Fix CVE-2020-12673 CVE-2020-12674 CVE-2020-12100
parent
548582d70f
commit
28d156c54d
3283
CVE-2020-12100-1.patch
Normal file
File diff suppressed because it is too large
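--- a/CVE-2020-12100-2.patch
+++ b/CVE-2020-12100-2.patch
@@ -0,0 +1,70 @@
+From f691580f7450b41bb3de36d825fc46fa5071cabf Mon Sep 17 00:00:00 2001
+Date: Mon, 26 Oct 2020 18:52:57 +0800
+Subject: [PATCH] fix CVE-2020-12100
+
+---
+.../src/lib-sieve/plugins/notify/ext-notify-common.c | 3 ++-
+.../src/lib-sieve/sieve-message.c | 12 ++++++------
+2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c
+index 700b79d..9d950f3 100644
+--- a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c
++++ b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c
+@@ -156,6 +156,7 @@ cmd_notify_extract_body_text(const struct sieve_runtime_env *renv,
+{
+const struct sieve_execute_env *eenv = renv->exec_env;
+const struct sieve_extension *this_ext = renv->oprtn->ext;
++ const struct message_parser_settings parser_set = { .flags = 0 };
+struct ext_notify_message_context *mctx;
+struct mail *mail = eenv->msgdata->mail;
+struct message_parser_ctx *parser;
+@@ -189,7 +190,7 @@ cmd_notify_extract_body_text(const struct sieve_runtime_env *renv,
+/* Initialize body decoder */
+decoder = message_decoder_init(NULL, 0);
+
+- parser = message_parser_init(mctx->pool, input, 0, 0);
++ parser = message_parser_init(mctx->pool, input, &parser_set);
+is_text = TRUE;
+save_body = FALSE;
+while ((ret = message_parser_parse_next_block(parser, &block)) > 0) {
+diff --git a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c
+index afbf31f..c791758 100644
+--- a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c
++++ b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c
+@@ -1081,10 +1081,10 @@ static int sieve_message_parts_add_missing
+struct sieve_message_context *msgctx = renv->msgctx;
+pool_t pool = msgctx->context_pool;
+struct mail *mail = sieve_message_get_mail(renv->msgctx);
+- enum message_parser_flags mparser_flags =
+- MESSAGE_PARSER_FLAG_INCLUDE_MULTIPART_BLOCKS;
+- enum message_header_parser_flags hparser_flags =
+- MESSAGE_HEADER_PARSER_FLAG_SKIP_INITIAL_LWSP;
++ struct message_parser_settings parser_set = {
++ .hdr_flags = MESSAGE_HEADER_PARSER_FLAG_SKIP_INITIAL_LWSP,
++ .flags = MESSAGE_PARSER_FLAG_INCLUDE_MULTIPART_BLOCKS,
++ };
+ARRAY(struct sieve_message_header) headers;
+struct sieve_message_part *body_part, *header_part, *last_part;
+struct message_parser_ctx *parser;
+@@ -1121,7 +1121,7 @@ static int sieve_message_parts_add_missing
+if (iter_all) {
+t_array_init(&headers, 64);
+hdr_content = t_str_new(512);
+- hparser_flags |= MESSAGE_HEADER_PARSER_FLAG_CLEAN_ONELINE;
++ parser_set.hdr_flags |= MESSAGE_HEADER_PARSER_FLAG_CLEAN_ONELINE;
+} else {
+i_zero(&headers);
+}
+@@ -1133,7 +1133,7 @@ static int sieve_message_parts_add_missing
+//parser = message_parser_init_from_parts(parts, input,
+// hparser_flags, mparser_flags);
+parser = message_parser_init(pool_datastack_create(),
+- input, hparser_flags, mparser_flags);
++ input, &parser_set);
+while ( (ret=message_parser_parse_next_block
+(parser, &block)) > 0 ) {
+struct sieve_message_part **body_part_idx;
+--
+2.23.0
+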
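Review bot: Both new `struct message_parser_settings` initialisers (`{ .flags = 0 }` in ext-notify-common.c and the two-field one in sieve-message.c) leave every other member zero, so any limits the parser enforces for this CVE depend on it treating zero as "use the built-in default". That definition sits in the suppressed CVE-2020-12100-1.patch and cannot be confirmed from this page. A comment at each initialiser, for example `/* remaining fields left 0 so the parser applies its default limits */`, would record that dependency once it is verified. Separately, the commented-out `message_parser_init_from_parts(parts, input, hparser_flags, mparser_flags)` call kept as context in the last sieve-message.c hunk still names the two locals this patch removes; drop it or rewrite it against `&parser_set`. Both functions start and end outside the hunks.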
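--- a/CVE-2020-12673.patch
+++ b/CVE-2020-12673.patch
@@ -0,0 +1,31 @@
+From fb246611e62ad8c5a95b0ca180a63f17aa34b0d8 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Mon, 18 May 2020 12:33:39 +0300
+Subject: [PATCH] lib-ntlm: Check buffer length on responses
+
+Add missing check for buffer length.
+
+If this is not checked, it is possible to send message which
+causes read past buffer bug.
+
+Broken in c7480644202e5451fbed448508ea29a25cffc99c
+---
+src/lib-ntlm/ntlm-message.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
+index 160b9f918c..a29413b47e 100644
+--- a/src/lib-ntlm/ntlm-message.c
++++ b/src/lib-ntlm/ntlm-message.c
+@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
+if (length == 0 && space == 0)
+return TRUE;
+
++ if (length > data_size) {
++ *error = "buffer length out of bounds";
++ return FALSE;
++ }
++
+if (offset >= data_size) {
+*error = "buffer offset out of bounds";
+return FALSE;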
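Review bot: Nothing visible in this hunk bounds `offset` and `length` together: the added `length > data_size` test checks the length alone, and the context line after it checks `offset` alone. ntlmssp_check_buffer continues past the hunk, so a later end-of-buffer check may exist, but it is worth confirming that it covers `length` and not only `space`. If it does not, a subtraction form placed after the offset check, `if (length > data_size - offset) { *error = "buffer length out of bounds"; return FALSE; }`, bounds the readable range without risking wrap-around in an addition. A short comment above the new test saying which later read it protects would also help the next maintainer.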
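--- a/CVE-2020-12674.patch
+++ b/CVE-2020-12674.patch
@@ -0,0 +1,22 @@
+From 69ad3c902ea4bbf9f21ab1857d8923f975dc6145 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Wed, 6 May 2020 13:40:36 +0300
+Subject: [PATCH] auth: mech-rpa - Fail on zero len buffer
+
+---
+src/auth/mech-rpa.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
+index 08298ebdd6..2de8705b4f 100644
+--- a/src/auth/mech-rpa.c
++++ b/src/auth/mech-rpa.c
+@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data,
+return 0;
+
+len = *p++;
+- if (p + len > end)
++ if (p + len > end || len == 0)
+return 0;
+
+*buffer = p_malloc(pool, len);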
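Review bot: The retained `p + len > end` comparison can form a pointer more than one element past the end of the input before it is compared, which C leaves undefined. Comparing sizes avoids that and puts the new zero-length rejection first: `if (len == 0 || len > (size_t)(end - p))`. The declarations of `len`, `p` and `end` are outside the hunk, so the cast is an assumption to check against them, and rpa_read_buffer starts and ends outside the hunk. A one-line comment such as `/* reject zero-length fields before the allocation below */` would record why the extra condition exists.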
@ -6,7 +6,7 @@
|
||||
|
||||
Name: dovecot
|
||||
Version: 2.3.10.1
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: Dovecot Secure imap server
|
||||
License: MIT and LGPLv2
|
||||
URL: http://www.dovecot.org/
|
||||
@ -30,6 +30,10 @@ Patch6005: dovecot-2.1.10-waitonline.patch
|
||||
|
||||
Patch6006: dovecot-2.2.20-initbysystemd.patch
|
||||
Patch6007: dovecot-2.2.22-systemd_w_protectsystem.patch
|
||||
Patch6008: CVE-2020-12673.patch
|
||||
Patch6009: CVE-2020-12674.patch
|
||||
Patch6010: CVE-2020-12100-1.patch
|
||||
Patch6011: CVE-2020-12100-2.patch
|
||||
|
||||
BuildRequires: gcc-c++ openssl-devel pam-devel zlib-devel bzip2-devel libcap-devel
|
||||
BuildRequires: libtool autoconf automake pkgconfig sqlite-devel libpq-devel
|
||||
@ -280,6 +284,9 @@ make check
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Oct 27 2020 wangyue <wangyue92@huawei.com> - 2.3.10.1-3
|
||||
- Fix CVE-2020-12673 CVE-2020-12674 CVE-2020-12100
|
||||
|
||||
* Tue Aug 4 2020 wangyue <wangyue92@huawei.com> - 2.3.10.1-2
|
||||
- fix changelog
|
||||
|
||||
|
||||