summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEray Aslan <eras@gentoo.org>2022-07-08 09:11:58 +0300
committerEray Aslan <eras@gentoo.org>2022-07-08 09:11:58 +0300
commit921f6d327e0d44ef9967b684763e6794ee818757 (patch)
treed5d42f08b01bbfc4dc00081eea7a5107f0031562
parentmedia-sound/picard: bump to 2.8.2, added missing deps (diff)
downloadgentoo-921f6d327e0d44ef9967b684763e6794ee818757.tar.gz
gentoo-921f6d327e0d44ef9967b684763e6794ee818757.tar.bz2
gentoo-921f6d327e0d44ef9967b684763e6794ee818757.zip
net-mail/dovecot: security bump
Bug: https://bugs.gentoo.org/856733 Signed-off-by: Eray Aslan <eras@gentoo.org>
-rw-r--r--net-mail/dovecot/dovecot-2.3.19.1-r1.ebuild303
-rw-r--r--net-mail/dovecot/files/CVE-2022-30550.patch155
2 files changed, 458 insertions, 0 deletions
diff --git a/net-mail/dovecot/dovecot-2.3.19.1-r1.ebuild b/net-mail/dovecot/dovecot-2.3.19.1-r1.ebuild
new file mode 100644
index 000000000000..402e4f5e814a
--- /dev/null
+++ b/net-mail/dovecot/dovecot-2.3.19.1-r1.ebuild
@@ -0,0 +1,303 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+LUA_COMPAT=( lua5-1 lua5-3 )
+# do not add a ssl USE flag. ssl is mandatory
+SSL_DEPS_SKIP=1
+inherit autotools flag-o-matic lua-single ssl-cert systemd toolchain-funcs
+
+MY_P="${P/_/.}"
+#MY_S="${PN}-ce-${PV}"
+major_minor="$(ver_cut 1-2)"
+sieve_version="0.5.19"
+if [[ ${PV} == *_rc* ]]; then
+ rc_dir="rc/"
+else
+ rc_dir=""
+fi
+SRC_URI="https://dovecot.org/releases/${major_minor}/${rc_dir}${MY_P}.tar.gz
+ sieve? (
+ https://pigeonhole.dovecot.org/releases/${major_minor}/${rc_dir}${PN}-${major_minor}-pigeonhole-${sieve_version}.tar.gz
+ )
+ managesieve? (
+ https://pigeonhole.dovecot.org/releases/${major_minor}/${rc_dir}${PN}-${major_minor}-pigeonhole-${sieve_version}.tar.gz
+ ) "
+DESCRIPTION="An IMAP and POP3 server written with security primarily in mind"
+HOMEPAGE="https://www.dovecot.org/"
+
+SLOT="0"
+LICENSE="LGPL-2.1 MIT"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+
+IUSE_DOVECOT_AUTH="kerberos ldap lua mysql pam postgres sqlite"
+IUSE_DOVECOT_COMPRESS="lz4 zstd"
+IUSE_DOVECOT_OTHER="argon2 caps doc ipv6 lucene managesieve rpc
+ selinux sieve solr static-libs stemmer suid systemd tcpd textcat unwind"
+
+IUSE="${IUSE_DOVECOT_AUTH} ${IUSE_DOVECOT_COMPRESS} ${IUSE_DOVECOT_OTHER}"
+
+REQUIRED_USE="lua? ( ${LUA_REQUIRED_USE} )"
+
+DEPEND="
+ app-arch/bzip2
+ app-arch/xz-utils
+ dev-libs/icu:=
+ dev-libs/openssl:0=
+ sys-libs/zlib:=
+ virtual/libiconv
+ argon2? ( dev-libs/libsodium:= )
+ caps? ( sys-libs/libcap )
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap:= )
