diff --git a/SOURCES/dovecot-2.2.36-cve_2019_3814part1of3.patch b/SOURCES/dovecot-2.2.36-cve_2019_3814part1of3.patch
new file mode 100644
index 0000000..7701369
--- /dev/null
+++ b/SOURCES/dovecot-2.2.36-cve_2019_3814part1of3.patch
@@ -0,0 +1,69 @@
+From eb5ffe2641febe0fa5e9038f2e216c130e1e7519 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi
+Date: Mon, 21 Jan 2019 11:36:30 +0200
+Subject: [PATCH] login-common: Ensure we get username from certificate
+
+---
+ src/login-common/sasl-server.c | 42 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 40 insertions(+), 2 deletions(-)
+
+diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
+index a833c9a6d4..9465da9657 100644
+--- a/src/login-common/sasl-server.c
++++ b/src/login-common/sasl-server.c
+@@ -321,6 +321,37 @@ authenticate_callback(struct auth_client_request *request,
+ }
+ }
++static bool get_cert_username(struct client *client, const char **username_r,
++ const char **error_r)
++{
++ /* no SSL */
++ if (client->ssl_proxy == NULL) {
++ *username_r = NULL;
++ return TRUE;
++ }
++
++ /* no client certificate */
++ if (!ssl_proxy_has_valid_client_cert(client->ssl_proxy)) {
++ *username_r = NULL;
++ return TRUE;
++ }
++
++ /* get peer name */
++ const char *username = ssl_proxy_get_peer_name(client->ssl_proxy);
++
++ /* if we wanted peer name, but it was not there, fail */
++ if (client->set->auth_ssl_username_from_cert &&
++ (username == NULL || *username == '\0')) {
++ if (client->set->auth_ssl_require_client_cert) {
++ *error_r = "Missing username in certificate";
++ return FALSE;
++ }
++ }
++
++ *username_r = username;
++ return TRUE;
++}
++
+ void sasl_server_auth_begin(struct client *client,
+ const char *service, const char *mech_name,
+ const char *initial_resp_base64,
+@@ -359,8 +390,15 @@ void sasl_server_auth_begin(struct client *client,
+ info.mech = mech->name;
+ info.service = service;
+ info.session_id = client_get_session_id(client);
+- info.cert_username = client->ssl_proxy == NULL ?
NULL :
+- ssl_proxy_get_peer_name(client->ssl_proxy);
++ if (client->set->auth_ssl_username_from_cert) {
++ const char *error;
++ if (!get_cert_username(client, &info.cert_username, &error)) {
++ client_log_err(client, t_strdup_printf("Cannot get username "
++ "from certificate: %s", error));
++ sasl_server_auth_failed(client, "Unable to validate certificate");
++ return;
++ }
++ }
+ info.flags = client_get_auth_flags(client);
+ info.local_ip = client->local_ip;
+ info.remote_ip = client->ip;
diff --git a/SOURCES/dovecot-2.2.36-cve_2019_3814part2of3.patch b/SOURCES/dovecot-2.2.36-cve_2019_3814part2of3.patch
new file mode 100644
index 0000000..ea4487e
--- /dev/null
+++ b/SOURCES/dovecot-2.2.36-cve_2019_3814part2of3.patch
@@ -0,0 +1,29 @@
+From 7525fece60f01b52deb13df3620976ee1d616837 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi
+Date: Mon, 21 Jan 2019 10:54:06 +0200
+Subject: [PATCH] auth: Fail authentication if certificate username was
+ unexpectedly missing
+
+---
+ src/auth/auth-request-handler.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
+index 617dc1883d..3044e94f91 100644
+--- a/src/auth/auth-request-handler.c
++++ b/src/auth/auth-request-handler.c
+@@ -560,6 +560,14 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
+ return TRUE;
+ }
+
++ if (request->set->ssl_require_client_cert &&
++ request->set->ssl_username_from_cert &&
++ !request->cert_username) {
++ auth_request_handler_auth_fail(handler, request,
++ "SSL certificate didn't contain username");
++ return TRUE;
++ }
++
+ /* Empty initial response is a "=" base64 string. Completely empty
+ string shouldn't really be sent, but at least Exim does it,
+ so just allow it for backwards compatibility.. */
diff --git a/SOURCES/dovecot-2.2.36-cve_2019_3814part3of3.patch b/SOURCES/dovecot-2.2.36-cve_2019_3814part3of3.patch
new file mode 100644
index 0000000..7e1a13c
--- /dev/null
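Review bot: The sasl_server_auth_begin hunk now assigns `info.cert_username` only inside `if (client->set->auth_ssl_username_from_cert)`, whereas the removed lines set it on every path; unless `info` is zero-initialised earlier in the function (not visible in this hunk), the field is left indeterminate whenever the setting is off. An explicit `info.cert_username = NULL;` ahead of the `if` would make the new code independent of that assumption. Inside get_cert_username the `client->set->auth_ssl_username_from_cert` test repeats the caller's guard, so a short comment such as `/* only reached when auth_ssl_username_from_cert is set; the inner test keeps the helper self-contained */` would explain why both exist. get_cert_username is complete within the hunk; sasl_server_auth_begin starts and ends outside it.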
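Review bot: The new check in auth_request_handler_auth_begin relies on `request->cert_username` remaining unset when the certificate carried an empty name; that behaviour comes from the auth-request.c hunk in part3of3 (`*value != '\0'`), not from anything in this file, and the hunk does not show where cert_username is set (presumably where the `cert_username` key is imported). A comment at the condition would make the cross-file dependency visible: `/* cert_username is only set when a non-empty name was imported from the certificate */`. auth_request_handler_auth_begin starts and ends outside the hunk.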
+++ b/SOURCES/dovecot-2.2.36-cve_2019_3814part3of3.patch
@@ -0,0 +1,22 @@
+From e5d428297d70e3ac8b6dfce7e0de182b86825082 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi
+Date: Wed, 16 Jan 2019 18:28:57 +0200
+Subject: [PATCH] auth: Do not import empty certificate username
+
+---
+ src/auth/auth-request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
+index dd288b6d23..1cb665ec8c 100644
+--- a/src/auth/auth-request.c
++++ b/src/auth/auth-request.c
+@@ -445,7 +445,7 @@ bool auth_request_import_auth(struct auth_request *request,
+ else if (strcmp(key, "valid-client-cert") == 0)
+ request->valid_client_cert = TRUE;
+ else if (strcmp(key, "cert_username") == 0) {
+- if (request->set->ssl_username_from_cert) {
++ if (request->set->ssl_username_from_cert && *value != '\0') {
+ /* get username from SSL certificate. it overrides
+ the username given by the auth mechanism. */
+ request->user = p_strdup(request->pool, value);
diff --git a/SOURCES/dovecot-2.2.36-cve_2019_7524part1of2.patch b/SOURCES/dovecot-2.2.36-cve_2019_7524part1of2.patch
new file mode 100644
index 0000000..8176880
--- /dev/null
+++ b/SOURCES/dovecot-2.2.36-cve_2019_7524part1of2.patch
@@ -0,0 +1,32 @@
+From fcd786753b2ba6b4fb82cc2affea8e0d61889c95 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen
+Date: Mon, 4 Feb 2019 19:23:02 -0800
+Subject: [PATCH] lib-storage: Fix buffer overflow when reading oversized
+ hdr-pop3-uidl header
+
+---
+ src/lib-storage/index/index-pop3-uidl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib-storage/index/index-pop3-uidl.c b/src/lib-storage/index/index-pop3-uidl.c
+index 13b7363ef6..e537e9ff51 100644
+--- a/src/lib-storage/index/index-pop3-uidl.c
++++ b/src/lib-storage/index/index-pop3-uidl.c
+@@ -37,7 +37,7 @@ bool index_pop3_uidl_can_exist(struct mail *mail)
+ /* this header isn't set yet */
+ return TRUE;
+ }
+- memcpy(&uidl, data, size);
++ memcpy(&uidl, data, sizeof(uidl));
+ return mail->uid <= uidl.max_uid_with_pop3_uidl;
+ }
+
+@@ -95,7 +95,7 @@ void index_pop3_uidl_update_exists_finish(struct mailbox_transaction_context *tr
+
+ /* check if we have already the same header */
+ if (size >= sizeof(uidl)) {
+- memcpy(&uidl, data, size);
++ memcpy(&uidl, data, sizeof(uidl));
+ if (trans->highest_pop3_uidl_uid == uidl.max_uid_with_pop3_uidl)
+ return;
+ }
diff --git a/SOURCES/dovecot-2.2.36-cve_2019_7524part2of2.patch b/SOURCES/dovecot-2.2.36-cve_2019_7524part2of2.patch
new file mode 100644
index 0000000..878a4aa
--- /dev/null
+++ b/SOURCES/dovecot-2.2.36-cve_2019_7524part2of2.patch
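Review bot: In the first hunk (index_pop3_uidl_can_exist) bounding the copy by `sizeof(uidl)` stops an oversized header record from overwriting the stack, but the condition of the early return above `/* this header isn't set yet */` is outside the hunk; if it only rejects an empty header rather than `size < sizeof(uidl)`, an undersized record now makes the memcpy read past the end of `data` instead. The second hunk shows the intended shape, `if (size >= sizeof(uidl))`, and the same question applies to the `else` branch in the fts-api.c hunk (part2of2), whose `if` condition is likewise outside the hunk. Worth confirming both guards compare against the struct size, e.g. `if (size < sizeof(uidl)) { /* this header isn't set yet */ return TRUE; }`. Both enclosing functions start outside their hunks.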
@@ -0,0 +1,22 @@
+From df17cee615377f2474c86eb6a5b3fe5caa8b70fe Mon Sep 17 00:00:00 2001
+From: Timo Sirainen
+Date: Mon, 4 Feb 2019 19:25:13 -0800
+Subject: [PATCH] fts: Fix buffer overflow when reading oversized fts header
+
+---
+ src/plugins/fts/fts-api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/fts/fts-api.c b/src/plugins/fts/fts-api.c
+index 5a5b2a919e..4f8a1c125d 100644
+--- a/src/plugins/fts/fts-api.c
++++ b/src/plugins/fts/fts-api.c
+@@ -425,7 +425,7 @@ bool fts_index_get_header(struct mailbox *box, struct fts_index_header *hdr_r)
+ i_zero(hdr_r);
+ ret = FALSE;
+ } else {
+- memcpy(hdr_r, data, data_size);
++ memcpy(hdr_r, data, sizeof(*hdr_r));
+ ret = TRUE;
+ }
+ mail_index_view_close(&view);
diff --git a/SOURCES/dovecot-2.2.36-portreserve.patch b/SOURCES/dovecot-2.2.36-portreserve.patch
new file mode 100644
index 0000000..f235bc8
--- /dev/null
+++ b/SOURCES/dovecot-2.2.36-portreserve.patch
@@ -0,0 +1,11 @@
+diff -up dovecot-2.2.36/dovecot.service.in.portreserve dovecot-2.2.36/dovecot.service.in
+--- dovecot-2.2.36/dovecot.service.in.portreserve 2019-08-13 13:16:17.660982741 +0200
++++ dovecot-2.2.36/dovecot.service.in 2019-08-13 13:16:17.664982728 +0200
+@@ -13,6 +13,7 @@ After=local-fs.target network.target net
+ [Service]
+ Type=forking
+ ExecStartPre=/usr/libexec/dovecot/prestartscript
++ExecStartPre=-/usr/sbin/portrelease dovecot
+ ExecStart=@sbindir@/dovecot
+ PIDFile=@rundir@/master.pid
+ ExecReload=@bindir@/doveadm reload
diff --git a/SOURCES/dovecot.portreserve b/SOURCES/dovecot.portreserve
new file mode 100644
index 0000000..9b44b12
--- /dev/null
+++ b/SOURCES/dovecot.portreserve
@@ -0,0 +1,5 @@
+imap/tcp
+imaps/tcp
+pop3/tcp
+pop3s/tcp
+sieve/tcp
diff --git a/SPECS/dovecot.spec b/SPECS/dovecot.spec
index 87d7765..fe0e2be 100644
--- a/SPECS/dovecot.spec
+++ b/SPECS/dovecot.spec
@@ -5,7 +5,7 @@ Name: dovecot
 Epoch: 1
 Version: 2.2.36
 %global prever %{nil}
-Release: 3%{?dist}.1
+Release: 6%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 Group: System Environment/Daemons
@@ -23,6 +23,8 @@ Source10: dovecot.tmpfilesd
 #our own
 Source14: dovecot.conf.5
+Source15: prestartscript
+Source16: dovecot.portreserve
 # 3x Fedora/RHEL specific
 Patch1: dovecot-2.0-defaultconfig.patch
@@ -42,9 +44,12 @@ Patch9: dovecot-2.2.36-aclfix.patch
 # dovecot < 2.3, rhbz#1280436
 Patch10: dovecot-2.2-gidcheck.patch
-
-
-Source15: prestartscript
+Patch11: dovecot-2.2.36-portreserve.patch
+Patch12: dovecot-2.2.36-cve_2019_3814part1of3.patch
+Patch13: dovecot-2.2.36-cve_2019_3814part2of3.patch
+Patch14: dovecot-2.2.36-cve_2019_3814part3of3.patch
+Patch15: dovecot-2.2.36-cve_2019_7524part1of2.patch
+Patch16: dovecot-2.2.36-cve_2019_7524part2of2.patch
 Patch19: dovecot-2.2.36-cve2019_11500_part1of4.patch
 Patch20: dovecot-2.2.36-cve2019_11500_part2of4.patch
@@ -82,6 +87,8 @@ Requires(preun): chkconfig initscripts
 Requires(postun): initscripts
 %endif
+Requires: portreserve
+
 %if %{?fedora}0 > 150 || %{?rhel}0 >60
 #clucene in fedora <=15 and rhel<=6 is too old
 BuildRequires: clucene-core-devel
@@ -146,6 +153,12 @@ This package provides the development files for dovecot.
 %patch7 -p1 -b .nodevrand
 %patch9 -p1 -b .aclfix
 %patch10 -p1 -b .gidcheck
+%patch11 -p1 -b .portreserve
+%patch12 -p1 -b .cve_2019_3814part1of3
+%patch13 -p1 -b .cve_2019_3814part2of3
+%patch14 -p1 -b .cve_2019_3814part3of3
+%patch15 -p1 -b .cve_2019_7524part1of2
+%patch16 -p1 -b .cve_2019_7524part2of2
 %patch19 -p1 -b .cve2019_11500_part1of4
 %patch20 -p1 -b .cve2019_11500_part2of4
 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
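Review bot: `Requires: portreserve` in the `@@ -82,6 +87,8 @@` hunk lands after the `%endif` that closes the distribution-conditional block, so it is an unconditional hard dependency even though the neighbouring requires are guarded, while the unit file from the portreserve patch already tolerates a failing `portrelease` through the `-` prefix. If this spec is also built for targets where portreserve is not packaged, the dependency needs the same kind of guard as the surrounding lines. Otherwise a one-line comment stating the intent, e.g. `# portreserve holds the mail ports until ExecStartPre=-portrelease hands them to dovecot (#1270283)`, would tell the next maintainer why a hard dependency was chosen.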
@@ -218,7 +231,6 @@ make install DESTDIR=$RPM_BUILD_ROOT
 #move doc dir back to build dir so doc macro in files section can use it
 mv $RPM_BUILD_ROOT/%{_docdir}/%{name}-%{version} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
-
 pushd dovecot-2*2-pigeonhole-%{pigeonholever}
 make install DESTDIR=$RPM_BUILD_ROOT
@@ -240,6 +252,9 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5
 #install waitonline script
 install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript
+# install portreserve dovecot config
+install -p -D -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysconfdir}/portreserve/dovecot
+
 # generate ghost .pem files
 mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs
 mkdir -p $RPM_BUILD_ROOT%{ssldir}/private
@@ -422,6 +437,7 @@ make check
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-system.conf.ext
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-vpopmail.conf.ext
+%config(noreplace) %{_sysconfdir}/portreserve/dovecot
 %config(noreplace) %{_sysconfdir}/pam.d/dovecot
 %config(noreplace) %{ssldir}/dovecot-openssl.cnf
@@ -526,10 +542,18 @@ make check
 %changelog
-* Thu Sep 12 2019 Michal Hlavinka - 1:2.2.36-3.1
+* Thu Aug 29 2019 Michal Hlavinka - 1:2.2.36-6
 - fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
 when scanning data in quoted strings, leading to out of bounds heap
- memory writes (#1751383)
+ memory writes (#1741787)
+
+* Tue Aug 13 2019 Michal Hlavinka - 1:2.2.36-5
+- fix CVE-2019-3814: improper certificate validation (#1674369)
+- fix CVE-2019-7524: buffer overflow in indexer-worker process resulting in privilege
+ escalation (#1700398)
+
+* Tue Aug 13 2019 Michal Hlavinka - 1:2.2.36-4
+- use portreserve to avoid port conflicts(#1270283)
 * Wed Sep 19 2018 Michal Hlavinka - 1:2.2.36-3
 - fix global ACL directory configuration search path (#1630380)