Upgrade to 2.3.10.1 to fix CVE-2020-10967, CVE-2020-10958, CVE-2020-10957

This commit is contained in:
wang_yue111 2020-08-03 14:20:28 +08:00
parent 231075119f
commit a7d15e8a28
22 changed files with 150 additions and 420 deletions


@ -1,62 +0,0 @@
From 973769d74433de3c56c4ffdf4f343cb35d98e4f7 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Tue, 2 Apr 2019 13:09:48 +0300
Subject: [PATCH] lib: json - Escape invalid UTF-8 as unicode bytes
This prevents dovecot from crashing if invalid UTF-8 input
is given.
---
src/lib/json-parser.c | 12 ++++++++----
src/lib/test-json-parser.c | 8 ++++----
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/lib/json-parser.c b/src/lib/json-parser.c
index 677091d649..e7846a329f 100644
--- a/src/lib/json-parser.c
+++ b/src/lib/json-parser.c
@@ -803,9 +803,13 @@ void json_append_escaped_data(string_t *dest, const unsigned char *src, size_t s
for (i = 0; i < size;) {
bytes = uni_utf8_get_char_n(src+i, size-i, &chr);
- /* refuse to add invalid data */
- i_assert(bytes > 0 && uni_is_valid_ucs4(chr));
- json_append_escaped_ucs4(dest, chr);
- i += bytes;
+ if (bytes > 0 && uni_is_valid_ucs4(chr)) {
+ json_append_escaped_ucs4(dest, chr);
+ i += bytes;
+ } else {
+ str_append_data(dest, UNICODE_REPLACEMENT_CHAR_UTF8,
+ UTF8_REPLACEMENT_CHAR_LEN);
+ i++;
+ }
}
}
diff --git a/src/lib/test-json-parser.c b/src/lib/test-json-parser.c
index bae6fb202b..9ce1e489ba 100644
--- a/src/lib/test-json-parser.c
+++ b/src/lib/test-json-parser.c
@@ -267,20 +267,20 @@ static void test_json_append_escaped(void)
string_t *str = t_str_new(32);
test_begin("json_append_escaped()");
- json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7");
- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
+ json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff");
+ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
test_end();
}
static void test_json_append_escaped_data(void)
{
static const unsigned char test_input[] =
- "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7";
+ "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff";
string_t *str = t_str_new(32);
test_begin("json_append_escaped()");
json_append_escaped_data(str, test_input, sizeof(test_input)-1);
- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
+ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
test_end();
}


@ -1,31 +0,0 @@
From e9d60648abb9bbceff89882a5309cb9532e702e9 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@dovecot.fi>
Date: Thu, 25 Apr 2019 09:51:32 +0200
Subject: [PATCH 3/3] lib-smtp: smtp-server-cmd-auth - Fix AUTH response error
handling so that it stops reading more input.
Otherwise, it may try to read more data from the stream as the next AUTH
response, which causes an assert crash in the command parser later on. Even when
the parser finds no input from the stream, it will advance its state
towards AUTH response parsing, which is a problem when the next command is
subsequently being parsed.
Panic was:
Panic: file smtp-command-parser.c: line 438 (smtp_command_parse_next): assertion failed: (!parser->auth_response || parser->state.state == SMTP_COMMAND_PARSE_STATE_INIT || parser->state.state == SMTP_COMMAND_PARSE_STATE_ERROR)
---
src/lib-smtp/smtp-server-cmd-auth.c | 1 +
1 file changed, 1 insertion(+)
Index: dovecot-2.3.4.1/src/lib-smtp/smtp-server-cmd-auth.c
===================================================================
--- dovecot-2.3.4.1.orig/src/lib-smtp/smtp-server-cmd-auth.c 2019-04-29 07:39:15.045289307 -0400
+++ dovecot-2.3.4.1/src/lib-smtp/smtp-server-cmd-auth.c 2019-04-29 07:39:15.037289277 -0400
@@ -97,6 +97,7 @@ static void cmd_auth_input(struct smtp_s
smtp_server_connection_debug(conn,
"Client sent invalid AUTH response: %s", error);
+ smtp_server_command_input_lock(cmd);
switch (error_code) {
case SMTP_COMMAND_PARSE_ERROR_BROKEN_COMMAND:
conn->input_broken = TRUE;


@ -1,37 +0,0 @@
From f79745dae4a9a5fca33320e03a4fc9064b88d01e Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@dovecot.fi>
Date: Tue, 12 Mar 2019 03:18:33 +0100
Subject: [PATCH 2/3] submission-login: client-authenticate - Fix crash
occurring when client disconnects during authentication.
---
src/submission-login/client-authenticate.c | 3 +++
src/submission-login/client.c | 1 +
2 files changed, 4 insertions(+)
Index: dovecot-2.3.4.1/src/submission-login/client-authenticate.c
===================================================================
--- dovecot-2.3.4.1.orig/src/submission-login/client-authenticate.c 2019-04-29 07:39:05.705254949 -0400
+++ dovecot-2.3.4.1/src/submission-login/client-authenticate.c 2019-04-29 07:39:05.705254949 -0400
@@ -89,6 +89,9 @@ void submission_client_auth_result(struc
container_of(client, struct submission_client, common);
struct smtp_server_cmd_ctx *cmd = subm_client->pending_auth;
+ if (subm_client->conn == NULL)
+ return;
+
subm_client->pending_auth = NULL;
i_assert(cmd != NULL);
Index: dovecot-2.3.4.1/src/submission-login/client.c
===================================================================
--- dovecot-2.3.4.1.orig/src/submission-login/client.c 2019-04-29 07:39:05.705254949 -0400
+++ dovecot-2.3.4.1/src/submission-login/client.c 2019-04-29 07:39:05.705254949 -0400
@@ -176,6 +176,7 @@ static void client_connection_disconnect
{
struct submission_client *client = context;
+ client->pending_auth = NULL;
client_disconnect(&client->common, reason);
}


@ -1,22 +0,0 @@
From 754f791dd26313de8d75b740bddd1a192f11bf3f Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@dovecot.fi>
Date: Tue, 23 Apr 2019 00:13:46 +0200
Subject: [PATCH 1/3] submission-login: Remove unused client->pending_starttls.
---
src/submission-login/client.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: dovecot-2.3.4.1/src/submission-login/client.h
===================================================================
--- dovecot-2.3.4.1.orig/src/submission-login/client.h 2019-04-29 07:38:39.541158696 -0400
+++ dovecot-2.3.4.1/src/submission-login/client.h 2019-04-29 07:38:39.537158682 -0400
@@ -22,7 +22,7 @@ struct submission_client {
const struct submission_login_settings *set;
struct smtp_server_connection *conn;
- struct smtp_server_cmd_ctx *pending_auth, *pending_starttls;
+ struct smtp_server_cmd_ctx *pending_auth;
enum submission_proxy_state proxy_state;
enum smtp_capability proxy_capability;


@ -1,22 +0,0 @@
From d21218b416c7f26cb42a491bbd04bcd0d6a65b51 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Wed, 16 Jan 2019 18:28:57 +0200
Subject: [PATCH 1/3] auth: Do not import empty certificate username
---
src/auth/auth-request.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: dovecot-2.3.2.1/src/auth/auth-request.c
===================================================================
--- dovecot-2.3.2.1.orig/src/auth/auth-request.c 2019-01-28 08:49:08.117668002 -0500
+++ dovecot-2.3.2.1/src/auth/auth-request.c 2019-01-28 08:49:08.113667992 -0500
@@ -454,7 +454,7 @@ bool auth_request_import_auth(struct aut
else if (strcmp(key, "valid-client-cert") == 0)
request->valid_client_cert = TRUE;
else if (strcmp(key, "cert_username") == 0) {
- if (request->set->ssl_username_from_cert) {
+ if (request->set->ssl_username_from_cert && *value != '\0') {
/* get username from SSL certificate. it overrides
the username given by the auth mechanism. */
request->user = p_strdup(request->pool, value);


@ -1,31 +0,0 @@
From 1a6d921b831af5228e8ad493a88bc46bdb30ca4b Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Wed, 16 Jan 2019 18:24:20 +0200
Subject: [PATCH 2/3] auth: Fail authentication if certificate username was
unexpectedly missing
---
src/auth/auth-request-handler.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
index ae7b458c9..318f15031 100644
--- a/src/auth/auth-request-handler.c
+++ b/src/auth/auth-request-handler.c
@@ -581,6 +581,14 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
return TRUE;
}
+ if (request->set->ssl_require_client_cert &&
+ request->set->ssl_username_from_cert &&
+ !request->cert_username) {
+ auth_request_handler_auth_fail(handler, request,
+ "SSL certificate didn't contain username");
+ return TRUE;
+ }
+
/* Handle initial respose */
if (initial_resp == NULL) {
/* No initial response */
--
2.11.0


@ -1,88 +0,0 @@
From 3f109288a477fbf69db300b55d0dd8cd1c4da8ea Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Tue, 15 Jan 2019 17:36:37 +0200
Subject: [PATCH 3/3] login-common: Ensure we get username from certificate
---
src/login-common/sasl-server.c | 52 +++++++++++++++++++++++++++++++++++++++---
1 file changed, 49 insertions(+), 3 deletions(-)
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index dedfb5b8f..ea14c0b6e 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -338,6 +338,43 @@ authenticate_callback(struct auth_client_request *request,
}
}
+static bool get_cert_username(struct client *client, const char **username_r,
+ const char **error_r)
+{
+ /* this was proxied connection, so we use the name here */
+ if (client->client_cert_common_name != NULL) {
+ *username_r = client->client_cert_common_name;
+ return TRUE;
+ }
+
+ /* no SSL */
+ if (client->ssl_iostream == NULL) {
+ *username_r = NULL;
+ return TRUE;
+ }
+
+ /* no client certificate */
+ if (!ssl_iostream_has_valid_client_cert(client->ssl_iostream)) {
+ *username_r = NULL;
+ return TRUE;
+ }
+
+ /* get peer name */
+ const char *username = ssl_iostream_get_peer_name(client->ssl_iostream);
+
+ /* if we wanted peer name, but it was not there, fail */
+ if (client->set->auth_ssl_username_from_cert &&
+ (username == NULL || *username == '\0')) {
+ if (client->set->auth_ssl_require_client_cert) {
+ *error_r = "Missing username in certificate";
+ return FALSE;
+ }
+ }
+
+ *username_r = username;
+ return TRUE;
+}
+
void sasl_server_auth_begin(struct client *client,
const char *service, const char *mech_name,
const char *initial_resp_base64,
@@ -345,6 +382,7 @@ void sasl_server_auth_begin(struct client *client,
{
struct auth_request_info info;
const struct auth_mech_desc *mech;
+ const char *error;
i_assert(auth_client_is_connected(auth_client));
@@ -376,9 +414,17 @@ void sasl_server_auth_begin(struct client *client,
info.mech = mech->name;
info.service = service;
info.session_id = client_get_session_id(client);
- if (client->client_cert_common_name != NULL)
- info.cert_username = client->client_cert_common_name;
- else if (client->ssl_iostream != NULL) {
+
+ if (!get_cert_username(client, &info.cert_username, &error)) {
+ client_log_err(client, t_strdup_printf("Cannot get username "
+ "from certificate: %s", error));
+ sasl_server_auth_failed(client,
+ "Unable to validate certificate",
+ AUTH_CLIENT_FAIL_CODE_AUTHZFAILED);
+ return;
+ }
+
+ if (client->ssl_iostream != NULL) {
info.cert_username = ssl_iostream_get_peer_name(client->ssl_iostream);
info.ssl_cipher = ssl_iostream_get_cipher(client->ssl_iostream,
&info.ssl_cipher_bits);
--
2.11.0


@ -1,34 +0,0 @@
From 578cf77e84b3d25e2f95f08133a2b0b212aa77cc Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Mon, 4 Feb 2019 19:23:02 -0800
Subject: [PATCH 1/2] lib-storage: Fix buffer overflow when reading oversized
hdr-pop3-uidl header
---
src/lib-storage/index/index-pop3-uidl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib-storage/index/index-pop3-uidl.c b/src/lib-storage/index/index-pop3-uidl.c
index 13b7363ef..e537e9ff5 100644
--- a/src/lib-storage/index/index-pop3-uidl.c
+++ b/src/lib-storage/index/index-pop3-uidl.c
@@ -37,7 +37,7 @@ bool index_pop3_uidl_can_exist(struct mail *mail)
/* this header isn't set yet */
return TRUE;
}
- memcpy(&uidl, data, size);
+ memcpy(&uidl, data, sizeof(uidl));
return mail->uid <= uidl.max_uid_with_pop3_uidl;
}
@@ -95,7 +95,7 @@ void index_pop3_uidl_update_exists_finish(struct mailbox_transaction_context *tr
/* check if we have already the same header */
if (size >= sizeof(uidl)) {
- memcpy(&uidl, data, size);
+ memcpy(&uidl, data, sizeof(uidl));
if (trans->highest_pop3_uidl_uid == uidl.max_uid_with_pop3_uidl)
return;
}
--
2.11.0


@ -1,11 +0,0 @@
--- a/src/plugins/fts/fts-api.c 2018-04-30 21:52:04.000000000 +0800
+++ b/src/plugins/fts/fts-api.c 2019-04-04 17:51:00.170000000 +0800
@@ -425,7 +425,7 @@ bool fts_index_get_header(struct mailbox
i_zero(hdr_r);
ret = FALSE;
} else {
- memcpy(hdr_r, data, data_size);
+ memcpy(hdr_r, data, sizeof(*hdr_r));
ret = TRUE;
}
mail_index_view_close(&view);


@ -1,48 +0,0 @@
From cddc8f4bc21e2fc92b2570d24129d1c0bacd1cce Mon Sep 17 00:00:00 2001
From: lyn1001 <thistleslyn@163.com>
Date: Wed, 27 May 2020 14:50:08 +0800
Subject: [PATCH] Fix building with GCC9
---
dovecot-2.3.3/src/lib-smtp/smtp-address.c | 10 ++++++++++
dovecot-2.3.3/src/lib-smtp/smtp-address.h | 3 +--
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/lib-smtp/smtp-address.c b/src/lib-smtp/smtp-address.c
index bb31d34..9bb5313 100644
--- a/src/lib-smtp/smtp-address.c
+++ b/src/lib-smtp/smtp-address.c
@@ -297,6 +297,16 @@ smtp_parse_username(struct smtp_address_parser *aparser)
return ret;
}
+struct smtp_address *SMTP_ADDRESS_LITERAL(const char *localpart,const char *domain)
+{
+ static struct smtp_address sa;
+
+ sa.localpart = localpart;
+ sa.domain = domain;
+
+ return &sa;
+}
+
int smtp_address_parse_mailbox(pool_t pool,
const char *mailbox, enum smtp_address_parse_flags flags,
struct smtp_address **address_r, const char **error_r)
diff --git a/src/lib-smtp/smtp-address.h b/src/lib-smtp/smtp-address.h
index 2556e4f..8828e01 100644
--- a/src/lib-smtp/smtp-address.h
+++ b/src/lib-smtp/smtp-address.h
@@ -25,8 +25,7 @@ ARRAY_DEFINE_TYPE(smtp_address, struct smtp_address *);
ARRAY_DEFINE_TYPE(smtp_address_const, const struct smtp_address *);
/* Not const! Never return this as a result directly! */
-#define SMTP_ADDRESS_LITERAL(localpart, domain) \
- &((struct smtp_address){ (localpart), (domain) })
+struct smtp_address *SMTP_ADDRESS_LITERAL(const char *localpart,const char *domain);
/*
* SMTP address parsing
--
2.23.0


@ -0,0 +1,11 @@
--- dovecot-1.0.beta2/doc/mkcert.sh.configfile 2006-01-16 21:14:54.000000000 +0100
+++ dovecot-1.0.beta2/doc/mkcert.sh 2006-01-26 14:28:38.000000000 +0100
@@ -29,6 +29,7 @@
fi
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
-chmod 0600 $KEYFILE
+chown root:root $CERTFILE $KEYFILE
+chmod 0600 $CERTFILE $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
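Review bot: The added `chown root:root $CERTFILE $KEYFILE` is unchecked, unlike the openssl invocation two lines above that exits on failure; when mkcert.sh is run by a non-root user the chown fails silently and the script continues as if the key were secured. Either fail explicitly with `chown root:root $CERTFILE $KEYFILE || exit 2` or drop the chown, since files created by root already belong to root and the mkcert-paths patch elsewhere in this commit shows the script sets `umask 077`, so the key is never created readable by others. Quoting the variables (`"$CERTFILE" "$KEYFILE"`) would also survive paths with spaces, though the rest of the script leaves them unquoted.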


@ -0,0 +1,14 @@
diff -up dovecot-2.2.27/doc/mkcert.sh.mkcert-paths dovecot-2.2.27/doc/mkcert.sh
--- dovecot-2.2.27/doc/mkcert.sh.mkcert-paths 2016-12-05 10:26:07.913515286 +0100
+++ dovecot-2.2.27/doc/mkcert.sh 2016-12-05 10:28:25.439634417 +0100
@@ -5,8 +5,8 @@
umask 077
OPENSSL=${OPENSSL-openssl}
-SSLDIR=${SSLDIR-/etc/ssl}
-OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
+SSLDIR=${SSLDIR-/etc/pki/dovecot}
+OPENSSLCONFIG=${OPENSSLCONFIG-/etc/pki/dovecot/dovecot-openssl.cnf}
CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private


@ -0,0 +1,33 @@
diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100
@@ -322,6 +322,7 @@ protocol !indexer-worker {
# them simultaneously.
#mbox_read_locks = fcntl
#mbox_write_locks = dotlock fcntl
+mbox_write_locks = fcntl
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100
@@ -3,7 +3,9 @@
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
-#ssl = yes
+# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
+# plain imap and pop3 are still allowed for local connections
+ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ssl_cipher_list = PROFILE=SYSTEM
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
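Review bot: The added `ssl_cipher_list = PROFILE=SYSTEM` relies on the OpenSSL build understanding the crypto-policies `PROFILE=` cipher-string syntax; on an OpenSSL without that support the string fails to parse and TLS setup fails, so this should be confirmed against the openssl-devel this spec builds with. It also replaces the hardened explicit list shown in the commented line above it, which is worth saying in the comment, e.g. `# defer to the system-wide crypto policy instead of the list above`. The `ssl = required` comment is accurate for Dovecot, which still permits plaintext from local/secured connections.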


@ -0,0 +1,11 @@
diff -up dovecot-2.3.0.1/dovecot.service.in.waitonline dovecot-2.3.0.1/dovecot.service.in
--- dovecot-2.3.0.1/dovecot.service.in.waitonline 2018-03-01 10:35:39.888371078 +0100
+++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:36:29.738784661 +0100
@@ -12,6 +12,7 @@ After=local-fs.target network-online.tar
[Service]
Type=simple
+ExecStartPre=/usr/libexec/dovecot/prestartscript
ExecStart=@sbindir@/dovecot -F
PIDFile=@rundir@/master.pid
ExecReload=@bindir@/doveadm reload
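Review bot: `ExecStartPre=/usr/libexec/dovecot/prestartscript` names an absolute path that must exist when the unit starts, and nothing in the spec hunks visible on this page installs or lists it; the %install and %files hunks are only partly shown, so confirm it is packaged, because a missing ExecStartPre makes dovecot.service fail before ExecStart runs. A short comment above the line, such as `# waits for the network before dovecot binds its listeners`, would also record what the script is for, since the patch name is the only hint.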


@ -0,0 +1,46 @@
diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dovecot-init.service
--- dovecot-2.3.0.1/dovecot-init.service.initbysystemd 2018-03-01 10:38:22.059716008 +0100
+++ dovecot-2.3.0.1/dovecot-init.service 2018-03-01 10:38:22.059716008 +0100
@@ -0,0 +1,13 @@
+[Unit]
+Description=One-time Dovecot init service
+ConditionPathExists=|!/etc/pki/dovecot/certs/dovecot.pem
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/bin/sh -c '\
+if [ ! -f /etc/pki/dovecot/certs/dovecot.pem ]; \
+then\
+ SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\
+fi'
+
diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in
--- dovecot-2.3.0.1/dovecot.service.in.initbysystemd 2018-03-01 10:38:22.060716016 +0100
+++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:40:45.524901319 +0100
@@ -8,7 +8,8 @@
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
-After=local-fs.target network-online.target
+After=local-fs.target network-online.target dovecot-init.service
+Requires=dovecot-init.service
[Service]
Type=simple
diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am
--- dovecot-2.3.0.1/Makefile.am.initbysystemd 2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.0.1/Makefile.am 2018-03-01 10:38:22.060716016 +0100
@@ -63,9 +63,10 @@ if HAVE_SYSTEMD
systemdsystemunit_DATA = \
dovecot.socket \
- dovecot.service
+ dovecot.service \
+ dovecot-init.service
else
-EXTRA_DIST += dovecot.socket dovecot.service.in
+EXTRA_DIST += dovecot.socket dovecot.service.in dovecot-init.service
endif
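Review bot: In dovecot-init.service the ExecStart shell line ends with `/usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;`, which as printed passes `/dev/null` to mkcert.sh as a positional argument and only merges stderr into stdout; unless a `>` was lost in rendering, the intended form is `... /usr/libexec/dovecot/mkcert.sh >/dev/null 2>&1;`. Since this is a oneshot unit whose output already goes to the journal, dropping the redirection entirely may be preferable, as it keeps the generated certificate fingerprint and any failure reason visible. The trailing slash in `SSLDIR=/etc/pki/dovecot/` yields `/etc/pki/dovecot//certs`, harmless but inconsistent with the default set in the mkcert-paths patch.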
install-exec-hook:


@ -0,0 +1,11 @@
diff -up dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.2/dovecot.service.in
--- dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem 2018-07-09 12:00:13.359193526 +0200
+++ dovecot-2.3.2/dovecot.service.in 2018-07-09 12:00:46.387716884 +0200
@@ -23,6 +23,7 @@ ExecReload=@bindir@/doveadm reload
ExecStop=@bindir@/doveadm stop
PrivateTmp=true
NonBlocking=yes
+# this will make /usr /boot /etc read only for dovecot
ProtectSystem=full
ProtectHome=no
PrivateDevices=true




@ -1,12 +0,0 @@
diff -up dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt dovecot-2.3.0.1/src/auth/mycrypt.c
--- dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt 2018-02-28 15:28:58.000000000 +0100
+++ dovecot-2.3.0.1/src/auth/mycrypt.c 2018-03-27 10:57:38.447769201 +0200
@@ -14,6 +14,7 @@
# define _XPG6 /* Some Solaris versions require this, some break with this */
#endif
#include <unistd.h>
+#include <crypt.h>
#include "mycrypt.h"

dovecot-2.3.10.1.tar.gz Normal file




@ -5,8 +5,8 @@
%global _hardened_build 1
Name: dovecot
Version: 2.3.3
Release: 6
Version: 2.3.10.1
Release: 1
Summary: Dovecot Secure imap server
License: MIT and LGPLv2
URL: http://www.dovecot.org/
@ -14,23 +14,22 @@ Epoch: 1
Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
Source2: dovecot.pam
Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.3.tar.gz
%global pigeonholever 0.5.10
Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
Source9: dovecot.sysconfig
Source10: dovecot.tmpfilesd
Patch0001: dovecot-2.3.0.1-libxcrypt.patch
Patch0002: Fix-building-with-GCC9.patch
Patch6000: CVE-2019-7524.patch
Patch6001: CVE-2019-3814-1.patch
Patch6002: CVE-2019-3814-2.patch
Patch6003: CVE-2019-3814-3.patch
Patch6004: CVE-2019-7524-1.patch
Patch6005: CVE-2019-10691.patch
Patch6006: CVE-2019-11494-1.patch
Patch6007: CVE-2019-11494-2.patch
Patch6008: CVE-2019-11499.patch
Patch6009: CVE-2015-3420.patch
Patch6010: CVE-2016-8652.patch
Patch6000: CVE-2015-3420.patch
Patch6001: CVE-2016-8652.patch
Patch6002: dovecot-2.0-defaultconfig.patch
Patch6003: dovecot-1.0.beta2-mkcert-permissions.patch
Patch6004: dovecot-1.0.rc7-mkcert-paths.patch
#wait for network
Patch6005: dovecot-2.1.10-waitonline.patch
Patch6006: dovecot-2.2.20-initbysystemd.patch
Patch6007: dovecot-2.2.22-systemd_w_protectsystem.patch
BuildRequires: gcc-c++ openssl-devel pam-devel zlib-devel bzip2-devel libcap-devel
BuildRequires: libtool autoconf automake pkgconfig sqlite-devel libpq-devel
@ -71,7 +70,7 @@ Man pages and other related help documents for %{name}.
sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
%build
export CFLAGS="%{__global_cflags} -fno-strict-aliasing" LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
mkdir -p m4
autoreconf -I . -fiv #required for aarch64 support
@ -86,7 +85,7 @@ sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10
%make_build
cd dovecot-2*3-pigeonhole-0.5.3
cd dovecot-2*3-pigeonhole-%{pigeonholever}
[ -f configure ] || autoreconf -fiv
[ -f ChangeLog ] || echo "Pigeonhole ChangeLog is not available, yet" >ChangeLog
@ -101,7 +100,7 @@ cd -
%make_install
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
cd dovecot-2*3-pigeonhole-0.5.3
cd dovecot-2*3-pigeonhole-%{pigeonholever}
%make_install
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
@ -192,17 +191,17 @@ fi
%check
make check
cd dovecot-2*3-pigeonhole-0.5.3
cd dovecot-2*3-pigeonhole-%{pigeonholever}
make check
%files
%doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT NEWS README
%{_sbindir}/dovecot
%{_bindir}/{doveadm,doveconf,dsync}
%{_bindir}/{doveadm,doveconf,dsync,dovecot-sysreport}
%_tmpfilesdir/dovecot.conf
%{_unitdir}/{dovecot.service,dovecot.socket}
%{_unitdir}/{dovecot.service,dovecot.socket,dovecot-init.service}
%dir %{_sysconfdir}/dovecot
%dir %{_sysconfdir}/dovecot/conf.d
@ -281,6 +280,9 @@ make check
%changelog
* Sat Aug 1 wangyue <wangyue92@huawei.com> - 2.3.10.1
- Upgrade to 2.3.10.1 to fix CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
* Thu May 21 2020 yanan li <liyanan032@huawei.com> - 2.3.3-6
- Fix building with GCC9.
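Review bot: The new %changelog entry `* Sat Aug 1 wangyue <wangyue92@huawei.com> - 2.3.10.1` has no year, which rpmbuild is expected to reject as a bad %changelog date; the entry immediately below shows the accepted form. It should read `* Sat Aug 01 2020 wangyue <wangyue92@huawei.com> - 2.3.10.1-1`, carrying the release as the earlier `2.3.3-6` entry does. It would also help to state in the entry that the CVE-2019-* and GCC9 patch files are dropped because the upstream release supersedes them, so a later reader does not take the removals for lost fixes. The `sed -i 's|/etc/ssl|/etc/pki/dovecot|'` in %prep appears to overlap with the newly added mkcert-paths patch; if both apply, one of them is redundant.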