+ lua? ( ${LUA_DEPS} )
+ lucene? ( >=dev-cpp/clucene-2.3 )
+ lz4? ( app-arch/lz4 )
+ mysql? ( dev-db/mysql-connector-c:0= )
+ pam? ( sys-libs/pam:= )
+ postgres? ( dev-db/postgresql:* )
+ rpc? ( net-libs/libtirpc:= net-libs/rpcsvc-proto )
+ selinux? ( sec-policy/selinux-dovecot )
+ solr? ( net-misc/curl dev-libs/expat )
+ sqlite? ( dev-db/sqlite:* )
+ stemmer? ( dev-libs/snowball-stemmer:= )
+ suid? ( acct-group/mail )
+ systemd? ( sys-apps/systemd:= )
+ tcpd? ( sys-apps/tcp-wrappers )
+ textcat? ( app-text/libexttextcat )
+ unwind? ( sys-libs/libunwind:= )
+ zstd? ( app-arch/zstd:= )
+ virtual/libcrypt:=
+ "
+
+RDEPEND="
+ ${DEPEND}
+ acct-group/dovecot
+ acct-group/dovenull
+ acct-user/dovecot
+ acct-user/dovenull
+ net-mail/mailbase
+ "
+
+S="${WORKDIR}/${MY_P}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}"-autoconf-lua-version-v2.patch
+ "${FILESDIR}/${PN}"-socket-name-too-long.patch
+ "${FILESDIR}"/CVE-2022-30550.patch
+)
+
+pkg_setup() {
+ use lua && lua-single_pkg_setup
+ if use managesieve && ! use sieve; then
+ ewarn "managesieve USE flag selected but sieve USE flag unselected"
+ ewarn "sieve USE flag will be turned on"
+ fi
+}
+
+src_prepare() {
+ default
+ # bug 657108
+ #elibtoolize
+ eautoreconf
+
+ # Bug #727244
+ append-cflags -fasynchronous-unwind-tables
+}
+
+src_configure() {
+ local conf=""
+
+ if use postgres || use mysql || use sqlite; then
+ conf="${conf} --with-sql"
+ fi
+
+ # turn valgrind tests off. Bug #340791
+ VALGRIND=no \
+ LUAPC="${ELUA}" \
+ systemdsystemunitdir="$(systemd_get_systemunitdir)" \
+ econf \
+ --with-rundir="${EPREFIX}/run/dovecot" \
+ --with-statedir="${EPREFIX}/var/lib/dovecot" \
+ --with-moduledir="${EPREFIX}/usr/$(get_libdir)/dovecot" \
+ --disable-rpath \
+ --with-bzlib \
+ --without-libbsd \
+ --with-lzma \
+ --with-icu \
+ --with-ssl \
+ --with-zlib \
+ $( use_with argon2 sodium ) \
+ $( use_with caps libcap ) \
+ $( use_with kerberos gssapi ) \
+ $( use_with lua ) \
+ $( use_with ldap ) \
+ $( use_with lucene ) \
+ $( use_with lz4 ) \
+ $( use_with mysql ) \
+ $( use_with pam ) \
+ $( use_with postgres pgsql ) \
+ $( use_with sqlite ) \
+ $( use_with solr ) \
+ $( use_with stemmer ) \
+ $( use_with systemd ) \
+ $( use_with tcpd libwrap ) \
+ $( use_with textcat ) \
+ $( use_with unwind libunwind ) \
+ $( use_with zstd ) \
+ $( use_enable static-libs static ) \
+ ${conf}
+
+ if use sieve || use managesieve; then
+ # The sieve plugin needs this file to be build to determine the plugin
+ # directory and the list of libraries to link to.
