
dovecot: 2.3.11.3 -> 2.3.13 #108404

Merged
merged 4 commits into from Jan 4, 2021

Conversation

andir
Member

@andir andir commented Jan 4, 2021

Motivation for this change

This fixes CVE-2020-24386, CVE-2020-25275 and a bunch of regular bugs [1].

  • CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
    allow a logged-in user to access other people's emails and filesystem
    information.

  • CVE-2020-25275: Mail delivery / parsing crashed when the 10 000th MIME part was
    message/rfc822 (or if parent was multipart/digest). This happened
    due to earlier MIME parsing changes for CVE-2020-12100.

[1] https://raw.githubusercontent.com/dovecot/core/2.3.13/NEWS

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)

@andir andir added 1.severity: security 8.has: port to stable A PR already has a backport to the stable release. labels Jan 4, 2021
@andir andir requested a review from dotlambda January 4, 2021 16:41
@andir andir mentioned this pull request Jan 4, 2021
While we already had some tests, we might as well add the test for that
exact package to the tests attribute set. After all, that should be what
(primarily) tests dovecot.
@ajs124
Member

ajs124 commented Jan 4, 2021

This seems to break the dovecot_pigeonhole build. There's also a new release of that.

@andir
Member Author

andir commented Jan 4, 2021

@ajs124 will test, do we have a nixos test for pigeonhole yet?

@ajs124
Member

ajs124 commented Jan 4, 2021

We don't, but I just deployed it to production.

This updates to the latest version. According to the changelog 0.5.12
was skipped. The changes in this release are required to be compatible
with the latest dovecot release.

Changes:
  - duplicate: The test was handled badly in a multiscript (sieve_before,
    sieve_after) scenario in which an earlier script in the sequence with
    a duplicate test succeeded, while a later script caused a runtime
    failure. In that case, the message is recorded for duplicate tracking,
    while the message may not actually have been delivered in the end.
  - editheader: Sieve interpreter entered infinite loop at startup when
    the "editheader" configuration listed an invalid header name. This
    problem can only be triggered by the administrator.
  - relational: The Sieve relational extension can cause a segfault at
    compile time. This is triggered by invalid script syntax. The segfault
    happens when this match type is the last argument of the test command.
    This situation is not possible in a valid script; positional arguments
    are normally present after that, which would prevent the segfault.
  - sieve: For some Sieve commands the provided mailbox name is not
    properly checked for UTF-8 validity, which can cause assert crashes at
    runtime when an invalid mailbox name is encountered. This can be
    caused by the user by writing a bad Sieve script involving the
    affected commands ("mailboxexists", "specialuse_exists").
    This can be triggered by the remote sender only when the user has
    written a Sieve script that passes message content to one of the
    affected commands.
  - sieve: Large sequences of 8-bit octets passed to certain Sieve
    commands that create or modify message headers that allow UTF-8 text
    (vacation, notify and addheader) can cause the delivery or IMAP
    process (when IMAPSieve is used) to enter a memory-consuming
    semi-infinite loop that ends when the process exceeds its memory
    limits. Logged in users can cause these hangs only for their own
    processes.
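The two "sieve" items in the changelog above describe mailbox names that were not checked for UTF-8 validity before use, so malformed input reached code that asserted on it and crashed the process. The following is an added example (not code from Dovecot or Pigeonhole, and the function names `utf8_is_valid` and `mailbox_name_valid` are hypothetical) of the kind of strict validation that turns such input into an ordinary runtime error instead of an assert crash: it rejects truncated sequences, overlong encodings, UTF-16 surrogates and code points above U+10FFFF, which are exactly the cases a lenient decoder lets through.

```c
/* Added example, not Dovecot/Pigeonhole code. Strict RFC 3629 UTF-8
 * validation of a mailbox name before it is handed to code that assumes
 * well-formed input. All function names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns the byte length of the well-formed UTF-8 sequence starting at s
 * (with n bytes available), or 0 if the sequence is malformed. */
static size_t utf8_sequence_len(const unsigned char *s, size_t n)
{
    if (n == 0)
        return 0;
    unsigned char c = s[0];
    if (c < 0x80)
        return 1;                                   /* plain ASCII */

    size_t len;
    uint32_t cp, min;
    if (c >= 0xC2 && c <= 0xDF)      { len = 2; cp = c & 0x1F; min = 0x80;    }
    else if (c >= 0xE0 && c <= 0xEF) { len = 3; cp = c & 0x0F; min = 0x800;   }
    else if (c >= 0xF0 && c <= 0xF4) { len = 4; cp = c & 0x07; min = 0x10000; }
    else
        return 0;   /* stray continuation byte, overlong lead C0/C1, or F5..FF */

    if (n < len)
        return 0;                                   /* truncated sequence */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;                               /* not a continuation byte */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min)
        return 0;                                   /* overlong encoding */
    if (cp >= 0xD800 && cp <= 0xDFFF)
        return 0;                                   /* UTF-16 surrogate */
    if (cp > 0x10FFFF)
        return 0;                                   /* beyond Unicode range */
    return len;
}

/* True if every byte of str[0..len) belongs to a well-formed sequence. */
bool utf8_is_valid(const char *str, size_t len)
{
    const unsigned char *s = (const unsigned char *)str;
    size_t i = 0;
    while (i < len) {
        size_t l = utf8_sequence_len(s + i, len - i);
        if (l == 0)
            return false;
        i += l;
    }
    return true;
}

/* Hypothetical guard: validate a mailbox name and report failure to the
 * caller instead of letting malformed bytes reach an assert further down. */
bool mailbox_name_valid(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    return utf8_is_valid(name, strlen(name));
}

int main(void)
{
    /* Constructed sample names: valid ASCII, valid multibyte, then the
     * malformed cases a lenient decoder typically accepts. */
    const char *samples[] = {
        "INBOX",
        "Archiv\xc3\xa9",              /* "Archivé" */
        "bad\xc0\xaf",                 /* overlong encoding of '/' */
        "trunc\xe2\x82",               /* truncated 3-byte sequence */
        "\xed\xa0\x80",                /* surrogate U+D800 */
        "\xf4\x90\x80\x80",            /* U+110000, above Unicode range */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", i < 2 ? samples[i] : "(malformed bytes)",
               mailbox_name_valid(samples[i]) ? "valid" : "rejected");
    return 0;
}
```

The check runs before any further processing of the name, so a script author (or a remote sender whose message content is passed to the affected commands) can at most trigger a logged rejection, not a process crash.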
@ofborg ofborg bot added the 6.topic: nixos label Jan 4, 2021
@andir
Member Author

andir commented Jan 4, 2021

@ajs124 should work now. I've also added it to the test and added the actual dovecot test to the passthru.tests attribute set. I've compiled the fts xapian plugin locally but we also do not have enough tests for it (and I do not have a working setup with that plugin enabled, right now).

Review comment on nixos/tests/dovecot.nix (outdated, resolved)
@lukegb
Contributor

lukegb commented Jan 4, 2021

@ofborg test opensmtpd-interaction dovecot

This plugin is used commonly enough that we should ensure it still
builds (and dovecot works) after loading it.

This is not yet perfect as we aren't testing any of its functionality,
but at least we ensure that dovecot continues to do the regular job.
@ajs124 ajs124 merged commit 59d08b1 into NixOS:master Jan 4, 2021
@SuperSandro2000
Member

Result of nixpkgs-review pr 108404 run on x86_64-darwin

3 packages failed to build:
  • dovecot
  • dovecot_fts_xapian
  • dovecot_pigeonhole

4 participants