packages/dovecot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2020-12673 CVE-2020-12674 CVE-2020-12100

Browse Source
This commit is contained in:
wang_yue111 2020-10-27 12:45:35 +08:00
parent 548582d70f
commit 28d156c54d
5 changed files with 3414 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3283
CVE-2020-12100-1.patch Normal file
View File

File diff suppressed because it is too large Load Diff

70
CVE-2020-12100-2.patch Normal file
View File

@ -0,0 +1,70 @@
From f691580f7450b41bb3de36d825fc46fa5071cabf Mon Sep 17 00:00:00 2001
Date: Mon, 26 Oct 2020 18:52:57 +0800
Subject: [PATCH] fix CVE-2020-12100
---
.../src/lib-sieve/plugins/notify/ext-notify-common.c | 3 ++-
.../src/lib-sieve/sieve-message.c | 12 ++++++------
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c
index 700b79d..9d950f3 100644
--- a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c
+++ b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c
@@ -156,6 +156,7 @@ cmd_notify_extract_body_text(const struct sieve_runtime_env *renv,
{
const struct sieve_execute_env *eenv = renv->exec_env;
const struct sieve_extension *this_ext = renv->oprtn->ext;
+ const struct message_parser_settings parser_set = { .flags = 0 };
struct ext_notify_message_context *mctx;
struct mail *mail = eenv->msgdata->mail;
struct message_parser_ctx *parser;
@@ -189,7 +190,7 @@ cmd_notify_extract_body_text(const struct sieve_runtime_env *renv,
/* Initialize body decoder */
decoder = message_decoder_init(NULL, 0);
- parser = message_parser_init(mctx->pool, input, 0, 0);
+ parser = message_parser_init(mctx->pool, input, &parser_set);
is_text = TRUE;
save_body = FALSE;
while ((ret = message_parser_parse_next_block(parser, &block)) > 0) {
diff --git a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c
index afbf31f..c791758 100644
--- a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c
+++ b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c
@@ -1081,10 +1081,10 @@ static int sieve_message_parts_add_missing
struct sieve_message_context *msgctx = renv->msgctx;
pool_t pool = msgctx->context_pool;
struct mail *mail = sieve_message_get_mail(renv->msgctx);
- enum message_parser_flags mparser_flags =
- MESSAGE_PARSER_FLAG_INCLUDE_MULTIPART_BLOCKS;
- enum message_header_parser_flags hparser_flags =
- MESSAGE_HEADER_PARSER_FLAG_SKIP_INITIAL_LWSP;
+ struct message_parser_settings parser_set = {
+ .hdr_flags = MESSAGE_HEADER_PARSER_FLAG_SKIP_INITIAL_LWSP,
+ .flags = MESSAGE_PARSER_FLAG_INCLUDE_MULTIPART_BLOCKS,
+ };
ARRAY(struct sieve_message_header) headers;
struct sieve_message_part *body_part, *header_part, *last_part;
struct message_parser_ctx *parser;
@@ -1121,7 +1121,7 @@ static int sieve_message_parts_add_missing
if (iter_all) {
t_array_init(&headers, 64);
hdr_content = t_str_new(512);
- hparser_flags |= MESSAGE_HEADER_PARSER_FLAG_CLEAN_ONELINE;
+ parser_set.hdr_flags |= MESSAGE_HEADER_PARSER_FLAG_CLEAN_ONELINE;
} else {
i_zero(&headers);
}
@@ -1133,7 +1133,7 @@ static int sieve_message_parts_add_missing
//parser = message_parser_init_from_parts(parts, input,
// hparser_flags, mparser_flags);
parser = message_parser_init(pool_datastack_create(),
- input, hparser_flags, mparser_flags);
+ input, &parser_set);
while ( (ret=message_parser_parse_next_block
(parser, &block)) > 0 ) {
struct sieve_message_part **body_part_idx;
--
2.23.0

31
CVE-2020-12673.patch Normal file
View File

@ -0,0 +1,31 @@
From fb246611e62ad8c5a95b0ca180a63f17aa34b0d8 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 18 May 2020 12:33:39 +0300
Subject: [PATCH] lib-ntlm: Check buffer length on responses
Add missing check for buffer length.
If this is not checked, it is possible to send message which
causes read past buffer bug.
Broken in c7480644202e5451fbed448508ea29a25cffc99c
---
src/lib-ntlm/ntlm-message.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
index 160b9f918c..a29413b47e 100644
--- a/src/lib-ntlm/ntlm-message.c
+++ b/src/lib-ntlm/ntlm-message.c
@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
if (length == 0 && space == 0)
return TRUE;
+ if (length > data_size) {
+ *error = "buffer length out of bounds";
+ return FALSE;
+ }
+
if (offset >= data_size) {
*error = "buffer offset out of bounds";
return FALSE;

22
CVE-2020-12674.patch Normal file
View File

@ -0,0 +1,22 @@
From 69ad3c902ea4bbf9f21ab1857d8923f975dc6145 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Wed, 6 May 2020 13:40:36 +0300
Subject: [PATCH] auth: mech-rpa - Fail on zero len buffer
---
src/auth/mech-rpa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
index 08298ebdd6..2de8705b4f 100644
--- a/src/auth/mech-rpa.c
+++ b/src/auth/mech-rpa.c
@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data,
return 0;
len = *p++;
- if (p + len > end)
+ if (p + len > end || len == 0)
return 0;
*buffer = p_malloc(pool, len);

9
dovecot.spec
View File

@ -6,7 +6,7 @@
Name: dovecot Name: dovecot
Version: 2.3.10.1 Version: 2.3.10.1
Release: 2 Release: 3
Summary: Dovecot Secure imap server Summary: Dovecot Secure imap server
License: MIT and LGPLv2 License: MIT and LGPLv2
URL: http://www.dovecot.org/ URL: http://www.dovecot.org/
@ -30,6 +30,10 @@ Patch6005: dovecot-2.1.10-waitonline.patch
Patch6006: dovecot-2.2.20-initbysystemd.patch Patch6006: dovecot-2.2.20-initbysystemd.patch
Patch6007: dovecot-2.2.22-systemd_w_protectsystem.patch Patch6007: dovecot-2.2.22-systemd_w_protectsystem.patch
Patch6008: CVE-2020-12673.patch
Patch6009: CVE-2020-12674.patch
Patch6010: CVE-2020-12100-1.patch
Patch6011: CVE-2020-12100-2.patch
BuildRequires: gcc-c++ openssl-devel pam-devel zlib-devel bzip2-devel libcap-devel BuildRequires: gcc-c++ openssl-devel pam-devel zlib-devel bzip2-devel libcap-devel
BuildRequires: libtool autoconf automake pkgconfig sqlite-devel libpq-devel BuildRequires: libtool autoconf automake pkgconfig sqlite-devel libpq-devel
@ -280,6 +284,9 @@ make check
%changelog %changelog
* Tue Oct 27 2020 wangyue <wangyue92@huawei.com> - 2.3.10.1-3
- Fix CVE-2020-12673 CVE-2020-12674 CVE-2020-12100
* Tue Aug 4 2020 wangyue <wangyue92@huawei.com> - 2.3.10.1-2 * Tue Aug 4 2020 wangyue <wangyue92@huawei.com> - 2.3.10.1-2
- fix changelog - fix changelog