+ emake dovecot-config
+ cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed"
+ econf \
+ $( use_enable static-libs static ) \
+ --localstatedir="${EPREFIX}/var" \
+ --enable-shared \
+ --with-dovecot="${S}" \
+ $( use_with ldap ) \
+ $( use_with managesieve )
+ fi
+}
+
+src_compile() {
+ default
+ if use sieve || use managesieve; then
+ cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed"
+ emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}"
+ fi
+}
+
+src_test() {
+ default
+ if use sieve || use managesieve; then
+ cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed"
+ default
+ fi
+}
+
+src_install() {
+ default
+
+ if use suid; then
+ einfo "Changing perms to allow deliver to be suided"
+ fowners root:mail "/usr/libexec/dovecot/dovecot-lda"
+ fperms 4750 "/usr/libexec/dovecot/dovecot-lda"
+ fi
+
+ newinitd "${FILESDIR}"/dovecot.init-r6 dovecot
+
+ rm -rf "${ED}"/usr/share/doc/dovecot
+
+ dodoc AUTHORS NEWS README TODO
+ dodoc doc/*.{txt,cnf,xml,sh}
+ docinto example-config
+ dodoc doc/example-config/*.{conf,ext}
+ docinto example-config/conf.d
+ dodoc doc/example-config/conf.d/*.{conf,ext}
+ docinto wiki
+ dodoc doc/wiki/*
+ doman doc/man/*.{1,7}
+
+ # Create the dovecot.conf file from the dovecot-example.conf file that
+ # the dovecot folks nicely left for us....
+ local conf="${ED}/etc/dovecot/dovecot.conf"
+ local confd="${ED}/etc/dovecot/conf.d"
+
+ insinto /etc/dovecot
+ doins doc/example-config/*.{conf,ext}
+ insinto /etc/dovecot/conf.d
+ doins doc/example-config/conf.d/*.{conf,ext}
+ fperms 0600 /etc/dovecot/dovecot-{ldap,sql}.conf.ext
+ rm -f "${confd}/../README"
+
+ # .maildir is the Gentoo default
+ local mail_location="maildir:~/.maildir"
+ sed -i -e \
+ "s|#mail_location =|mail_location = ${mail_location}|" \
+ "${confd}/10-mail.conf" \
+ || die "failed to update mail location settings in 10-mail.conf"
+
+ # We're using pam files (imap and pop3) provided by mailbase
+ if use pam; then
+ sed -i -e '/driver = pam/,/^[ \t]*}/ s|#args = dovecot|args = "\*"|' \
+ "${confd}/auth-system.conf.ext" \
+ || die "failed to update PAM settings in auth-system.conf.ext"
+ # mailbase does not provide a sieve pam file
+ use managesieve && dosym imap /etc/pam.d/sieve
+ sed -i -e \
+ 's/#!include auth-system.conf.ext/!include auth-system.conf.ext/' \
+ "${confd}/10-auth.conf" \
+ || die "failed to update PAM settings in 10-auth.conf"
+ fi
+
+ # Disable ipv6 if necessary
+ if ! use ipv6; then
+ sed -i -e 's/^#listen = \*, ::/listen = \*/g' "${conf}" \
+ || die "failed to update listen settings in dovecot.conf"
+ fi
+
+ # Update ssl cert locations
+ sed -i -e 's:^#ssl = yes:ssl = yes:' "${confd}/10-ssl.conf" \
+ || die "ssl conf failed"
+ sed -i -e 's:^ssl_cert =.*:ssl_cert = </etc/ssl/dovecot/server.pem:' \
+ -e 's:^ssl_key =.*:ssl_key = </etc/ssl/dovecot/server.key:' \
+ "${confd}/10-ssl.conf" || die "failed to update SSL settings in 10-ssl.conf"
+
+ # Install SQL configuration
+ if use mysql || use postgres; then
+ sed -i -e \
+ 's/#!include auth-sql.conf.ext/!include auth-sql.conf.ext/' \
+ "${confd}/10-auth.conf" || die "failed to update SQL settings in \
+ 10-auth.conf"
+ fi
+
+ # Install LDAP configuration
+ if use ldap; then
+ sed -i -e \
+ 's/#!include auth-ldap.conf.ext/!include auth-ldap.conf.ext/' \
+ "${confd}/10-auth.conf" \
+ || die "failed to update ldap settings in 10-auth.conf"
+ fi
+
+ if use sieve || use managesieve; then
+ cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed"
