + + const EVP_MD *md; -+ const char *ebuf = NULL; -+ const char **error_r = &ebuf; ++ const char *ebuf = NULL; ++ const char **error_r = &ebuf; + + md = EVP_get_digestbyname(meth->name); + if(md == NULL) { @@ -272,9 +275,8 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c +} + +void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key, - size_t key_len, const struct hash_method *meth) - { -- struct hmac_context_priv *ctx = &_ctx->u.priv; ++ size_t key_len, const struct hash_method *meth) ++{ + static int no_fips = -1; + if (no_fips == -1) { + int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY); @@ -293,7 +295,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c int i; unsigned char k_ipad[64]; unsigned char k_opad[64]; -@@ -51,9 +110,27 @@ void hmac_init(struct hmac_context *_ctx +@@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx safe_memset(k_opad, 0, 64); } @@ -323,7 +325,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c ctx->hash->result(ctx->ctx, digest); -@@ -61,35 +138,35 @@ void hmac_final(struct hmac_context *_ct +@@ -63,53 +140,50 @@ void hmac_final(struct hmac_context *_ct ctx->hash->result(ctx->ctxo, digest); } @@ -338,7 +340,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c i_assert(key != NULL && key_len > 0); i_assert(data != NULL || data_len == 0); - buffer_t *res = buffer_create_dynamic(pool_datastack_create(), meth->digest_size); + buffer_t *res = t_buffer_create(meth->digest_size); - hmac_init(&ctx, key, key_len, meth); + openssl_hmac_init(&ctx, key, key_len, meth); if (data_len > 0) @@ -368,9 +370,92 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c + return openssl_t_hmac_data(meth, key, key_len, data, strlen(data)); } -diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.2.36/src/lib/hmac-cram-md5.c ---- dovecot-2.2.36/src/lib/hmac-cram-md5.c.opensslhmac 2017-06-23 13:18:28.000000000 +0200 -+++ dovecot-2.2.36/src/lib/hmac-cram-md5.c 2019-06-10 15:38:38.835070476 +0200 +-void hmac_hkdf(const struct hash_method *method, ++void openssl_hmac_hkdf(const struct hash_method *method, + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + const unsigned char *info, size_t info_len, + buffer_t *okm_r, size_t okm_len) + { ++ const EVP_MD *md; ++ EVP_PKEY_CTX *pctx; ++ int r = 1; ++ + i_assert(method != NULL); + i_assert(okm_len < 255*method->digest_size); +- struct hmac_context key_mac; +- struct hmac_context info_mac; +- size_t remain = okm_len; +- unsigned char prk[method->digest_size]; +- unsigned char okm[method->digest_size]; +- /* N = ceil(L/HashLen) */ +- unsigned int rounds = (okm_len + method->digest_size - 1)/method->digest_size; + + /* salt and info can be NULL */ + i_assert(salt != NULL || salt_len == 0); +@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method + i_assert(ikm != NULL && ikm_len > 0); + i_assert(okm_r != NULL && okm_len > 0); + +- /* but they still need valid pointer, reduces +- complains from static analysers */ +- if (salt == NULL) +- salt = &uchar_nul; +- if (info == NULL) +- info = &uchar_nul; +- +- /* extract */ +- hmac_init(&key_mac, salt, salt_len, method); +- hmac_update(&key_mac, ikm, ikm_len); +- hmac_final(&key_mac, prk); +- +- /* expand */ +- for (unsigned int i = 0; remain > 0 && i < rounds; i++) { +- unsigned char round = (i+1); +- size_t amt = remain; +- if (amt > method->digest_size) +- amt = method->digest_size; +- hmac_init(&info_mac, prk, method->digest_size, method); +- if (i > 0) +- hmac_update(&info_mac, okm, method->digest_size); +- hmac_update(&info_mac, info, info_len); +- hmac_update(&info_mac, &round, 