Bug 248640

Summary: mail/dovecot: Update to 2.3.11.3
Product: Ports & Packages
Reporter: Juraj Lutter <juraj>
Component: Individual Port(s)
Assignee: Larry Rosenman <ler>
Status: Closed FIXED
Severity: Affects Many People
CC: ports-secteam, vvd
Priority: Normal
Keywords: security
Version: Latest
Flags: koobs: maintainer-feedback+, joneum: merge-quarterly+
Hardware: Any
OS: Any
URL: https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248644
Attachments:
  mail/dovecot: Update to 2.3.11.3 (flags: none)

Description Juraj Lutter 2020-08-13 14:40:47 UTC
Created attachment 217195
mail/dovecot: Update to 2.3.11.3

Hi,

please find the file attached.

It brings mail/dovecot to the recent 2.3.11.3. The pigeonhole and fts-xapian sub-ports will be in separate PRs.

Testport results on 12-STABLE:
https://freebsd-stable.builder.wilbury.net/data/12_STABLE_GENERIC_amd64-default-mailin/2020-08-13_16h22m02s/logs/dovecot-2.3.11.3.log
Comment 1 VVD 2020-08-13 16:50:21 UTC
Fixed 4 CVEs:
* CVE-2020-12100: Parsing mails with a large number of MIME parts could
  have resulted in excessive CPU usage or a crash due to running out of
  stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
  message buffer size, which leads to reading past allocation which can
  lead to crash.
* CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the lmtp
  service to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
  zero-length message, which leads to assert-crash later on.
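The class of check behind CVE-2020-12673, shown as an added example (not Dovecot's code and not part of this bug report): an NTLM-style security-buffer descriptor (2-byte length, 2-byte allocated size, 4-byte offset, little-endian) is resolved only after both the descriptor and the payload it points to are proven to lie inside the received message. The function names and sample bytes are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SECBUF_SIZE 8u /* length(2) + allocated(2) + offset(4) */

static uint16_t rd_le16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Resolve the descriptor at desc_pos to a payload inside msg[0..msg_len).
   Returns false, without reading, when anything falls outside the buffer. */
bool secbuf_get(const unsigned char *msg, size_t msg_len, size_t desc_pos,
                const unsigned char **data_r, size_t *len_r)
{
    /* The descriptor itself must fit; this also rejects zero-length input. */
    if (msg == NULL || msg_len < SECBUF_SIZE || desc_pos > msg_len - SECBUF_SIZE)
        return false;
    size_t len = rd_le16(msg + desc_pos);
    size_t off = rd_le32(msg + desc_pos + 4);
    /* Compare by subtraction so that off + len can never wrap around. */
    if (off > msg_len || len > msg_len - off)
        return false;
    *data_r = msg + off;
    *len_r = len;
    return true;
}

/* Convenience wrapper: payload length of the descriptor at byte 0, or -1. */
long secbuf_check(const unsigned char *msg, size_t msg_len)
{
    const unsigned char *data;
    size_t len;
    return secbuf_get(msg, msg_len, 0, &data, &len) ? (long)len : -1;
}

/* Constructed sample: descriptor says len=4, offset=8; payload is "USER". */
static const unsigned char sample_ok[] = {4,0, 4,0, 8,0,0,0, 'U','S','E','R'};
/* Constructed sample: same layout, but the descriptor claims 64 bytes. */
static const unsigned char sample_long[] = {64,0, 64,0, 8,0,0,0, 'U','S','E','R'};

int main(void)
{
    return (secbuf_check(sample_ok, sizeof(sample_ok)) == 4 &&
            secbuf_check(sample_long, sizeof(sample_long)) == -1) ? 0 : 1;
}
```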
Comment 2 commit-hook freebsd_committer 2020-08-14 00:28:43 UTC
A commit references this bug:

Author: ler
Date: Fri Aug 14 00:27:45 UTC 2020
New revision: 544857
URL: https://svnweb.freebsd.org/changeset/ports/544857

Log:
  mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.11.3 and 0.5.11, respectively.

  dovecot changelog:
  * CVE-2020-12100: Parsing mails with a large number of MIME parts could
    have resulted in excessive CPU usage or a crash due to running out of
    stack memory.
  * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
    message buffer size, which leads to reading past allocation which can
    lead to crash.
  * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
    address that has the empty quoted string as local-part causes the lmtp
    service to crash.
  * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
    zero-length message, which leads to assert-crash later on.
  * Events: Fix inconsistency in events. See event documentation in
    https://doc.dovecot.org.
  * imap_command_finished event's cmd_name field now contains "unknown"
    for unknown commands. A new "cmd_input_name" field contains the
    command name exactly as it was sent.
  * lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*.
    Note that these settings are mainly intended for testing and usually
    shouldn't be changed.
  * events: Renamed "index" event category to "mail-index".
  * events: service:<name> category is now using the name from
    configuration file.
  * dns-client: service dns_client was renamed to dns-client.
  * log: Prefixes generally use the service name from configuration file.
    For example dict-async service will now use
    "dict-async(pid): " log prefix instead of "dict(pid): "
  * *-login: Changed logging done by proxying to use a consistent prefix
    containing the IP address and port.
  * *-login: Changed disconnection log messages to be slightly clearer.
  + dict: Add events for dictionaries.
  + lib-index: Finish logging with events.
  + oauth2: Support local validation of JWT tokens.
  + stats: Add support for dynamic histograms and grouping. See
    https://doc.dovecot.org/configuration_manual/stats/.
  + imap: Implement RFC 8514: IMAP SAVEDATE
  + lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge
    folder) adds a lot of data to dovecot.index.cache file, commit those
    changes periodically to make them visible to other concurrent sessions
    as well.
  + stats: Add OpenMetrics exporter for statistics. See
    https://doc.dovecot.org/configuration_manual/stats/openmetrics/.
  + stats: Support disabling stats-writer socket by setting
    stats_writer_socket_path="".
  - auth-worker: Process keeps slowly increasing its memory usage and
    eventually dies with "out of memory" due to reaching vsz_limit.
  - auth: Prevent potential timing attacks in authentication secret
    comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result.
  - auth: Several auth-mechanisms allowed input to be truncated by NUL
    which can potentially lead to unintentional issues or even successful
    logins which should have failed.
  - auth: When auth policy returned a delay, auth_request_finished event
    had policy_result=ok field instead of policy_result=delayed.
  - auth: auth process crash when auth_policy_server_url is set to an
    invalid URL.
  - auth: Lua passdb/userdb leaks stack elements per call, eventually
    causing the stack to become too deep and crashing the auth or
    auth-worker process.
  - dict-ldap: Crash occurs if var_expand template expansion fails.
  - dict: If dict client disconnected while iteration was still running,
    dict process could have started using 100% CPU, although it was still
    handling clients.
  - doveadm: Running doveadm commands via proxying may hang, especially
    when doveadm is printing a lot of output.
  - imap: "MOVE * destfolder" goes to a loop copying the last mail to the
    destination until the imap process dies due to running out of memory.
  - imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite
    loop.
  - imap: SEARCH doesn't support $.
  - lib-compress: Buffer over-read in zlib stream read.
  - lib-dns: If DNS lookup times out, lib-dns can cause crash in calling
    process.
  - lib-index: Fixed several bugs in dovecot.index.cache handling that
    could have caused cached data to be lost.
  - lib-index: Writing to >=1 GB dovecot.index.cache files may cause
    assert-crashes:
    Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset):
    assertion failed: (offset < 0x40000000)
  - lib-mail: v2.3.11 regression: MIME parts not returned correctly by
    Dovecot MIME parser.
  - lib-ssl-iostream: Fix buggy OpenSSL error handling without
    assert-crashing. If there is no error available, log it as an error
    instead of crashing:
    Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error):
    assertion failed: (errno != 0)
  - lib-ssl-iostream: ssl_key_password setting did not work.
  - pop3-login: Login didn't handle commands in multiple IP packets properly.
    This mainly affected large XCLIENT commands or a large SASL initial
    response parameter in the AUTH command.
  - pop3: pop3_deleted_flag setting was broken, causing:
    Panic: file seq-range-array.c: line 472 (seq_range_array_invert):
    assertion failed: (range[count-1].seq2 <= max_seq)
  - pop3-login: Login would fail with "Input buffer full" if the initial
    response for SASL was too long.
  - submission: A segfault crash may occur when the client or server
    disconnects while a non-transaction command like NOOP or VRFY is still
    being processed.
  - virtual: Copying/moving mails with IMAP into a virtual folder
    assert-crashes:
    Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed:
    (copy_ctx->copy_count == seq_range_count(&copy_ctx->saved_uids))

  pigeonhole changelog:
  * managesieve: managesieve_max_line_length setting is now a "size" type
    instead of just number of bytes. This allows using e.g. "64k" as the
    value.
  - lib-sieve: When folding white space is used in the Message-ID header,
    it is not stripped away correctly before the message ID value is used,
    causing e.g. garbled log lines at delivery.

  PR:		248640
  PR:		248644
  Submitted by:	juraj@lutter.sk
  Reported by:	juraj@lutter.sk
  MFH:		2020Q3
  Security:	87a07de1-e55e-4d51-bb64-8d117829a26a
  Security:	CVE-2020-12100
  Security:	CVE-2020-12673
  Security:	CVE-2020-10967
  Security:	CVE-2020-12674

Changes:
  head/mail/dovecot/Makefile
  head/mail/dovecot/distinfo
  head/mail/dovecot/files/patch-configure
  head/mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c
  head/mail/dovecot/files/patch-src_lib-master_master-service.c
  head/mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h
  head/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c
  head/mail/dovecot/pkg-plist
  head/mail/dovecot-pigeonhole/Makefile
  head/mail/dovecot-pigeonhole/distinfo
Comment 3 Larry Rosenman freebsd_committer 2020-08-14 00:34:22 UTC
Committed a slightly different version that I was already working on.

Thanks!
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2020-08-14 02:29:00 UTC
^Triage: Re-open pending MFH
Comment 5 Jochen Neumeister freebsd_committer 2020-08-15 09:52:05 UTC
(In reply to Larry Rosenman from comment #3)


Thanks for the commit.

Please create a vuxml entry for the CVEs; after that it is released for 2020Q3.

Best regards
joneum (ports-secteam)
Comment 6 commit-hook freebsd_committer 2020-08-15 16:06:15 UTC
A commit references this bug:

Author: ler
Date: Sat Aug 15 16:05:37 UTC 2020
New revision: 544950
URL: https://svnweb.freebsd.org/changeset/ports/544950

Log:
  MFH: r544857

  mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.11.3 and 0.5.11, respectively.

  dovecot changelog:
  * CVE-2020-12100: Parsing mails with a large number of MIME parts could
    have resulted in excessive CPU usage or a crash due to running out of
    stack memory.
  * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
    message buffer size, which leads to reading past allocation which can
    lead to crash.
  * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
    address that has the empty quoted string as local-part causes the lmtp
    service to crash.
  * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
    zero-length message, which leads to assert-crash later on.
  * Events: Fix inconsistency in events. See event documentation in
    https://doc.dovecot.org.
  * imap_command_finished event's cmd_name field now contains "unknown"
    for unknown commands. A new "cmd_input_name" field contains the
    command name exactly as it was sent.
  * lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*.
    Note that these settings are mainly intended for testing and usually
    shouldn't be changed.
  * events: Renamed "index" event category to "mail-index".
  * events: service:<name> category is now using the name from
    configuration file.
  * dns-client: service dns_client was renamed to dns-client.
  * log: Prefixes generally use the service name from configuration file.
    For example dict-async service will now use
    "dict-async(pid): " log prefix instead of "dict(pid): "
  * *-login: Changed logging done by proxying to use a consistent prefix
    containing the IP address and port.
  * *-login: Changed disconnection log messages to be slightly clearer.
  + dict: Add events for dictionaries.
  + lib-index: Finish logging with events.
  + oauth2: Support local validation of JWT tokens.
  + stats: Add support for dynamic histograms and grouping. See
    https://doc.dovecot.org/configuration_manual/stats/.
  + imap: Implement RFC 8514: IMAP SAVEDATE
  + lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge
    folder) adds a lot of data to dovecot.index.cache file, commit those
    changes periodically to make them visible to other concurrent sessions
    as well.
  + stats: Add OpenMetrics exporter for statistics. See
    https://doc.dovecot.org/configuration_manual/stats/openmetrics/.
  + stats: Support disabling stats-writer socket by setting
    stats_writer_socket_path="".
  - auth-worker: Process keeps slowly increasing its memory usage and
    eventually dies with "out of memory" due to reaching vsz_limit.
  - auth: Prevent potential timing attacks in authentication secret
    comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result.
  - auth: Several auth-mechanisms allowed input to be truncated by NUL
    which can potentially lead to unintentional issues or even successful
    logins which should have failed.
  - auth: When auth policy returned a delay, auth_request_finished event
    had policy_result=ok field instead of policy_result=delayed.
  - auth: auth process crash when auth_policy_server_url is set to an
    invalid URL.
  - auth: Lua passdb/userdb leaks stack elements per call, eventually
    causing the stack to become too deep and crashing the auth or
    auth-worker process.
  - dict-ldap: Crash occurs if var_expand template expansion fails.
  - dict: If dict client disconnected while iteration was still running,
    dict process could have started using 100% CPU, although it was still
    handling clients.
  - doveadm: Running doveadm commands via proxying may hang, especially
    when doveadm is printing a lot of output.
  - imap: "MOVE * destfolder" goes to a loop copying the last mail to the
    destination until the imap process dies due to running out of memory.
  - imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite
    loop.
  - imap: SEARCH doesn't support $.
  - lib-compress: Buffer over-read in zlib stream read.
  - lib-dns: If DNS lookup times out, lib-dns can cause crash in calling
    process.
  - lib-index: Fixed several bugs in dovecot.index.cache handling that
    could have caused cached data to be lost.
  - lib-index: Writing to >=1 GB dovecot.index.cache files may cause
    assert-crashes:
    Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset):
    assertion failed: (offset < 0x40000000)
  - lib-mail: v2.3.11 regression: MIME parts not returned correctly by
    Dovecot MIME parser.
  - lib-ssl-iostream: Fix buggy OpenSSL error handling without
    assert-crashing. If there is no error available, log it as an error
    instead of crashing:
    Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error):
    assertion failed: (errno != 0)
  - lib-ssl-iostream: ssl_key_password setting did not work.
  - pop3-login: Login didn't handle commands in multiple IP packets properly.
    This mainly affected large XCLIENT commands or a large SASL initial
    response parameter in the AUTH command.
  - pop3: pop3_deleted_flag setting was broken, causing:
    Panic: file seq-range-array.c: line 472 (seq_range_array_invert):
    assertion failed: (range[count-1].seq2 <= max_seq)
  - pop3-login: Login would fail with "Input buffer full" if the initial
    response for SASL was too long.
  - submission: A segfault crash may occur when the client or server
    disconnects while a non-transaction command like NOOP or VRFY is still
    being processed.
  - virtual: Copying/moving mails with IMAP into a virtual folder
    assert-crashes:
    Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed:
    (copy_ctx->copy_count == seq_range_count(&copy_ctx->saved_uids))

  pigeonhole changelog:
  * managesieve: managesieve_max_line_length setting is now a "size" type
    instead of just number of bytes. This allows using e.g. "64k" as the
    value.
  - lib-sieve: When folding white space is used in the Message-ID header,
    it is not stripped away correctly before the message ID value is used,
    causing e.g. garbled log lines at delivery.

  PR:		248640
  PR:		248644
  Submitted by:	juraj@lutter.sk
  Reported by:	juraj@lutter.sk
  Security:	87a07de1-e55e-4d51-bb64-8d117829a26a
  Security:	CVE-2020-12100
  Security:	CVE-2020-12673
  Security:	CVE-2020-10967
  Security:	CVE-2020-12674

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/mail/dovecot/Makefile
  branches/2020Q3/mail/dovecot/distinfo
  branches/2020Q3/mail/dovecot/files/patch-configure
  branches/2020Q3/mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c
  branches/2020Q3/mail/dovecot/files/patch-src_lib-master_master-service.c
  branches/2020Q3/mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h
  branches/2020Q3/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c
  branches/2020Q3/mail/dovecot/pkg-plist
  branches/2020Q3/mail/dovecot-pigeonhole/Makefile
  branches/2020Q3/mail/dovecot-pigeonhole/distinfo
Comment 7 Larry Rosenman freebsd_committer 2020-08-15 16:09:21 UTC
MFH complete.