ports/opt (3.3): [notify] dovecot: update to 2.3.0.1, closes FS#1599

crux at crux.nu crux at crux.nu
Thu Mar 1 08:59:45 UTC 2018


commit b927b2f2d7680a3241d70b6c70f1ec8602169831
Author: Juergen Daubert <jue at jue.li>
Date:   Thu Mar 1 09:57:59 2018 +0100

    [notify] dovecot: update to 2.3.0.1, closes FS#1599
    
    security fix, see
    https://dovecot.org/list/dovecot-news/2018-February/000371.html

diff --git a/dovecot/.md5sum b/dovecot/.md5sum
index 3b4936f51..21943f3b4 100644
--- a/dovecot/.md5sum
+++ b/dovecot/.md5sum
@@ -1,5 +1,3 @@
-a1a5efc13766e3b2d0a154e9716f0f7a  CVE-2017-15132-1.patch
-f043e0bb2773cd38f74ada8c164524a6  CVE-2017-15132.patch
 ec342928dd97131f82dba41546741b5f  dovecot
-a8802617ddf68972f5f97bd8677e5856  dovecot-2.3.0.tar.gz
+865d6ad94c98ac3289fa06a77b1c014e  dovecot-2.3.0.1.tar.gz
 1cc42484b5515bddf47edcf26b288b6b  dovecot-config.patch
diff --git a/dovecot/.signature b/dovecot/.signature
index c9707c0a1..a7f0a14ea 100644
--- a/dovecot/.signature
+++ b/dovecot/.signature
@@ -1,9 +1,7 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/SkROei+JVsseDKn6SIUNsjxW4JVhAKiDa6r4HZW5ka8HbQjpy6OBAAyHGpg/+/NM5m9pchHJcjlYyFH2k1VXQs=
-SHA256 (Pkgfile) = f325affa0506d8e0a7f7ac40e81503af99fa2ee54a3a8c38a76205de6e8e396b
+RWSE3ohX2g5d/d5N12tWoNTQhb7I2Fr15CI5nf6EiZ2gY+6Rhbz6ryRonaZ1C0T02UcuQeVDNq4sOW7xEVNd5IwW2K3Msih3vQE=
+SHA256 (Pkgfile) = 4d2c31432a6ab2b7a42ea598e913f45ee22ddc15d7f1ba53d95ccf30896c884b
 SHA256 (.footprint) = d464c6eb14ad58ab166c901d6c1a6f66a010f3e934f3b1645a9cd20d24663b4b
-SHA256 (dovecot-2.3.0.tar.gz) = de60cb470d025e4dd0f8e8fbbb4b9316dfd4930eb949d307330669ffbeaf8581
-SHA256 (CVE-2017-15132.patch) = ddbfdb187e1e763aa10364e57ed82bd37d264d66ed01559a7dbdeccb9f41e91f
-SHA256 (CVE-2017-15132-1.patch) = 480980136322c3361ab334346218504397668df49d66afef0bca70b7e4d40fae
+SHA256 (dovecot-2.3.0.1.tar.gz) = ab772b3e214683aba347203c9391295552255c4d69afb324c7b8c8fc5ad6f153
 SHA256 (dovecot-config.patch) = a6f09e637f1ac15368d2d18736dc353e4a188959c5940dedd5306b689156e91c
 SHA256 (dovecot) = ead06d36290cca8be6be350f2c05edf53a4e9ce8aec5d5d663b1162ae96c17c7
diff --git a/dovecot/CVE-2017-15132-1.patch b/dovecot/CVE-2017-15132-1.patch
deleted file mode 100644
index b1d8b4923..000000000
--- a/dovecot/CVE-2017-15132-1.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From a9b135760aea6d1790d447d351c56b78889dac22 Mon Sep 17 00:00:00 2001
-From: Aki Tuomi <aki.tuomi at dovecot.fi>
-Date: Fri, 26 Jan 2018 10:55:54 +0200
-Subject: [PATCH] lib-auth: Remove request after abort
-
-Otherwise the request will still stay in hash table
-and get dereferenced when all requests are aborted
-causing an attempt to access free'd memory.
-
-Found by Apollon Oikonomopoulos <apoikos at debian.org>
-
-Broken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
----
- src/lib-auth/auth-client-request.c    | 2 ++
- src/lib-auth/auth-server-connection.c | 7 +++++++
- src/lib-auth/auth-server-connection.h | 2 ++
- 3 files changed, 11 insertions(+)
-
-diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
-index 046f7c307d..f6d0290a13 100644
---- a/src/lib-auth/auth-client-request.c
-+++ b/src/lib-auth/auth-client-request.c
-@@ -186,6 +186,8 @@ void auth_client_request_abort(struct auth_client_request **_request)
- 
