diff --git a/SOURCES/dovecot-2.2.36-cve2019_11500_part1of4.patch b/SOURCES/dovecot-2.2.36-cve2019_11500_part1of4.patch new file mode 100644 index 0000000..7655fc6 --- /dev/null +++ b/SOURCES/dovecot-2.2.36-cve2019_11500_part1of4.patch @@ -0,0 +1,37 @@ +From 58ffd3e8a02e54fc98b6be78e02b0511ee9263eb Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Fri, 10 May 2019 19:24:51 +0300 +Subject: [PATCH 1/2] lib-imap: Don't accept strings with NULs + +IMAP doesn't allow NULs except in binary literals. We'll still allow them +in regular literals as well, but just not in strings. + +This fixes a bug with unescaping a string with NULs: str_unescape() could +have been called for memory that points outside the allocated string, +causing heap corruption. This could cause crashes or theoretically even +result in remote code execution exploit. + +Found by Nick Roessler and Rafi Rubin +--- + src/lib-imap/imap-parser.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c +index dddf55189..f41668d7a 100644 +--- a/src/lib-imap/imap-parser.c ++++ b/src/lib-imap/imap-parser.c +@@ -363,6 +363,11 @@ static bool imap_parser_read_string(struct imap_parser *parser, + break; + } + ++ if (data[i] == '\0') { ++ parser->error = "NULs not allowed in strings"; ++ return FALSE; ++ } ++ + if (data[i] == '\\') { + if (i+1 == data_size) { + /* known data ends with '\' - leave it to +-- +2.11.0 + diff --git a/SOURCES/dovecot-2.2.36-cve2019_11500_part2of4.patch b/SOURCES/dovecot-2.2.36-cve2019_11500_part2of4.patch new file mode 100644 index 0000000..65746d6 --- /dev/null +++ b/SOURCES/dovecot-2.2.36-cve2019_11500_part2of4.patch 
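Review bot: The new NUL check in imap_parser_read_string is placed before the `data[i] == '\\'` branch, so a NUL that directly follows a backslash is only rejected if that branch does not step over the escaped byte; the part of the branch that consumes the escaped character is outside this hunk, and if it merely skips it, `\<NUL>` would still pass this check and reach the later unescape. Consider also testing the byte after the escape once the `i+1 == data_size` guard has passed, `if (data[i+1] == '\0') { parser->error = "NULs not allowed in strings"; return FALSE; }`, so the protocol error is reported instead of the string presumably being silently shortened by a C-string unescape (part2of4 appears to make the latter the worst case, but that is inferred, not visible here). The rest of imap_parser_read_string, including the loop header and the closing-quote test whose `break` precedes the new lines, is outside the hunk.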
@@ -0,0 +1,33 @@ +From a56b0636b1bf9c7677c6fca9681f48752af700a1 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Fri, 17 May 2019 10:33:53 +0300 +Subject: [PATCH 2/2] lib-imap: Make sure str_unescape() won't be writing past + allocated memory + +The previous commit should already prevent this, but this makes sure it +can't become broken in the future either. It makes the performance a tiny +bit worse, but that's not practically noticeable. +--- + src/lib-imap/imap-parser.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c +index f41668d7a..7f58d99e2 100644 +--- a/src/lib-imap/imap-parser.c ++++ b/src/lib-imap/imap-parser.c +@@ -267,10 +267,8 @@ static void imap_parser_save_arg(struct imap_parser *parser, + + /* remove the escapes */ + if (parser->str_first_escape >= 0 && +- (parser->flags & IMAP_PARSE_FLAG_NO_UNESCAPE) == 0) { +- /* -1 because we skipped the '"' prefix */ +- (void)str_unescape(str + parser->str_first_escape-1); +- } ++ (parser->flags & IMAP_PARSE_FLAG_NO_UNESCAPE) == 0) ++ (void)str_unescape(str); + arg->_data.str = str; + arg->str_len = strlen(str); + break; +-- +2.11.0 + diff --git a/SOURCES/dovecot-2.2.36-cve2019_11500_part3of4.patch b/SOURCES/dovecot-2.2.36-cve2019_11500_part3of4.patch new file mode 100644 index 0000000..f04c7aa --- /dev/null +++ b/SOURCES/dovecot-2.2.36-cve2019_11500_part3of4.patch 
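Review bot: The deleted `-1 because we skipped the '"' prefix` comment was the only hint that `parser->str_first_escape` counts from the raw input (with the opening quote) rather than from the copied `str`, which per the commit message is exactly how the out-of-bounds pointer arose; now that the field is used purely as a "was anything escaped" gate, that should be stated so a future optimisation does not re-derive the offset. Suggested comment above the condition: `/* str_first_escape indexes the raw input, not str; it only says whether unescaping is needed, so always unescape from the start of str */`. The remainder of imap_parser_save_arg, including the copy that produces `str`, lies outside this hunk.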
@@ -0,0 +1,36 @@ +From 7ce9990a5e6ba59e89b7fe1c07f574279aed922c Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Fri, 10 May 2019 19:43:55 +0300 +Subject: [PATCH 1/2] lib-managesieve: Don't accept strings with NULs + +ManageSieve doesn't allow NULs in strings. + +This fixes a bug with unescaping a string with NULs: str_unescape() could +have been called for memory that points outside the allocated string, +causing heap corruption. This could cause crashes or theoretically even +result in remote code execution exploit. + +Found by Nick Roessler and Rafi Rubin +--- + src/lib-managesieve/managesieve-parser.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/lib-managesieve/managesieve-parser.c b/src/lib-managesieve/managesieve-parser.c +index d3eb2101..f5f9d323 100644 +--- a/src/lib-managesieve/managesieve-parser.c ++++ b/src/lib-managesieve/managesieve-parser.c +@@ -258,6 +258,11 @@ managesieve_parser_read_string(struct managesieve_parser *parser, + break; + } + ++ if (data[i] == '\0') { ++ parser->error = "NULs not allowed in strings"; ++ return FALSE; ++ } ++ + if (data[i] == '\\') { + if (i+1 == data_size) { + /* known data ends with '\' - leave it to +-- +2.11.0 + diff --git a/SOURCES/dovecot-2.2.36-cve2019_11500_part4of4.patch b/SOURCES/dovecot-2.2.36-cve2019_11500_part4of4.patch new file mode 100644 index 0000000..6b0e101 --- /dev/null +++ b/SOURCES/dovecot-2.2.36-cve2019_11500_part4of4.patch 
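Review bot: As with the lib-imap counterpart, the new NUL rejection in managesieve_parser_read_string runs before the `data[i] == '\\'` branch, so whether a NUL placed immediately after a backslash is caught depends on how that branch advances `i`, which is not visible in the hunk. If the escaped byte is skipped without inspection, adding `if (data[i+1] == '\0') { parser->error = "NULs not allowed in strings"; return FALSE; }` after the `i+1 == data_size` guard would close that path and keep the two parsers' behaviour identical. The function body continues past the end of this hunk.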
@@ -0,0 +1,33 @@ +From 4a299840cdb51f61f8d1ebc0210b19c40dfbc1cc Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Fri, 17 May 2019 10:39:25 +0300 +Subject: [PATCH 2/2] lib-managesieve: Make sure str_unescape() won't be + writing past allocated memory + +The previous commit should already prevent this, but this makes sure it +can't become broken in the future either. It makes the performance a tiny +bit worse, but that's not practically noticeable. +--- + src/lib-managesieve/managesieve-parser.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/lib-managesieve/managesieve-parser.c b/src/lib-managesieve/managesieve-parser.c +index f5f9d323..dc7d1fa9 100644 +--- a/src/lib-managesieve/managesieve-parser.c ++++ b/src/lib-managesieve/managesieve-parser.c +@@ -169,10 +169,8 @@ static void managesieve_parser_save_arg(struct managesieve_parser *parser, + + /* remove the escapes */ + if (parser->str_first_escape >= 0 && +- (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0) { +- /* -1 because we skipped the '"' prefix */ +- str_unescape(str + parser->str_first_escape-1); +- } ++ (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0) ++ (void)str_unescape(str); + + arg->_data.str = str; + arg->str_len = strlen(str); +-- +2.11.0 + diff --git a/SPECS/dovecot.spec b/SPECS/dovecot.spec index 8cee84a..87d7765 100644 --- a/SPECS/dovecot.spec +++ b/SPECS/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.36 %global prever %{nil} -Release: 3%{?dist} +Release: 3%{?dist}.1 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons 
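Review bot: Right after the new `(void)str_unescape(str);` the existing `arg->str_len = strlen(str);` derives the argument length from the first NUL, which only equals the parsed length because part3of4 now refuses NULs in managesieve_parser_read_string; that coupling between the two patches is invisible here and deserves a comment, e.g. `/* NULs were rejected in managesieve_parser_read_string(), so strlen() is the full unescaped length */`. The `(void)` cast added on the new line also brings this call in line with the lib-imap version, which is good. The start of managesieve_parser_save_arg and the code that fills `str` are outside the hunk.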
@@ -46,6 +46,11 @@ Patch10: dovecot-2.2-gidcheck.patch Source15: prestartscript +Patch19: dovecot-2.2.36-cve2019_11500_part1of4.patch +Patch20: dovecot-2.2.36-cve2019_11500_part2of4.patch +Patch21: dovecot-2.2.36-cve2019_11500_part3of4.patch +Patch22: dovecot-2.2.36-cve2019_11500_part4of4.patch + Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, xz-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig @@ -141,9 +146,13 @@ This package provides the development files for dovecot. %patch7 -p1 -b .nodevrand %patch9 -p1 -b .aclfix %patch10 -p1 -b .gidcheck +%patch19 -p1 -b .cve2019_11500_part1of4 +%patch20 -p1 -b .cve2019_11500_part2of4 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in #pigeonhole pushd dovecot-2*2-pigeonhole-%{pigeonholever} +%patch21 -p1 -b .cve2019_11500_part3of4 +%patch22 -p1 -b .cve2019_11500_part4of4 popd %build @@ -517,6 +526,11 @@ make check %changelog +* Thu Sep 12 2019 Michal Hlavinka - 1:2.2.36-3.1 +- fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte + when scanning data in quoted strings, leading to out of bounds heap + memory writes (#1751383) + * Wed Sep 19 2018 Michal Hlavinka - 1:2.2.36-3 - fix global ACL directory configuration search path (#1630380) - update first/last_valid_gid range patch (#1630409)
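Review bot: The %prep hunk correctly applies `%patch21`/`%patch22` inside the pigeonhole `pushd`, i.e. to the bundled ManageSieve parser, yet the changelog entry added further down describes the fix only as "IMAP protocol parser does not properly handle NUL byte"; since half of the backport targets `lib-managesieve`, the entry should say so, e.g. `- fix CVE-2019-11500: IMAP and ManageSieve parsers do not properly handle NUL byte`. A minor point of style: `Patch19`–`Patch22` are declared after `Source15` rather than next to the existing `Patch10` line, which is where a reader looks for the patch list.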