diff options
author | Eray Aslan <eras@gentoo.org> | 2022-07-08 09:11:58 +0300 |
---|---|---|
committer | Eray Aslan <eras@gentoo.org> | 2022-07-08 09:11:58 +0300 |
commit | 921f6d327e0d44ef9967b684763e6794ee818757 (patch) | |
tree | d5d42f08b01bbfc4dc00081eea7a5107f0031562 | |
parent | media-sound/picard: bump to 2.8.2, added missing deps (diff) | |
download | gentoo-921f6d327e0d44ef9967b684763e6794ee818757.tar.gz gentoo-921f6d327e0d44ef9967b684763e6794ee818757.tar.bz2 gentoo-921f6d327e0d44ef9967b684763e6794ee818757.zip |
net-mail/dovecot: security bump
Bug: https://bugs.gentoo.org/856733
Signed-off-by: Eray Aslan <eras@gentoo.org>
-rw-r--r-- | net-mail/dovecot/dovecot-2.3.19.1-r1.ebuild | 303 | ||||
-rw-r--r-- | net-mail/dovecot/files/CVE-2022-30550.patch | 155 |
2 files changed, 458 insertions, 0 deletions
diff --git a/net-mail/dovecot/dovecot-2.3.19.1-r1.ebuild b/net-mail/dovecot/dovecot-2.3.19.1-r1.ebuild new file mode 100644 index 000000000000..402e4f5e814a --- /dev/null +++ b/net-mail/dovecot/dovecot-2.3.19.1-r1.ebuild @@ -0,0 +1,303 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +LUA_COMPAT=( lua5-1 lua5-3 ) +# do not add a ssl USE flag. ssl is mandatory +SSL_DEPS_SKIP=1 +inherit autotools flag-o-matic lua-single ssl-cert systemd toolchain-funcs + +MY_P="${P/_/.}" +#MY_S="${PN}-ce-${PV}" +major_minor="$(ver_cut 1-2)" +sieve_version="0.5.19" +if [[ ${PV} == *_rc* ]]; then + rc_dir="rc/" +else + rc_dir="" +fi +SRC_URI="https://dovecot.org/releases/${major_minor}/${rc_dir}${MY_P}.tar.gz + sieve? ( + https://pigeonhole.dovecot.org/releases/${major_minor}/${rc_dir}${PN}-${major_minor}-pigeonhole-${sieve_version}.tar.gz + ) + managesieve? ( + https://pigeonhole.dovecot.org/releases/${major_minor}/${rc_dir}${PN}-${major_minor}-pigeonhole-${sieve_version}.tar.gz + ) " +DESCRIPTION="An IMAP and POP3 server written with security primarily in mind" +HOMEPAGE="https://www.dovecot.org/" + +SLOT="0" +LICENSE="LGPL-2.1 MIT" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + +IUSE_DOVECOT_AUTH="kerberos ldap lua mysql pam postgres sqlite" +IUSE_DOVECOT_COMPRESS="lz4 zstd" +IUSE_DOVECOT_OTHER="argon2 caps doc ipv6 lucene managesieve rpc + selinux sieve solr static-libs stemmer suid systemd tcpd textcat unwind" + +IUSE="${IUSE_DOVECOT_AUTH} ${IUSE_DOVECOT_COMPRESS} ${IUSE_DOVECOT_OTHER}" + +REQUIRED_USE="lua? ( ${LUA_REQUIRED_USE} )" + +DEPEND=" + app-arch/bzip2 + app-arch/xz-utils + dev-libs/icu:= + dev-libs/openssl:0= + sys-libs/zlib:= + virtual/libiconv + argon2? ( dev-libs/libsodium:= ) + caps? ( sys-libs/libcap ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap:= ) + lua? ( ${LUA_DEPS} ) + lucene? ( >=dev-cpp/clucene-2.3 ) + lz4? ( app-arch/lz4 ) + mysql? ( dev-db/mysql-connector-c:0= ) + pam? ( sys-libs/pam:= ) + postgres? ( dev-db/postgresql:* ) + rpc? ( net-libs/libtirpc:= net-libs/rpcsvc-proto ) + selinux? ( sec-policy/selinux-dovecot ) + solr? ( net-misc/curl dev-libs/expat ) + sqlite? ( dev-db/sqlite:* ) + stemmer? ( dev-libs/snowball-stemmer:= ) + suid? ( acct-group/mail ) + systemd? ( sys-apps/systemd:= ) + tcpd? ( sys-apps/tcp-wrappers ) + textcat? ( app-text/libexttextcat ) + unwind? ( sys-libs/libunwind:= ) + zstd? ( app-arch/zstd:= ) + virtual/libcrypt:= + " + +RDEPEND=" + ${DEPEND} + acct-group/dovecot + acct-group/dovenull + acct-user/dovecot + acct-user/dovenull + net-mail/mailbase + " + +S="${WORKDIR}/${MY_P}" + +PATCHES=( + "${FILESDIR}/${PN}"-autoconf-lua-version-v2.patch + "${FILESDIR}/${PN}"-socket-name-too-long.patch + "${FILESDIR}"/CVE-2022-30550.patch +) + +pkg_setup() { + use lua && lua-single_pkg_setup + if use managesieve && ! use sieve; then + ewarn "managesieve USE flag selected but sieve USE flag unselected" + ewarn "sieve USE flag will be turned on" + fi +} + +src_prepare() { + default + # bug 657108 + #elibtoolize + eautoreconf + + # Bug #727244 + append-cflags -fasynchronous-unwind-tables +} + +src_configure() { + local conf="" + + if use postgres || use mysql || use sqlite; then + conf="${conf} --with-sql" + fi + + # turn valgrind tests off. Bug #340791 + VALGRIND=no \ + LUAPC="${ELUA}" \ + systemdsystemunitdir="$(systemd_get_systemunitdir)" \ + econf \ + --with-rundir="${EPREFIX}/run/dovecot" \ + --with-statedir="${EPREFIX}/var/lib/dovecot" \ + --with-moduledir="${EPREFIX}/usr/$(get_libdir)/dovecot" \ + --disable-rpath \ + --with-bzlib \ + --without-libbsd \ + --with-lzma \ + --with-icu \ + --with-ssl \ + --with-zlib \ + $( use_with argon2 sodium ) \ + $( use_with caps libcap ) \ + $( use_with kerberos gssapi ) \ + $( use_with lua ) \ + $( use_with ldap ) \ + $( use_with lucene ) \ + $( use_with lz4 ) \ + $( use_with mysql ) \ + $( use_with pam ) \ + $( use_with postgres pgsql ) \ + $( use_with sqlite ) \ + $( use_with solr ) \ + $( use_with stemmer ) \ + $( use_with systemd ) \ + $( use_with tcpd libwrap ) \ + $( use_with textcat ) \ + $( use_with unwind libunwind ) \ + $( use_with zstd ) \ + $( use_enable static-libs static ) \ + ${conf} + + if use sieve || use managesieve; then + # The sieve plugin needs this file to be build to determine the plugin + # directory and the list of libraries to link to. + emake dovecot-config + cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed" + econf \ + $( use_enable static-libs static ) \ + --localstatedir="${EPREFIX}/var" \ + --enable-shared \ + --with-dovecot="${S}" \ + $( use_with ldap ) \ + $( use_with managesieve ) + fi +} + +src_compile() { + default + if use sieve || use managesieve; then + cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed" + emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}" + fi +} + +src_test() { + default + if use sieve || use managesieve; then + cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed" + default + fi +} + +src_install() { + default + + if use suid; then + einfo "Changing perms to allow deliver to be suided" + fowners root:mail "/usr/libexec/dovecot/dovecot-lda" + fperms 4750 "/usr/libexec/dovecot/dovecot-lda" + fi + + newinitd "${FILESDIR}"/dovecot.init-r6 dovecot + + rm -rf "${ED}"/usr/share/doc/dovecot + + dodoc AUTHORS NEWS README TODO + dodoc doc/*.{txt,cnf,xml,sh} + docinto example-config + dodoc doc/example-config/*.{conf,ext} + docinto example-config/conf.d + dodoc doc/example-config/conf.d/*.{conf,ext} + docinto wiki + dodoc doc/wiki/* + doman doc/man/*.{1,7} + + # Create the dovecot.conf file from the dovecot-example.conf file that + # the dovecot folks nicely left for us.... + local conf="${ED}/etc/dovecot/dovecot.conf" + local confd="${ED}/etc/dovecot/conf.d" + + insinto /etc/dovecot + doins doc/example-config/*.{conf,ext} + insinto /etc/dovecot/conf.d + doins doc/example-config/conf.d/*.{conf,ext} + fperms 0600 /etc/dovecot/dovecot-{ldap,sql}.conf.ext + rm -f "${confd}/../README" + + # .maildir is the Gentoo default + local mail_location="maildir:~/.maildir" + sed -i -e \ + "s|#mail_location =|mail_location = ${mail_location}|" \ + "${confd}/10-mail.conf" \ + || die "failed to update mail location settings in 10-mail.conf" + + # We're using pam files (imap and pop3) provided by mailbase + if use pam; then + sed -i -e '/driver = pam/,/^[ \t]*}/ s|#args = dovecot|args = "\*"|' \ + "${confd}/auth-system.conf.ext" \ + || die "failed to update PAM settings in auth-system.conf.ext" + # mailbase does not provide a sieve pam file + use managesieve && dosym imap /etc/pam.d/sieve + sed -i -e \ + 's/#!include auth-system.conf.ext/!include auth-system.conf.ext/' \ + "${confd}/10-auth.conf" \ + || die "failed to update PAM settings in 10-auth.conf" + fi + + # Disable ipv6 if necessary + if ! use ipv6; then + sed -i -e 's/^#listen = \*, ::/listen = \*/g' "${conf}" \ + || die "failed to update listen settings in dovecot.conf" + fi + + # Update ssl cert locations + sed -i -e 's:^#ssl = yes:ssl = yes:' "${confd}/10-ssl.conf" \ + || die "ssl conf failed" + sed -i -e 's:^ssl_cert =.