- 	auth_client_send_cancel(request->conn->client, request->id);
- 	call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
-+	/* remove the request */
-+	auth_server_connection_remove_request(request->conn, request->id);
- 	pool_unref(&request->pool);
- }
- 
-diff --git a/src/lib-auth/auth-server-connection.c b/src/lib-auth/auth-server-connection.c
-index 9d65450fb3..7eea061cad 100644
---- a/src/lib-auth/auth-server-connection.c
-+++ b/src/lib-auth/auth-server-connection.c
-@@ -483,3 +483,10 @@ auth_server_connection_add_request(struct auth_server_connection *conn,
- 	hash_table_insert(conn->requests, POINTER_CAST(id), request);
- 	return id;
- }
-+
-+void auth_server_connection_remove_request(struct auth_server_connection *conn,
-+					   unsigned int id)
-+{
-+	i_assert(conn->handshake_received);
-+	hash_table_remove(conn->requests, POINTER_CAST(id));
-+}
-diff --git a/src/lib-auth/auth-server-connection.h b/src/lib-auth/auth-server-connection.h
-index 179b5dbd4c..c2c533a41d 100644
---- a/src/lib-auth/auth-server-connection.h
-+++ b/src/lib-auth/auth-server-connection.h
-@@ -40,4 +40,6 @@ void auth_server_connection_disconnect(struct auth_server_connection *conn,
- unsigned int
- auth_server_connection_add_request(struct auth_server_connection *conn,
- 				   struct auth_client_request *request);
-+void auth_server_connection_remove_request(struct auth_server_connection *conn,
-+					   unsigned int id);
- #endif
diff --git a/dovecot/CVE-2017-15132.patch b/dovecot/CVE-2017-15132.patch
deleted file mode 100644
index 6b147abef..000000000
--- a/dovecot/CVE-2017-15132.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060 Mon Sep 17 00:00:00 2001
-From: Timo Sirainen <timo.sirainen at dovecot.fi>
-Date: Mon, 18 Dec 2017 16:50:51 +0200
-Subject: [PATCH] lib-auth: Fix memory leak in auth_client_request_abort()
-
-This caused memory leaks when authentication was aborted. For example
-with IMAP:
-
-a AUTHENTICATE PLAIN
-*
-
-Broken by 9137c55411aa39d41c1e705ddc34d5bd26c65021
----
- src/lib-auth/auth-client-request.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
-index 480fb42b30..046f7c307d 100644
---- a/src/lib-auth/auth-client-request.c
-+++ b/src/lib-auth/auth-client-request.c
-@@ -186,6 +186,7 @@ void auth_client_request_abort(struct auth_client_request **_request)
- 
- 	auth_client_send_cancel(request->conn->client, request->id);
- 	call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
-+	pool_unref(&request->pool);
- }
- 
- unsigned int auth_client_request_get_id(struct auth_client_request *request)
diff --git a/dovecot/Pkgfile b/dovecot/Pkgfile
index a9f4f109e..4c0b42b99 100644
--- a/dovecot/Pkgfile
+++ b/dovecot/Pkgfile
@@ -4,18 +4,13 @@
 # Depends on:  zlib bzip2 openssl libcap
 
 name=dovecot
-version=2.3.0
-release=3
+version=2.3.0.1
+release=1
 source=(https://dovecot.org/releases/2.3/$name-$version.tar.gz
-        CVE-2017-15132.patch CVE-2017-15132-1.patch
         dovecot-config.patch dovecot)
 
 build () {
-    cd $name-ce-$version
-
-    patch -p1 -i $SRC/CVE-2017-15132.patch
-    patch -p1 -i $SRC/CVE-2017-15132-1.patch
-    patch -p1 -i $SRC/$name-config.patch
+    cd $name-$version
 
     ./configure --prefix=/usr \
                 --libexecdir=/usr/lib \


More information about the CRUX mailing list