Hi Apollon, On Tue, Apr 11, 2017 at 09:12:38AM +0300, Apollon Oikonomopoulos wrote: > Hi Salvatore, > > On 06:33 Tue 11 Apr , Salvatore Bonaccorso wrote: > > Timo and Aki, attached is the patch used for the version in Debian > > Jessie. > > > > Did I misss something obvious with backporting the commit to 2.2.13? > > > > Regards, > > Salvatore > > > From 000030feb7a30f193197f1aab8a7b04a26b42735 Mon Sep 17 00:00:00 2001 > > From: Aki Tuomi <[email protected]> > > Date: Mon, 6 Mar 2017 14:59:46 +0200 > > Subject: [PATCH] auth: Do not double-expand key in passdb dict when > > authenticating > > > > Broken by 79042f8c > > [carnil: Backport for context in 2.2.13] > > --- > > src/auth/db-dict.c | 7 +------ > > 1 file changed, 1 insertion(+), 6 deletions(-) > > > > --- a/src/auth/db-dict.c > > +++ b/src/auth/db-dict.c > > @@ -404,7 +404,7 @@ static int db_dict_iter_lookup_key_value > > continue; > > > > str_truncate(path, strlen(DICT_PATH_SHARED)); > > - var_expand(path, key->key->key, iter->var_expand_table); > > + str_append(path, key->key->key); > > ret = dict_lookup(iter->conn->dict, iter->pool, > > str_c(path), &key->value); > > if (ret > 0) { > > Your patch seems "correct", in that it's basically the same as > 21d083ff[1], i.e. upstream's own backport of 000030feb from master to > master-2.2. For the record, I also cherry-picked 21d083ff for 1:2.2.27-3 > which is currently sitting in unstable.
So the problem is present, and was a quite bad mistake on my end. Aki tracked it down, and although the patch applies back to 2.2.10 the vulnerability itself was only introduced with https://github.com/dovecot/core/commit/a3783f8a3c9cd816b51e77a922f82301512fcf22 and thus not back to 2.2.10. As Nick correctly noted, this broke then the version in Jessie. Thanks to Aki for the quick followup! So we need to revert the patch and release an advisory about the regression and the actually not present issue for Jessie itself. Salvatore