+ emake DESTDIR="${ED}" install
+ sed -i -e \
+ 's/^[[:space:]]*#mail_plugins = $mail_plugins/mail_plugins = sieve/' "${confd}/15-lda.conf" \
+ || die "failed to update sieve settings in 15-lda.conf"
+ rm -rf "${ED}"/usr/share/doc/dovecot
+ docinto example-config/conf.d
+ dodoc doc/example-config/conf.d/*.conf
+ insinto /etc/dovecot/conf.d
+ doins doc/example-config/conf.d/90-sieve{,-extprograms}.conf
+ use managesieve && doins doc/example-config/conf.d/20-managesieve.conf
+ docinto sieve/rfc
+ dodoc doc/rfc/*.txt
+ docinto sieve/devel
+ dodoc doc/devel/DESIGN
+ docinto plugins
+ dodoc doc/plugins/*.txt
+ docinto extensions
+ dodoc doc/extensions/*.txt
+ docinto locations
+ dodoc doc/locations/*.txt
+ doman doc/man/*.{1,7}
+ fi
+
+ use static-libs || find "${ED}"/usr/lib* -name '*.la' -delete
+}
+
+pkg_postinst() {
+ # Let's not make a new certificate if we already have one
+ if ! [[ -e "${ROOT}"/etc/ssl/dovecot/server.pem && \
+ -e "${ROOT}"/etc/ssl/dovecot/server.key ]]; then
+ einfo "Creating SSL certificate"
+ SSL_ORGANIZATION="${SSL_ORGANIZATION:-Dovecot IMAP Server}"
+ install_cert /etc/ssl/dovecot/server
+ fi
+}
diff --git a/net-mail/dovecot/files/CVE-2022-30550.patch b/net-mail/dovecot/files/CVE-2022-30550.patch
new file mode 100644
index 000000000000..d7da1316f76f
--- /dev/null
+++ b/net-mail/dovecot/files/CVE-2022-30550.patch
@@ -0,0 +1,155 @@
+From 7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 9 May 2022 15:23:33 +0300
+Subject: [PATCH 1/2] auth: Fix handling passdbs with identical driver/args but
+ different mechanisms/username_filter
+
+The passdb was wrongly deduplicated in this situation, causing wrong
+mechanisms or username_filter setting to be used. This would be a rather
+unlikely configuration though.
+
+Fixed by moving mechanisms and username_filter from struct passdb_module
+to struct auth_passdb, which is where they should have been in the first
+place.
+---
+ src/auth/auth-request.c | 6 +++---
+ src/auth/auth.c | 18 ++++++++++++++++++
+ src/auth/auth.h | 5 +++++
+ src/auth/passdb.c | 15 ++-------------
+ src/auth/passdb.h | 4 ----
+ 5 files changed, 28 insertions(+), 20 deletions(-)
+
+diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
+index cd08b1fa02..0ca29f3674 100644
+--- a/src/auth/auth-request.c
++++ b/src/auth/auth-request.c
+@@ -534,8 +534,8 @@ auth_request_want_skip_passdb(struct auth_request *request,
+ struct auth_passdb *passdb)
+ {
+ /* if mechanism is not supported, skip */
+- const char *const *mechs = passdb->passdb->mechanisms;
+- const char *const *username_filter = passdb->passdb->username_filter;
++ const char *const *mechs = passdb->mechanisms;
++ const char *const *username_filter = passdb->username_filter;
+ const char *username;
+
+ username = request->fields.user;
+@@ -548,7 +548,7 @@ auth_request_want_skip_passdb(struct auth_request *request,
+ return TRUE;
+ }
+
+- if (passdb->passdb->username_filter != NULL &&
++ if (passdb->username_filter != NULL &&
+ !auth_request_username_accepted(username_filter, username)) {
+ auth_request_log_debug(request,
+ request->mech != NULL ? AUTH_SUBSYS_MECH
+diff --git a/src/auth/auth.c b/src/auth/auth.c
+index f2f3fda20c..9f6c4ba60c 100644
+--- a/src/auth/auth.c
++++ b/src/auth/auth.c
+@@ -99,6 +99,24 @@ auth_passdb_preinit(struct auth *auth, const struct auth_passdb_settings *set,
+ auth_passdb->override_fields_tmpl =
+ passdb_template_build(auth->pool, set->override_fields);
+
++ if (*set->mechanisms == '\0') {