1); +- memset(okm, 0, method->digest_size); +- hmac_final(&info_mac, okm); +- buffer_append(okm_r, okm, amt); +- remain -= amt; ++ ++ md = EVP_get_digestbyname(method->name); ++ pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); ++ unsigned char *okm_buf = buffer_get_space_unsafe(okm_r, 0, okm_len); ++ ++ if ((r=EVP_PKEY_derive_init(pctx)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_set_hkdf_md(pctx, md)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_set1_hkdf_key(pctx, ikm, ikm_len)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_derive(pctx, okm_buf, &okm_len)) <= 0) ++ goto out; ++ ++ out: ++ EVP_PKEY_CTX_free(pctx); ++ if (r <= 0) { ++ unsigned long ec = ERR_get_error(); ++ unsigned char *error = t_strdup_printf("%s", ERR_error_string(ec, NULL)); ++ i_error("%s", error); + } + +- safe_memset(prk, 0, sizeof(prk)); +- safe_memset(okm, 0, sizeof(okm)); + } +diff -up dovecot-2.3.8/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.8/src/lib/hmac-cram-md5.c +--- dovecot-2.3.8/src/lib/hmac-cram-md5.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/lib/hmac-cram-md5.c 2019-11-19 16:34:11.339036998 +0100 @@ -9,10 +9,10 @@ #include "md5.h" #include "hmac-cram-md5.h" @@ -397,9 +482,9 @@ diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.2.36/src/l const unsigned char *cdp; struct md5_context *ctx = (void*)hmac_ctx->ctx; -diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.2.36/src/lib/hmac-cram-md5.h ---- dovecot-2.2.36/src/lib/hmac-cram-md5.h.opensslhmac 2017-06-23 13:18:28.000000000 +0200 -+++ dovecot-2.2.36/src/lib/hmac-cram-md5.h 2019-06-10 15:38:38.835070476 +0200 +diff -up dovecot-2.3.8/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.8/src/lib/hmac-cram-md5.h +--- dovecot-2.3.8/src/lib/hmac-cram-md5.h.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/lib/hmac-cram-md5.h 2019-11-19 16:34:11.339036998 +0100 @@ -5,9 +5,9 @@ #define CRAM_MD5_CONTEXTLEN 32 @@ -412,15 +497,16 @@ diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.2.36/src/l const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); -diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h ---- dovecot-2.2.36/src/lib/hmac.h.opensslhmac 2017-06-23 13:18:28.000000000 +0200 -+++ dovecot-2.2.36/src/lib/hmac.h 2019-06-10 15:38:38.835070476 +0200 -@@ -3,43 +3,98 @@ +diff -up dovecot-2.3.8/src/lib/hmac.h.opensslhmac dovecot-2.3.8/src/lib/hmac.h +--- dovecot-2.3.8/src/lib/hmac.h.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/lib/hmac.h 2019-11-19 16:34:11.339036998 +0100 +@@ -3,60 +3,97 @@ #include "hash-method.h" #include "sha1.h" +#include +#include ++#include +#include #define HMAC_MAX_CONTEXT_SIZE 256 @@ -459,8 +545,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h -void hmac_init(struct hmac_context *ctx, const unsigned char *key, +void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key, - size_t key_len, const struct hash_method *meth); --void hmac_final(struct hmac_context *ctx, unsigned char *digest); ++ size_t key_len, const struct hash_method *meth); +void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned char *digest); + +static inline void @@ -477,7 +562,8 @@ diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h +} + +void orig_hmac_init(struct orig_hmac_context *ctx, const unsigned char *key, -+ size_t key_len, const struct hash_method *meth); + size_t key_len, const struct hash_method *meth); +-void hmac_final(struct hmac_context *ctx, unsigned char *digest); +void orig_hmac_final(struct orig_hmac_context *ctx, unsigned char *digest); @@ -504,30 +590,31 @@ diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h const unsigned char *key, size_t key_len, const char *data); -+ -+#if 0 -+static bool dcrypt_openssl_error(const char **error_r) -+{ -+ unsigned long ec; -+ -+ if (error_r == NULL) { -+ /* caller is not really interested */ -+ return FALSE; -+ } -+ -+ ec = ERR_get_error(); -+ *error_r = t_strdup_printf("%s", ERR_error_string(ec, NULL)); -+ return FALSE; -+} -+#endif -+ -+ -+ - #endif -diff -up dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c ---- dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200 -+++ dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c 2019-06-10 15:38:38.835070476 +0200 -@@ -83,15 +83,15 @@ imap_urlauth_internal_generate(const cha +-void hmac_hkdf(const struct hash_method *method, ++void openssl_hmac_hkdf(const struct hash_method *method, + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + const unsigned char *info, size_t info_len, + buffer_t *okm_r, size_t okm_len); + + static inline buffer_t * +-t_hmac_hkdf(const struct hash_method *method, ++openssl_t_hmac_hkdf(const struct hash_method *method, + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + const unsigned char *info, size_t info_len, + size_t okm_len) + { + buffer_t *okm_buffer = t_buffer_create(okm_len); +- hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len, ++ openssl_hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len, + okm_buffer, okm_len); + return okm_buffer; + } +diff -up dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c +--- dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c 2019-11-19 16:34:11.339036998 +0100 +@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], size_t *token_len_r) { @@ -547,10 +634,10 @@ diff -up dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot- *token_len_r = SHA1_RESULTLEN + 1; return token; -diff -up dovecot-2.2.36/src/lib/Makefile.am.opensslhmac dovecot-2.2.36/src/lib/Makefile.am ---- dovecot-2.2.36/src/lib/Makefile.am.opensslhmac 2018-04-30 15:52:05.000000000 +0200 -+++ dovecot-2.2.36/src/lib/Makefile.am 2019-06-10 15:42:28.810140696 +0200 -@@ -306,6 +306,9 @@ headers = \ +diff -up dovecot-2.3.8/src/lib/Makefile.am.opensslhmac dovecot-2.3.8/src/lib/Makefile.am +--- dovecot-2.3.8/src/lib/Makefile.am.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/lib/Makefile.am 2019-11-19 16:34:11.340036994 +0100 +@@ -323,6 +323,9 @@ headers = \ wildcard-match.h \ write-full.h @@ -560,17 +647,9 @@ diff -up dovecot-2.2.36/src/lib/Makefile.am.opensslhmac dovecot-2.2.36/src/lib/M test_programs = test-lib noinst_PROGRAMS = $(test_programs) -@@ -335,6 +338,7 @@ test_lib_SOURCES = \ - test-hash-format.c \ - test-hash-method.c \ - test-hex-binary.c \ -+ test-hmac.c \ - test-imem.c \ - test-ioloop.c \ - test-iso8601-date.c \ -diff -up dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c ---- dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200 -+++ dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c 2019-06-10 15:38:38.835070476 +0200 +diff -up dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c +--- dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c 2019-11-19 16:34:11.340036994 +0100 @@ -61,12 +61,12 @@ void ntlm_v1_hash(const char *passwd, un } @@ -578,7 +657,7 @@ diff -up dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.2.36/s -hmac_md5_ucs2le_string_ucase(struct hmac_context *ctx, const char *str) -{ - size_t len; -- unsigned char *wstr = t_unicode_str(str, 1, &len); +- unsigned char *wstr = t_unicode_str(str, TRUE, &len); - - hmac_update(ctx, wstr, len); +hmac_md5_ucs2le_string_ucase(struct openssl_hmac_context *ctx, const char *str) @@ -628,9 +707,9 @@ diff -up dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.2.36/s safe_memset(hash, 0, sizeof(hash)); } -diff -up dovecot-2.2.36/src/lib/pkcs5.c.opensslhmac dovecot-2.2.36/src/lib/pkcs5.c ---- dovecot-2.2.36/src/lib/pkcs5.c.opensslhmac 2018-04-30 15:52:04.000000000 +0200 -+++ dovecot-2.2.36/src/lib/pkcs5.c 2019-06-10 15:38:38.835070476 +0200 +diff -up dovecot-2.3.8/src/lib/pkcs5.c.opensslhmac dovecot-2.3.8/src/lib/pkcs5.c +--- dovecot-2.3.8/src/lib/pkcs5.