Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id 
<6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #981239,
regarding buster-pu: package dovecot/1:2.3.4.1-5+deb10u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
981239: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981239
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

I'd like to update the dovecot IMAP suite in buster to address bug #970386.
This bug involves a server crash that's triggered when issuing a server-side
full-text search against a mailbox containing messages with certain malformed
MIME components.  The fix cherry-picked cleanly from upstream and I have
confirmed that it addresses the issue.

Thanks
noah
diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog
--- dovecot-2.3.4.1/debian/changelog    2020-12-28 15:18:55.000000000 -0800
+++ dovecot-2.3.4.1/debian/changelog    2021-01-27 16:35:17.000000000 -0800
@@ -1,3 +1,10 @@
+dovecot (1:2.3.4.1-5+deb10u6) buster; urgency=medium
+
+  * Backport upstream fix for crash that occurred when searching mailboxes
+    containing malformed MIME messages. (Closes: #970386)
+
+ -- Noah Meyerhans <no...@debian.org>  Wed, 27 Jan 2021 16:35:17 -0800
+
 dovecot (1:2.3.4.1-5+deb10u5) buster-security; urgency=high
 
   * Import upstream fix for security issues:
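Review bot: The new changelog entry says "Backport upstream fix" without saying which upstream commit was backported. Naming the commit here, or in an Origin: field in the header of debian/patches/bug970386.patch, would let a later reader confirm that the backport matches upstream.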
diff -Nru dovecot-2.3.4.1/debian/patches/bug970386.patch 
dovecot-2.3.4.1/debian/patches/bug970386.patch
--- dovecot-2.3.4.1/debian/patches/bug970386.patch      1969-12-31 
16:00:00.000000000 -0800
+++ dovecot-2.3.4.1/debian/patches/bug970386.patch      2021-01-27 
16:35:17.000000000 -0800
@@ -0,0 +1,90 @@
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970386
+From: Timo Sirainen <timo.sirai...@open-xchange.com>
+Date: Mon, 31 Aug 2020 20:38:42 +0300
+Subject: [PATCH] lib-mail: message_parser_init_from_parts() - Fix crash if
+ MIME boundaries don't end
+
+If the last "boundary--" doens't exist, the parsing assert-crashed at
+deinit. This mainly happened when searching mails.
+
+Fixes:
+Panic: file message-parser.c: line 175 (message_part_finish): assertion 
failed: (ctx->nested_parts_count > 0)
+---
+ src/lib-mail/message-parser.c      | 13 ++++++++-----
+ src/lib-mail/test-message-parser.c | 21 ++++++++++++++++++++-
+ 2 files changed, 28 insertions(+), 6 deletions(-)
+
+Index: dovecot/src/lib-mail/message-parser.c
+===================================================================
+--- dovecot.orig/src/lib-mail/message-parser.c
++++ dovecot/src/lib-mail/message-parser.c
+@@ -138,6 +138,7 @@ message_part_append(struct message_parse
+       struct message_part *parent = ctx->part;
+       struct message_part *part;
+ 
++      i_assert(!ctx->preparsed);
+       i_assert(parent != NULL);
+       i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART |
+                                  MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0);
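Review bot: The added `i_assert(!ctx->preparsed)` at the top of message_part_append() introduces a new panic path in a patch whose purpose is to remove an assert crash triggered by mailbox content, and it carries no comment explaining the invariant. A short comment saying why a preparsed context must never append parts, plus confirmation that malformed input cannot steer the preparsed path into this function, would make the assertion safe to rely on.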
+@@ -171,12 +172,14 @@ static void message_part_finish(struct m
+ {
+       struct message_part **const *parent_next_partp;
+ 
+-      i_assert(ctx->nested_parts_count > 0);
+-      ctx->nested_parts_count--;
+-
+-      parent_next_partp = array_back(&ctx->next_part_stack);
+-      array_pop_back(&ctx->next_part_stack);
+-      ctx->next_part = *parent_next_partp;
++      if (!ctx->preparsed) {
++              i_assert(ctx->nested_parts_count > 0);
++              ctx->nested_parts_count--;
++
++              parent_next_partp = array_back(&ctx->next_part_stack);
++              array_pop_back(&ctx->next_part_stack);
++              ctx->next_part = *parent_next_partp;
++      }
+ 
+       message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
+       message_size_add(&ctx->part->parent->body_size, 
&ctx->part->header_size);
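Review bot: In message_part_finish(), the two message_size_add() calls after the new `if (!ctx->preparsed)` block still run for preparsed contexts and dereference ctx->part->parent, while the only check visible in this function, `i_assert(ctx->nested_parts_count > 0)`, now applies to the non-preparsed case alone. Consider stating, in a comment or an explicit check, why ctx->part->parent is guaranteed to be non-NULL when preparsed and why the stack bookkeeping is skipped in that case.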
+Index: dovecot/src/lib-mail/test-message-parser.c
+===================================================================
+--- dovecot.orig/src/lib-mail/test-message-parser.c
++++ dovecot/src/lib-mail/test-message-parser.c
+@@ -180,9 +180,10 @@ static void test_message_parser_small_bl
+ static void test_message_parser_stop_early(void)
+ {
+       struct message_parser_ctx *parser;
+-      struct istream *input;
++      struct istream *input, *input2;
+       struct message_part *parts;
+       struct message_block block;
++      const char *error;
+       unsigned int i;
+       pool_t pool;
+       int ret;
+@@ -200,6 +201,24 @@ static void test_message_parser_stop_ear
+                                                             &block)) > 0) ;
+               test_assert(ret == 0);
+               message_parser_deinit(&parser, &parts);
++
++              /* test preparsed - first re-parse everything with a stream
++                 that sees EOF at this position */
++              input2 = i_stream_create_from_data(test_msg, i);
++              parser = message_parser_init(pool, input2, &set_empty);
++              while ((ret = message_parser_parse_next_block(parser,
++                                                            &block)) > 0) ;
++              test_assert(ret == -1);
++              message_parser_deinit(&parser, &parts);
++
++              /* now parse from the parts */
++              i_stream_seek(input2, 0);
++              parser = message_parser_init_from_parts(parts, input2, 
&set_empty);
++              while ((ret = message_parser_parse_next_block(parser,
++                                                            &block)) > 0) ;
++              test_assert(ret == -1);
++              test_assert(message_parser_deinit_from_parts(&parser, &parts, 
&error) == 0);
++              i_stream_unref(&input2);
+       }
+ 
+       i_stream_unref(&input);
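Review bot: In the block added to test_message_parser_stop_early(), `error` is filled in by message_parser_deinit_from_parts() but never reported, so a failing `test_assert(... == 0)` gives no indication of what the parser rejected. Including the error string in the failure output would make a regression at a given truncation offset `i` diagnosable.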
diff -Nru dovecot-2.3.4.1/debian/patches/series 
dovecot-2.3.4.1/debian/patches/series
--- dovecot-2.3.4.1/debian/patches/series       2020-12-28 15:18:55.000000000 
-0800
+++ dovecot-2.3.4.1/debian/patches/series       2021-01-27 16:35:17.000000000 
-0800
@@ -56,4 +56,5 @@
 CVE-2020-24386/0002-imap-Add-unit-test-for-imap-client-hibernate.patch
 CVE-2020-25275/0001-lib-mail-message-parser-Fix-assert-crash-when-enforc.patch
 CVE-2020-25275/0002-lib-imap-Don-t-generate-invalid-BODYSTRUCTURE-when-r.patch
+bug970386.patch
 debian-changes

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---