*:ssl_cert = </etc/ssl/dovecot/server.pem:' \ + -e 's:^ssl_key =.*:ssl_key = </etc/ssl/dovecot/server.key:' \ + "${confd}/10-ssl.conf" || die "failed to update SSL settings in 10-ssl.conf" + + # Install SQL configuration + if use mysql || use postgres; then + sed -i -e \ + 's/#!include auth-sql.conf.ext/!include auth-sql.conf.ext/' \ + "${confd}/10-auth.conf" || die "failed to update SQL settings in \ + 10-auth.conf" + fi + + # Install LDAP configuration + if use ldap; then + sed -i -e \ + 's/#!include auth-ldap.conf.ext/!include auth-ldap.conf.ext/' \ + "${confd}/10-auth.conf" \ + || die "failed to update ldap settings in 10-auth.conf" + fi + + if use sieve || use managesieve; then + cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed" + emake DESTDIR="${ED}" install + sed -i -e \ + 's/^[[:space:]]*#mail_plugins = $mail_plugins/mail_plugins = sieve/' "${confd}/15-lda.conf" \ + || die "failed to update sieve settings in 15-lda.conf" + rm -rf "${ED}"/usr/share/doc/dovecot + docinto example-config/conf.d + dodoc doc/example-config/conf.d/*.conf + insinto /etc/dovecot/conf.d + doins doc/example-config/conf.d/90-sieve{,-extprograms}.conf + use managesieve && doins doc/example-config/conf.d/20-managesieve.conf + docinto sieve/rfc + dodoc doc/rfc/*.txt + docinto sieve/devel + dodoc doc/devel/DESIGN + docinto plugins + dodoc doc/plugins/*.txt + docinto extensions + dodoc doc/extensions/*.txt + docinto locations + dodoc doc/locations/*.txt + doman doc/man/*.{1,7} + fi + + use static-libs || find "${ED}"/usr/lib* -name '*.la' -delete +} + +pkg_postinst() { + # Let's not make a new certificate if we already have one + if ! [[ -e "${ROOT}"/etc/ssl/dovecot/server.pem && \ + -e "${ROOT}"/etc/ssl/dovecot/server.key ]]; then + einfo "Creating SSL certificate" + SSL_ORGANIZATION="${SSL_ORGANIZATION:-Dovecot IMAP Server}" + install_cert /etc/ssl/dovecot/server + fi +} diff --git a/net-mail/dovecot/files/CVE-2022-30550.patch b/net-mail/dovecot/files/CVE-2022-30550.patch new file mode 100644 index 000000000000..d7da1316f76f --- /dev/null +++ b/net-mail/dovecot/files/CVE-2022-30550.patch @@ -0,0 +1,155 @@ +From 7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Mon, 9 May 2022 15:23:33 +0300 +Subject: [PATCH 1/2] auth: Fix handling passdbs with identical driver/args but + different mechanisms/username_filter + +The passdb was wrongly deduplicated in this situation, causing wrong +mechanisms or username_filter setting to be used. This would be a rather +unlikely configuration though. + +Fixed by moving mechanisms and username_filter from struct passdb_module +to struct auth_passdb, which is where they should have been in the first +place. +--- + src/auth/auth-request.c | 6 +++--- + src/auth/auth.c | 18 ++++++++++++++++++ + src/auth/auth.h | 5 +++++ + src/auth/passdb.c | 15 ++------------- + src/auth/passdb.h | 4 ---- + 5 files changed, 28 insertions(+), 20 deletions(-) + +diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c +index cd08b1fa02..0ca29f3674 100644 +--- a/src/auth/auth-request.c ++++ b/src/auth/auth-request.c +@@ -534,8 +534,8 @@ auth_request_want_skip_passdb(struct auth_request *request, + struct auth_passdb *passdb) + { + /* if mechanism is not supported, skip */ +- const char *const *mechs = passdb->passdb->mechanisms; +- const char *const *username_filter = passdb->passdb->username_filter; ++ const char *const *mechs = passdb->mechanisms; ++ const char *const *username_filter = passdb->username_filter; + const char *username; + + username = request->fields.user; +@@ -548,7 +548,7 @@ auth_request_want_skip_passdb(struct auth_request *request, + return TRUE; + } + +- if (passdb->passdb->username_filter != NULL && ++ if (passdb->username_filter != NULL && + !auth_request_username_accepted(username_filter, username)) { + auth_request_log_debug(request, + request->mech != NULL ? AUTH_SUBSYS_MECH +diff --git a/src/auth/auth.c b/src/auth/auth.c +index f2f3fda20c..9f6c4ba60c 100644 +--- a/src/auth/auth.c ++++ b/src/auth/auth.c +@@ -99,6 +99,24 @@ auth_passdb_preinit(struct auth *auth, const struct auth_passdb_settings *set, + auth_passdb->override_fields_tmpl = + passdb_template_build(auth->pool, set->override_fields); + ++ if (*set->mechanisms == '\0') { ++ auth_passdb->mechanisms = NULL; ++ } else if (strcasecmp(set->mechanisms, "none") == 0) { ++ auth_passdb->mechanisms = (const char *const[]){ NULL }; ++ } else { ++ auth_passdb->mechanisms = ++ (const char *const *)p_strsplit_spaces(auth->pool, ++ set->mechanisms, " ,"); ++ } ++ ++ if (*set->username_filter == '\0') { ++ auth_passdb->username_filter = NULL; ++ } else { ++ auth_passdb->username_filter = ++ (const char *const *)p_strsplit_spaces(auth->pool, ++ set->username_filter, " ,"); ++ } ++ + /* for backwards compatibility: */ + if (set->pass) + auth_passdb->result_success = AUTH_DB_RULE_CONTINUE; +diff --git a/src/auth/auth.h b/src/auth/auth.h +index f700e29d5c..460a179765 100644 +--- a/src/auth/auth.h ++++ b/src/auth/auth.h +@@ -41,6 +41,11 @@ struct auth_passdb { + struct passdb_template *default_fields_tmpl; + struct passdb_template *override_fields_tmpl; + ++ /* Supported authentication mechanisms, NULL is all, {NULL} is none */ ++ const char *const *mechanisms; ++ /* Username filter, NULL is no filter */ ++ const char *const *username_filter; ++ + enum auth_passdb_skip skip; + enum auth_db_rule result_success; + enum auth_db_rule result_failure; +diff --git a/src/auth/passdb.c b/src/auth/passdb.c +index eb4ac8ae82..f5eed1af4f 100644 +--- a/src/auth/passdb.c ++++ b/src/auth/passdb.c +@@ -224,19 +224,8 @@ passdb_preinit(pool_t pool, const struct auth_passdb_settings *set) + passdb->id = ++auth_passdb_id; + passdb->iface = *iface; + passdb->args = p_strdup(pool, set->args); +- if (*set->mechanisms == '\0') { +- passdb->mechanisms = NULL; +- } else if (strcasecmp(set->mechanisms, "none") == 0) { +- passdb->mechanisms = (const char *const[]){NULL}; +- } else { +- passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,"); +- } +- +- if (*set->username_filter == '\0') { +- passdb->username_filter = NULL; +- } else { +- passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,"); +- } ++ /* NOTE: if anything else than driver & args are added here, ++ passdb_find() also needs to be updated. */ + array_push_back(&passdb_modules, &passdb); + return passdb; + } +diff --git a/src/auth/passdb.h b/src/auth/passdb.h +index 2e95328e5c..e466a9fdb6 100644 +--- a/src/auth/passdb.h ++++ b/src/auth/passdb.h +@@ -63,10 +63,6 @@ struct passdb_module { + /* Default password scheme for this module. + If default_cache_key is set, must not be NULL. */ + const char *default_pass_scheme; +- /* Supported authentication mechanisms, NULL is all, [NULL] is none*/ +- const char *const *mechanisms; +- /* Username filter, NULL is no filter */ +- const char *const *username_filter; + + /* If blocking is set to TRUE, use child processes to access + this passdb. */ + +From a1022072e2ce36f853873d910287f466165b184b Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Mon, 16 May 2022 14:58:45 +0200 +Subject: [PATCH 2/2] auth: Add a comment about updating userdb_find() + +--- + src/auth/userdb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/auth/userdb.c b/src/auth/userdb.c +index 0849659102..830bc2dd64 100644 +--- a/src/auth/userdb.c ++++ b/src/auth/userdb.c +@@ -158,7 +158,8 @@ userdb_preinit(pool_t pool, const struct auth_userdb_settings *set) + userdb->id = ++auth_userdb_id; + userdb->iface = iface; + userdb->args = p_strdup(pool, set->args); +- ++ /* NOTE: if anything else than driver & args are added here, ++ userdb_find() also needs to be updated. */ + array_push_back(&userdb_modules, &userdb); + return userdb; + } |