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/lib/pkcs5.c 2019-11-19 16:34:11.340036994 +0100 @@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */ unsigned char dk[l * hash->digest_size]; @@ -665,121 +744,49 @@ diff -up dovecot-2.2.36/src/lib/pkcs5.c.opensslhmac dovecot-2.2.36/src/lib/pkcs5 for(i = 0; i < hash->digest_size; i++) block[i] ^= U_c[i]; } -diff -up dovecot-2.2.36/src/lib/test-hmac.c.opensslhmac dovecot-2.2.36/src/lib/test-hmac.c ---- dovecot-2.2.36/src/lib/test-hmac.c.opensslhmac 2019-06-10 15:43:02.847003098 +0200 -+++ dovecot-2.2.36/src/lib/test-hmac.c 2019-06-10 14:00:52.000000000 +0200 -@@ -0,0 +1,103 @@ -+/* Copyright (c) 2016-2018 Dovecot authors, see the included COPYING file */ -+ -+#include "test-lib.h" -+#include "hash-method.h" -+#include "hmac.h" -+#include "sha-common.h" -+#include "buffer.h" -+ -+struct test_vector { -+ const char *prf; -+ const unsigned char *key; -+ size_t key_len; -+ const unsigned char *data; -+ size_t data_len; -+ const unsigned char *res; -+ size_t res_len; -+}; -+ -+#define TEST_BUF(x) (const unsigned char*)x, sizeof(x)-1 -+ -+/* RFC 4231 test vectors */ -+static const struct test_vector test_vectors[] = { -+ /* Test Case 1 */ -+ { "sha256", -+ TEST_BUF("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"), -+ TEST_BUF("Hi There"), -+ TEST_BUF("\xb0\x34\x4c\x61\xd8\xdb\x38\x53\x5c\xa8\xaf\xce\xaf\x0b\xf1\x2b\x88\x1d\xc2\x00\xc9\x83\x3d\xa7\x26\xe9\x37\x6c\x2e\x32\xcf\xf7") -+ }, -+ /* Test Case 2 */ -+ { "sha256", -+ TEST_BUF("\x4a\x65\x66\x65"), /* "Jefe" */ -+ TEST_BUF("what do ya want for nothing?"), -+ TEST_BUF("\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75\xc7\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec\x38\x43") -+ }, -+ /* Test Case 3 */ -+ { "sha256", -+ TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"), -+ TEST_BUF("\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"), -+ TEST_BUF("\x77\x3e\xa9\x1e\x36\x80\x0e\x46\x85\x4d\xb8\xeb\xd0\x91\x81\xa7\x29\x59\x09\x8b\x3e\xf8\xc1\x22\xd9\x63\x55\x14\xce\xd5\x65\xfe") -+ }, -+ /* Test Case 4 */ -+ { "sha256", -+ TEST_BUF("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"), -+ TEST_BUF("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"), -+ TEST_BUF("\x82\x55\x8a\x38\x9a\x44\x3c\x0e\xa4\xcc\x81\x98\x99\xf2\x08\x3a\x85\xf0\xfa\xa3\xe5\x78\xf8\x07\x7a\x2e\x3f\xf4\x67\x29\x66\x5b") -+ }, -+ /* Test Case 5 */ -+ { "sha256", -+ TEST_BUF("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"), -+ TEST_BUF("\x54\x65\x73\x74\x20\x57\x69\x74\x68\x20\x54\x72\x75\x6e\x63\x61\x74\x69\x6f\x6e"), /* "Test With Truncation" */ -+ TEST_BUF("\xa3\xb6\x16\x74\x73\x10\x0e\xe0\x6e\x0c\x79\x6c\x29\x55\x55\x2b") -+ }, -+ /* Test Case 6 */ -+ { "sha256", -+ TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"), -+ TEST_BUF("\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74"), /* "Test Using Larger Than Block-Size Key - Hash Key First" */ -+ TEST_BUF("\x60\xe4\x31\x59\x1e\xe0\xb6\x7f\x0d\x8a\x26\xaa\xcb\xf5\xb7\x7f\x8e\x0b\xc6\x21\x37\x28\xc5\x14\x05\x46\x04\x0f\x0e\xe3\x7f\x54") -+ }, -+ /* Test Case 7 */ -+ { "sha256", -+ TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"), -+ TEST_BUF("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"), -+ /* "This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm." */ -+ TEST_BUF("\x9b\x09\xff\xa7\x1b\x94\x2f\xcb\x27\x63\x5f\xbc\xd5\xb0\xe9\x44\xbf\xdc\x63\x64\x4f\x07\x13\x93\x8a\x7f\x51\x53\x5c\x3a\x35\xe2") -+ } -+}; -+ -+static void test_hmac_rfc(void) -+{ -+ test_begin("hmac sha256 rfc4231 vectors"); -+ for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { -+ const struct test_vector *vec = &(test_vectors[i]); +diff -up dovecot-2.3.8/src/lib/test-hmac.c.opensslhmac dovecot-2.3.8/src/lib/test-hmac.c +--- dovecot-2.3.8/src/lib/test-hmac.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200 ++++ dovecot-2.3.8/src/lib/test-hmac.c 2019-11-19 16:34:11.340036994 +0100 +@@ -112,11 +112,11 @@ static void test_hmac_rfc(void) + test_begin("hmac sha256 rfc4231 vectors"); + for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { + const struct test_vector *vec = &(test_vectors[i]); +- struct hmac_context ctx; +- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf)); +- hmac_update(&ctx, vec->data, vec->data_len); + struct openssl_hmac_context ctx; + openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf)); + openssl_hmac_update(&ctx, vec->data, vec->data_len); -+ unsigned char res[SHA256_RESULTLEN]; + unsigned char res[SHA256_RESULTLEN]; +- hmac_final(&ctx, res); + openssl_hmac_final(&ctx, res); -+ test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i); -+ } -+ test_end(); -+} -+ -+static void test_hmac_buffer(void) -+{ -+ const struct test_vector *vec = &(test_vectors[0]); -+ test_begin("hmac temporary buffer"); -+ -+ buffer_t *tmp; -+ + test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i); + } + test_end(); +@@ -129,7 +129,7 @@ static void test_hmac_buffer(void) + + buffer_t *tmp; + +- tmp = t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len, + tmp = openssl_t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len, -+ vec->data, vec->data_len); -+ -+ test_assert(tmp->used == vec->res_len && -+ memcmp(tmp->data, vec->res, vec->res_len) == 0); -+ -+ test_end(); -+} -+ -+void test_hmac(void) -+{ -+ test_hmac_rfc(); -+ test_hmac_buffer(); -+} -diff -up dovecot-2.2.36/src/lib/test-lib.h.opensslhmac dovecot-2.2.36/src/lib/test-lib.h ---- dovecot-2.2.36/src/lib/test-lib.h.opensslhmac 2019-06-10 15:41:57.155268669 +0200 -+++ dovecot-2.2.36/src/lib/test-lib.h 2019-06-10 15:41:57.194268512 +0200 -@@ -20,6 +20,7 @@ void test_failures(void); - void test_file_create_locked(void); - void test_guid(void); - void test_hash(void); -+void test_hmac(void); - void test_hash_format(void); - void test_hash_method(void); - void test_hex_binary(void); + vec->data, vec->data_len); + + test_assert(tmp->used == vec->res_len && +@@ -146,7 +146,7 @@ static void test_hkdf_rfc(void) + buffer_set_used_size(res, 0); + const struct test_vector_5869 *vec = &(test_vectors_5869[i]); + const struct hash_method *m = hash_method_lookup(vec->prf); +- hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len, ++ openssl_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len, + vec->info, vec->info_len, res, vec->okm_len); + test_assert_idx(memcmp(res->data, vec->okm, vec->okm_len) == 0, i); + } +@@ -159,7 +159,7 @@ static void test_hkdf_buffer(void) + test_begin("hkdf temporary buffer"); + const struct test_vector_5869 *vec = &(test_vectors_5869[0]); + const struct hash_method *m = hash_method_lookup(vec->prf); +- buffer_t *tmp = t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, ++ buffer_t *tmp = openssl_t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, + vec->ikm_len, vec->info, vec->info_len, + vec->okm_len); + test_assert(tmp->used == vec->okm_len && diff --git a/SPECS/dovecot.spec b/SPECS/dovecot.spec index 6531ab3..0b2e247 100644 --- a/SPECS/dovecot.spec +++ b/SPECS/dovecot.spec @@ -3,19 +3,19 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.36 +Version: 2.3.8 %global prever %{nil} -Release: 10%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons URL: http://www.dovecot.org/ -Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz +Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.24 -Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz +%global pigeonholever 0.5.8 +Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -29,7 +29,6 @@ Patch3: dovecot-1.0.rc7-mkcert-paths.patch #wait for network Patch6: dovecot-2.1.10-waitonline.patch -Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch @@ -38,23 +37,12 @@ Patch10: dovecot-2.3.0.1-libxcrypt.patch # sent upstream, rhbz#1630380 Patch11: dovecot-2.2.36-aclfix.patch -# dovecot < 2.3, rhbz#1280436 -Patch12: dovecot-2.2-gidcheck.patch Patch13: dovecot-2.2.36-bigkey.patch # do not use own implementation of HMAC, use OpenSSL for certification purposes # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces # hard to break circular dependency between lib and lib-dcrypt Patch14: dovecot-2.3.6-opensslhmac.patch -Patch15: dovecot-2.2.36-cve_2019_3814part1of3.patch -Patch16: dovecot-2.2.36-cve_2019_3814part2of3.patch -Patch17: dovecot-2.2.36-cve_2019_3814part3of3.patch -Patch18: dovecot-2.2.36-getpwentreset.patch -Patch19: dovecot-2.2.36-cve2019_11500_part1of4.patch -Patch20: dovecot-2.2.36-cve2019_11500_part2of4.patch -Patch21: dovecot-2.2.36-cve2019_11500_part3of4.patch -Patch22: dovecot-2.2.36-cve2019_11500_part4of4.patch - Source15: prestartscript @@ -62,11 +50,17 @@ BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel BuildRequires: postgresql-devel +#BuildRequires: libpq-devel BuildRequires: mariadb-connector-c-devel +#BuildRequires: libxcrypt-devel BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel +BuildRequires: lz4-devel +#BuildRequires: libsodium-devel +#BuildRequires: libexttextcat-devel +#BuildRequires: libstemmer-devel # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV @@ -148,23 +142,14 @@ This package provides the development files for dovecot. %patch2 -p1 -b .mkcert-permissions %patch3 -p1 -b .mkcert-paths %patch6 -p1 -b .waitonline -%patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem -%patch10 -p1 -b .libxcrypt +#%patch10 -p1 -b .libxcrypt %patch11 -p1 -b .aclfix -%patch12 -p1 -b .gidcheck %patch13 -p1 -b .bigkey %patch14 -p1 -b .opensslhmac -%patch15 -p1 -b .cve_2019_3814part1of3 -%patch16 -p1 -b .cve_2019_3814part2of3 -%patch17 -p1 -b .cve_2019_3814part3of3 -%patch18 -p1 -b .getpwentreset -%patch19 -p1 -b .cve2019_11500_part1of4 -%patch20 -p1 -b .cve2019_11500_part2of4 -pushd dovecot-2*2-pigeonhole-%{pigeonholever} -%patch21 -p1 -b .cve2019_11500_part3of4 -%patch22 -p1 -b .cve2019_11500_part4of4 +pushd dovecot-2*3-pigeonhole-%{pigeonholever} + popd sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in @@ -172,7 +157,7 @@ sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src %build #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules %global _hardened_build 1 -export CFLAGS="%{__global_cflags} -fno-strict-aliasing" +export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" # el6 autoconf too old to regen; use packaged files (#1082384) %if %{?fedora}00%{?rhel} > 6 @@ -207,7 +192,7 @@ sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10 make %{?