++ auth_passdb->mechanisms = NULL;
++ } else if (strcasecmp(set->mechanisms, "none") == 0) {
++ auth_passdb->mechanisms = (const char *const[]){ NULL };
++ } else {
++ auth_passdb->mechanisms =
++ (const char *const *)p_strsplit_spaces(auth->pool,
++ set->mechanisms, " ,");
++ }
++
++ if (*set->username_filter == '\0') {
++ auth_passdb->username_filter = NULL;
++ } else {
++ auth_passdb->username_filter =
++ (const char *const *)p_strsplit_spaces(auth->pool,
++ set->username_filter, " ,");
++ }
++
+ /* for backwards compatibility: */
+ if (set->pass)
+ auth_passdb->result_success = AUTH_DB_RULE_CONTINUE;
+diff --git a/src/auth/auth.h b/src/auth/auth.h
+index f700e29d5c..460a179765 100644
+--- a/src/auth/auth.h
++++ b/src/auth/auth.h
+@@ -41,6 +41,11 @@ struct auth_passdb {
+ struct passdb_template *default_fields_tmpl;
+ struct passdb_template *override_fields_tmpl;
+
++ /* Supported authentication mechanisms, NULL is all, {NULL} is none */
++ const char *const *mechanisms;
++ /* Username filter, NULL is no filter */
++ const char *const *username_filter;
++
+ enum auth_passdb_skip skip;
+ enum auth_db_rule result_success;
+ enum auth_db_rule result_failure;
+diff --git a/src/auth/passdb.c b/src/auth/passdb.c
+index eb4ac8ae82..f5eed1af4f 100644
+--- a/src/auth/passdb.c
++++ b/src/auth/passdb.c
+@@ -224,19 +224,8 @@ passdb_preinit(pool_t pool, const struct auth_passdb_settings *set)
+ passdb->id = ++auth_passdb_id;
+ passdb->iface = *iface;
+ passdb->args = p_strdup(pool, set->args);
+- if (*set->mechanisms == '\0') {
+- passdb->mechanisms = NULL;
+- } else if (strcasecmp(set->mechanisms, "none") == 0) {
+- passdb->mechanisms = (const char *const[]){NULL};
+- } else {
+- passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
+- }
+-
+- if (*set->username_filter == '\0') {
+- passdb->username_filter = NULL;
+- } else {
+- passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,");
+- }
++ /* NOTE: if anything else than driver & args are added here,
++ passdb_find() also needs to be updated. */
+ array_push_back(&passdb_modules, &passdb);
+ return passdb;
+ }
+diff --git a/src/auth/passdb.h b/src/auth/passdb.h
+index 2e95328e5c..e466a9fdb6 100644
+--- a/src/auth/passdb.h
++++ b/src/auth/passdb.h
+@@ -63,10 +63,6 @@ struct passdb_module {
+ /* Default password scheme for this module.
+ If default_cache_key is set, must not be NULL. */
+ const char *default_pass_scheme;
+- /* Supported authentication mechanisms, NULL is all, [NULL] is none*/
+- const char *const *mechanisms;
+- /* Username filter, NULL is no filter */
+- const char *const *username_filter;
+
+ /* If blocking is set to TRUE, use child processes to access
+ this passdb. */
+
+From a1022072e2ce36f853873d910287f466165b184b Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 16 May 2022 14:58:45 +0200
+Subject: [PATCH 2/2] auth: Add a comment about updating userdb_find()
+
+---
+ src/auth/userdb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/auth/userdb.c b/src/auth/userdb.c
+index 0849659102..830bc2dd64 100644
+--- a/src/auth/userdb.c
++++ b/src/auth/userdb.c
+@@ -158,7 +158,8 @@ userdb_preinit(pool_t pool, const struct auth_userdb_settings *set)
+ userdb->id = ++auth_userdb_id;
+ userdb->iface = iface;
+ userdb->args = p_strdup(pool, set->args);
+-
++ /* NOTE: if anything else than driver & args are added here,
++ userdb_find() also needs to be updated. */
+ array_push_back(&userdb_modules, &userdb);
+ return userdb;
+ }