ports/opt (3.3): dovecot: add patch to fix CVE-2017-15132
commit 16fe609d4731753d73df3a3ef8bc50106b122a72 Author: Juergen Daubert <jue@jue.li> Date: Sun Jan 28 13:14:45 2018 +0100 dovecot: add patch to fix CVE-2017-15132 diff --git a/dovecot/.md5sum b/dovecot/.md5sum index f59088a2d..2e2132e60 100644 --- a/dovecot/.md5sum +++ b/dovecot/.md5sum @@ -1,3 +1,4 @@ +f043e0bb2773cd38f74ada8c164524a6 CVE-2017-15132.patch ec342928dd97131f82dba41546741b5f dovecot a8802617ddf68972f5f97bd8677e5856 dovecot-2.3.0.tar.gz 1cc42484b5515bddf47edcf26b288b6b dovecot-config.patch diff --git a/dovecot/.signature b/dovecot/.signature index 6988ebb3f..ccfd224cd 100644 --- a/dovecot/.signature +++ b/dovecot/.signature @@ -1,7 +1,8 @@ untrusted comment: verify with /etc/ports/opt.pub -RWSE3ohX2g5d/UHxeCrvPjhN5tTv7dKHPGA/w2A+pWGljrr3s6U7l7tTp/3JjzClS+UFrRG0vFfh/svIA2/VxOGZeiYrPHrDxwY= -SHA256 (Pkgfile) = 8f2d01c19f853782b6a9602829df8d6d4afa45c6171e3d2240c344080e80dfb4 +RWSE3ohX2g5d/SihfglHd/nyxWOIuJQMl+JGBQBCDkigF+pqp87P7EyBt9dC8e7bvYN/L5VAH5T1yYeOkiDQPNnRAogyCZk8qww= +SHA256 (Pkgfile) = 0bedafa60b3e7d7db93c113f28760308b77cdda87756884c0bf391f2b02c6a05 SHA256 (.footprint) = d464c6eb14ad58ab166c901d6c1a6f66a010f3e934f3b1645a9cd20d24663b4b SHA256 (dovecot-2.3.0.tar.gz) = de60cb470d025e4dd0f8e8fbbb4b9316dfd4930eb949d307330669ffbeaf8581 +SHA256 (CVE-2017-15132.patch) = ddbfdb187e1e763aa10364e57ed82bd37d264d66ed01559a7dbdeccb9f41e91f SHA256 (dovecot-config.patch) = a6f09e637f1ac15368d2d18736dc353e4a188959c5940dedd5306b689156e91c SHA256 (dovecot) = ead06d36290cca8be6be350f2c05edf53a4e9ce8aec5d5d663b1162ae96c17c7 diff --git a/dovecot/CVE-2017-15132.patch b/dovecot/CVE-2017-15132.patch new file mode 100644 index 000000000..6b147abef --- /dev/null +++ b/dovecot/CVE-2017-15132.patch 
@@ -0,0 +1,28 @@ +From 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@dovecot.fi> +Date: Mon, 18 Dec 2017 16:50:51 +0200 +Subject: [PATCH] lib-auth: Fix memory leak in auth_client_request_abort() + +This caused memory leaks when authentication was aborted. For example +with IMAP: + +a AUTHENTICATE PLAIN +* + +Broken by 9137c55411aa39d41c1e705ddc34d5bd26c65021 +--- + src/lib-auth/auth-client-request.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c +index 480fb42b30..046f7c307d 100644 +--- a/src/lib-auth/auth-client-request.c ++++ b/src/lib-auth/auth-client-request.c +@@ -186,6 +186,7 @@ void auth_client_request_abort(struct auth_client_request **_request) + + auth_client_send_cancel(request->conn->client, request->id); + call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL); ++ pool_unref(&request->pool); + } + + unsigned int auth_client_request_get_id(struct auth_client_request *request) diff --git a/dovecot/Pkgfile b/dovecot/Pkgfile index 67dfea341..32789e7e8 100644 --- a/dovecot/Pkgfile +++ b/dovecot/Pkgfile @@ -5,13 +5,15 @@ name=dovecot version=2.3.0 -release=1 -source=(https://dovecot.org/releases/2.3/$name-$version.tar.gz \ +release=2 +source=(https://dovecot.org/releases/2.3/$name-$version.tar.gz + CVE-2017-15132.patch dovecot-config.patch dovecot) build () { cd $name-ce-$version + patch -p1 -i $SRC/CVE-2017-15132.patch patch -p1 -i $SRC/$name-config.patch ./configure --prefix=/usr \
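Review bot: The added `pool_unref(&request->pool);` releases the request's pool right after `call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL)`, so the request pointer is dangling from that line on. The hunk does not show whether anything else can still reach the request at that point, for example a lookup by `request->id` on the connection or the callback itself. Before shipping the backport, check the full function in the 2.3.0 tree to confirm this is the last holder, since freeing one step too early would trade the memory leak for a use-after-free. A short comment above the added call, e.g. `/* abort is final: drop the request's own reference */`, would record that assumption. The body of auth_client_request_abort() starts above the hunk.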
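Review bot: The added `patch -p1 -i $SRC/CVE-2017-15132.patch` line in build() has no comment saying where the patch comes from or when it can be dropped, so a later version bump could keep a stale patch or lose the fix without anyone noticing. A comment above it would help, such as `# CVE-2017-15132: leak in auth_client_request_abort(), upstream 1a29ed2f96da; drop once the release tarball contains it`. Only the beginning of build() is visible in this hunk.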