Your message dated Tue, 11 Apr 2017 14:41:00 +0000
with message-id <441f3fb5-4231-9c5d-87e6-09f85c951...@thykier.net>
and subject line Re: Bug#860085: unblock: dovecot/1:2.2.27-3
has caused the Debian Bug report #860085,
regarding unblock: dovecot/1:2.2.27-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
860085: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860085
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Dear Release Team,
Please unblock package dovecot
1:2.2.27-3 fixes a security issue (CVE-2017-2669 - #860049).
Additionally it includes a single change I had already queued up in git,
removing an irrelevant /etc/dovecot/README, which was registered as a
conffile and should have been removed a long time ago (see #849290).
Full source debdiff attached.
Thanks,
Apollon
unblock dovecot/1:2.2.27-3
diff -Nru dovecot-2.2.27/debian/changelog dovecot-2.2.27/debian/changelog
--- dovecot-2.2.27/debian/changelog 2016-12-15 22:24:56.000000000 +0200
+++ dovecot-2.2.27/debian/changelog 2017-04-11 00:46:54.000000000 +0300
@@ -1,3 +1,11 @@
+dovecot (1:2.2.27-3) unstable; urgency=high
+
+ * [117285a] Remove /etc/dovecot/README (Closes: #849290)
+ * [04e8ce3] auth: Do not double-expand key in passdb dict when
+ authenticating (CVE-2017-2669) (Closes: #860049)
+
+ -- Apollon Oikonomopoulos <apoi...@debian.org> Tue, 11 Apr 2017 00:46:54 +0300
+
dovecot (1:2.2.27-2) unstable; urgency=medium
* [30586e3] Fix SHA3 on big-endian architectures.
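Review bot: the urgency=high entry carries two unrelated changes, the README conffile removal [117285a] and the CVE-2017-2669 fix [04e8ce3], and the changelog text does not separate them. Since this upload is being reviewed as a security fix, put the CVE item first and mark the README removal as a packaging-only change, so it is clear which item justifies the urgency.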
diff -Nru dovecot-2.2.27/debian/dovecot-core.maintscript dovecot-2.2.27/debian/dovecot-core.maintscript
--- dovecot-2.2.27/debian/dovecot-core.maintscript 1970-01-01 02:00:00.000000000 +0200
+++ dovecot-2.2.27/debian/dovecot-core.maintscript 2017-04-11 00:46:54.000000000 +0300
@@ -0,0 +1 @@
+rm_conffile /etc/dovecot/README 1:2.2.27-3~
diff -Nru dovecot-2.2.27/debian/patches/CVE-2017-2669 dovecot-2.2.27/debian/patches/CVE-2017-2669
--- dovecot-2.2.27/debian/patches/CVE-2017-2669 1970-01-01 02:00:00.000000000 +0200
+++ dovecot-2.2.27/debian/patches/CVE-2017-2669 2017-04-11 00:43:09.000000000 +0300
@@ -0,0 +1,27 @@
+From 78c9c50cda5390bc748ed4962763df57650bc95a Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tu...@dovecot.fi>
+Date: Mon, 6 Mar 2017 14:59:46 +0200
+Subject: [PATCH] auth: Do not double-expand key in passdb dict when
+ authenticating
+
+Broken by 79042f8c
+---
+ src/auth/db-dict.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/auth/db-dict.c b/src/auth/db-dict.c
+index 138ac0dc3..93b5aa268 100644
+--- a/src/auth/db-dict.c
++++ b/src/auth/db-dict.c
+@@ -408,7 +408,7 @@ static int db_dict_iter_lookup_key_values(struct db_dict_value_iter *iter)
+ continue;
+
+ str_truncate(path, strlen(DICT_PATH_SHARED));
+- var_expand(path, key->key->key, iter->var_expand_table);
++ str_append(path, key->key->key);
+ ret = dict_lookup(iter->conn->dict, iter->pool,
+ str_c(path), &key->value);
+ if (ret > 0) {
+--
+2.11.0
+
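Review bot: at the replaced line in db_dict_iter_lookup_key_values(), nothing in the patch records why key->key->key can now be appended verbatim. The subject says the key was being expanded twice, but the header's only explanation is "Broken by 79042f8c". A reader of this file cannot tell where the first expansion happens or what made the second one a problem. Suggest a one-line comment above str_append(path, key->key->key); stating that the key is already expanded at this point. DEP-3 style header fields (Origin for the upstream commit, Bug-Debian pointing at #860049) would also link the patch to its upstream commit and Debian bug.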
diff -Nru dovecot-2.2.27/debian/patches/series dovecot-2.2.27/debian/patches/series
--- dovecot-2.2.27/debian/patches/series 2016-12-15 22:23:28.000000000 +0200
+++ dovecot-2.2.27/debian/patches/series 2017-04-11 00:44:11.000000000 +0300
@@ -9,3 +9,4 @@
dovecot_name.patch
libnss_location.patch
fix-sha3-on-big-endian.patch
+CVE-2017-2669
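Review bot: the new series entry CVE-2017-2669 has no .patch suffix, while the three entries above it (dovecot_name.patch, libnss_location.patch, fix-sha3-on-big-endian.patch) all do. Renaming the file to CVE-2017-2669.patch would keep debian/patches consistent and easier to glob.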
diff -Nru dovecot-2.2.27/debian/rules dovecot-2.2.27/debian/rules
--- dovecot-2.2.27/debian/rules 2016-12-06 16:17:02.000000000 +0200
+++ dovecot-2.2.27/debian/rules 2017-01-27 02:44:58.000000000 +0200
@@ -125,6 +125,7 @@
$(MAKE) install DESTDIR=$(CORE_DIR)
$(MAKE) -C $(PIGEONHOLE_DIR) install DESTDIR=$(CORE_DIR)
rm `find $(CURDIR)/debian -name '*.la'`
+ rm debian/dovecot-core/etc/dovecot/README
override_dh_install:
chmod 0700 debian/dovecot-core/etc/dovecot/private
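Review bot: the added rm debian/dovecot-core/etc/dovecot/README has no -f, so the build fails at this step if README is ever not installed at that path. If that failure is meant as a guard, say so in a comment; otherwise use rm -f. The two $(MAKE) lines above install into $(CORE_DIR); if that is the same directory, writing $(CORE_DIR)/etc/dovecot/README keeps the path in step with them.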
--- End Message ---
--- Begin Message ---
Apollon Oikonomopoulos:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Dear Release Team,
>
> Please unblock package dovecot
>
> 1:2.2.27-3 fixes a security issue (CVE-2017-2669 - #860049).
> Additionally it includes a single change I had already queued up in git,
> removing an irrelevant /etc/dovecot/README, which was registered as a
> conffile and should have been removed a long time ago (see #849290).
>
> Full source debdiff attached.
>
> Thanks,
> Apollon
>
> unblock dovecot/1:2.2.27-3
>
Unblocked, thanks.
~Niels
--- End Message ---