--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package dovecot/1:2.3.4.1-5+deb10u4
- From: Noah Meyerhans <noahm@debian.org>
- Date: Wed, 26 Aug 2020 15:58:37 -0700
- Message-id: <159848271736.140651.10369438555742285534.reportbug@doom.morgul.net>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
I'd like to fix two upstream regressions in the dovecot version in buster.
These are documented in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930919
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928492
The changes are small and the relevant upstream commits apply cleanly. Both
issues have been confirmed fixed in unstable and testing, as well as in the
proposed buster updates.
There's already a buster security upload queued for the next buster point
release. The included debdiff is against that version, but I expect that
the upload should include the .changes content since the latest one actually
in the archive. Please confirm that. (That would be changelog entries for
both 1:2.3.4.1-5+deb10u3 and 1:2.3.4.1-5+deb10u4.)
noah
diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog
--- dovecot-2.3.4.1/debian/changelog 2020-08-10 18:03:03.000000000 -0700
+++ dovecot-2.3.4.1/debian/changelog 2020-08-26 13:54:40.000000000 -0700
@@ -1,5 +1,14 @@
+dovecot (1:2.3.4.1-5+deb10u4) buster; urgency=medium
+
+ * Import upstream fix for dsync sieve filter sync regression
+ (Closes: #930919)
+ * userdb-passwd: Fix getpwent errno handling (Closes: #928492)
+
+ -- Noah Meyerhans <noahm@debian.org> Wed, 26 Aug 2020 13:54:40 -0700
+
dovecot (1:2.3.4.1-5+deb10u3) buster-security; urgency=high
+ * Stable security update (Closes: #968302)
* Fix CVE-2020-12100 - Receiving mail with deeply nested MIME parts leads to
resource exhaustion as Dovecot attempts to parse it.
* CVE-2020-12673 - Dovecot's NTLM implementation does not correctly check
diff -Nru dovecot-2.3.4.1/debian/patches/bug928492.patch dovecot-2.3.4.1/debian/patches/bug928492.patch
--- dovecot-2.3.4.1/debian/patches/bug928492.patch 1969-12-31 16:00:00.000000000 -0800
+++ dovecot-2.3.4.1/debian/patches/bug928492.patch 2020-08-26 13:54:40.000000000 -0700
@@ -0,0 +1,46 @@
+From 414a7db1d15e57433dfc222bd6bf253c83166408 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@dovecot.fi>
+Date: Fri, 5 Oct 2018 10:18:35 +0300
+Subject: [PATCH] userdb-passwd: Fix getpwent errno handling
+
+In https://bugs.gentoo.org/667118 Reuben Farrelly
+noticed that running
+ # doveadm user '*'
+causes auth daemon to generate errors like:
+ auth-worker(3585): Error: getpwent() failed: Invalid argument
+
+This happens because on successful call getpwent()
+now sets errno=EINVAL starting from glibc-2.28.
+See https://sourceware.org/PR16004 for details.
+
+The fix is to reset 'errno' before 'getpwent()' is called.
+
+Reported-by: Reuben Farrelly
+Bug: https://bugs.gentoo.org/667118
+Bug: https://sourceware.org/PR16004
+Original-Author: Sergei Trofimovich <slyfox@gentoo.org>
+---
+ src/auth/userdb-passwd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/auth/userdb-passwd.c b/src/auth/userdb-passwd.c
+index ee8edf04ee..708762b84a 100644
+--- a/src/auth/userdb-passwd.c
++++ b/src/auth/userdb-passwd.c
+@@ -172,12 +172,16 @@ static void passwd_iterate_next(struct userdb_iterate_context *_ctx)
+ return;
+ }
+
++ /* reset errno since it might have been set when we got here */
+ errno = 0;
+ while ((pw = getpwent()) != NULL) {
+ if (passwd_iterate_want_pw(pw, set)) {
+ _ctx->callback(pw->pw_name, _ctx->context);
+ return;
+ }
++ /* getpwent might set errno to something even if it
++ returns non-NULL. */
++ errno = 0;
+ }
+ if (errno != 0) {
+ i_error("getpwent() failed: %m");
diff -Nru dovecot-2.3.4.1/debian/patches/debian-changes dovecot-2.3.4.1/debian/patches/debian-changes
--- dovecot-2.3.4.1/debian/patches/debian-changes 2020-08-10 18:03:03.000000000 -0700
+++ dovecot-2.3.4.1/debian/patches/debian-changes 2020-08-26 13:54:40.000000000 -0700
@@ -93780,7 +93780,7 @@
+#endif
--- /dev/null
+++ dovecot-2.3.4.1/pigeonhole/src/plugins/doveadm-sieve/doveadm-sieve-sync.c
-@@ -0,0 +1,747 @@
+@@ -0,0 +1,746 @@
+/* Copyright (c) 2002-2018 Pigeonhole authors, see the included COPYING file
+ */
+
@@ -94390,8 +94390,7 @@
+ siter->super = sbox->super.attribute_iter_init(box, type, prefix);
+
+ if (box->storage->user->dsyncing &&
-+ type == MAIL_ATTRIBUTE_TYPE_PRIVATE &&
-+ str_begins(prefix, MAILBOX_ATTRIBUTE_PREFIX_SIEVE)) {
++ type == MAIL_ATTRIBUTE_TYPE_PRIVATE) {
+ if (sieve_attribute_iter_script_init(siter) < 0)
+ siter->failed = TRUE;
+ }
diff -Nru dovecot-2.3.4.1/debian/patches/series dovecot-2.3.4.1/debian/patches/series
--- dovecot-2.3.4.1/debian/patches/series 2020-08-10 18:03:03.000000000 -0700
+++ dovecot-2.3.4.1/debian/patches/series 2020-08-26 13:54:40.000000000 -0700
@@ -51,4 +51,5 @@
CVE-2020-12100/0016-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch
CVE-2020-12673.patch
CVE-2020-12674/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
+bug928492.patch
debian-changes
--- End Message ---