_smp_mflags} #pigeonhole -pushd dovecot-2*2-pigeonhole-%{pigeonholever} +pushd dovecot-2*3-pigeonhole-%{pigeonholever} # required for snapshot [ -f configure ] || autoreconf -fiv @@ -231,7 +216,7 @@ make install DESTDIR=$RPM_BUILD_ROOT mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall -pushd dovecot-2*2-pigeonhole-%{pigeonholever} +pushd dovecot-2*3-pigeonhole-%{pigeonholever} make install DESTDIR=$RPM_BUILD_ROOT mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole @@ -327,7 +312,7 @@ fi install -d -m 0755 -g dovecot -d /var/run/dovecot install -d -m 0755 -d /var/run/dovecot/empty install -d -m 0750 -g dovenull -d /var/run/dovecot/login -install -d -m 0755 -g dovenull -d /var/run/dovecot/token-login +install -d -m 0750 -g dovenull -d /var/run/dovecot/token-login [ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot ||: %preun @@ -370,7 +355,7 @@ fi %check make check -cd dovecot-2*2-pigeonhole-%{pigeonholever} +cd dovecot-2*3-pigeonhole-%{pigeonholever} make check %files @@ -407,6 +392,7 @@ make check %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-imap.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-lmtp.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-pop3.conf +%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-submission.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-acl.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-quota.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-plugin.conf @@ -433,7 +419,6 @@ make check %dir %{_libdir}/dovecot %dir %{_libdir}/dovecot/auth %dir %{_libdir}/dovecot/dict -%dir %{_libdir}/dovecot/stats %{_libdir}/dovecot/doveadm %exclude %{_libdir}/dovecot/doveadm/*sieve* %{_libdir}/dovecot/*.so.* @@ -447,8 +432,6 @@ make check %{_libdir}/dovecot/auth/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdict_ldap.so -%{_libdir}/dovecot/stats/libstats_auth.so -%{_libdir}/dovecot/stats/libstats_mail.so %{_libdir}/dovecot/libdriver_sqlite.so %{_libdir}/dovecot/libssl_iostream_openssl.so %{_libdir}/dovecot/libfs_compress.so @@ -456,6 +439,8 @@ make check %{_libdir}/dovecot/libfs_mail_crypt.so %{_libdir}/dovecot/libdcrypt_openssl.so %{_libdir}/dovecot/lib20_var_expand_crypt.so +%{_libdir}/dovecot/old-stats/libold_stats_mail.so +%{_libdir}/dovecot/old-stats/libstats_auth.so %dir %{_libdir}/dovecot/settings @@ -464,6 +449,7 @@ make check %attr(0755,root,dovecot) %ghost /var/run/dovecot %attr(0750,root,dovenull) %ghost /var/run/dovecot/login +%attr(0750,root,dovenull) %ghost /var/run/dovecot/token-login %attr(0755,root,root) %ghost /var/run/dovecot/empty %attr(0750,dovecot,dovecot) /var/lib/dovecot @@ -521,6 +507,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Jan 09 2020 Michal Hlavinka - 1:2.3.8-2 +- fix default attributes for ghost files + +* Tue Nov 19 2019 Michal Hlavinka - 1:2.3.8-1 +- dovecot updated to 2.3.8 with pigeonhole updated to 0.5.8 (#1653117) + * Thu Aug 29 2019 Michal Hlavinka - 1:2.2.36-10 - fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap @@ -639,7 +631,7 @@ make check imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to not work perfectly. - mdbox: "Inconsistency in map index" wasn't fixed automatically -- dict-ldap: %variable values used in the LDAP filter weren't escaped. +- dict-ldap: %%variable values used in the LDAP filter weren't escaped. - quota=count: quota_warning = -storage=.. was never executed (try #2). - imapc: >= 32 kB mail bodies were supposed to be cached for subsequent FETCHes, but weren't.