authorLeo <thinkabit.ukim@gmail.com>2020-12-10 21:18:07 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-12-10 21:24:12 -0300
commit21650367c747c2e554c7548118f07e6133e02cdb (patch)
tree6c0986b2b56e0b2c59c49faffb6be465eb360dba
parent675ce583181fb5b5f20767fd8b435d80fdc1dd16 (diff)
main/dovecot: fix CVE-2020-12673 and CVE-2020-12674
Partial Fix for #11843
-rw-r--r--main/dovecot/APKBUILD9
-rw-r--r--main/dovecot/CVE-2020-12673.patch31
-rw-r--r--main/dovecot/CVE-2020-12674.patch22
3 files changed, 61 insertions, 1 deletions
diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD
index 3d7caebb5a0..3ca3451bfca 100644
--- a/main/dovecot/APKBUILD
+++ b/main/dovecot/APKBUILD
@@ -6,7 +6,7 @@
pkgname=dovecot
pkgver=2.3.10.1
_pkgvermajor=2.3
-pkgrel=0
+pkgrel=1
_pigeonholever=0.5.10
_pigeonholevermajor=${_pigeonholever%.*}
pkgdesc="IMAP and POP3 server"
@@ -61,6 +61,8 @@ source="https://www.dovecot.org/releases/$_pkgvermajor/$pkgname-$pkgver.tar.gz
skip-iconv-check.patch
split-protocols.patch
default-config.patch
+ CVE-2020-12673.patch
+ CVE-2020-12674.patch
dovecot.logrotate
dovecot.initd
"
@@ -68,6 +70,9 @@ builddir="$srcdir/$pkgname-$pkgver"
_builddir_pigeonhole="$srcdir/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever"
# secfixes:
+# 2.3.10.1-r1:
+# - CVE-2020-12673
+# - CVE-2020-12674
# 2.3.10.1-r0:
# - CVE-2020-10957
# - CVE-2020-10958
@@ -314,5 +319,7 @@ f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad
fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a skip-iconv-check.patch
794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5 split-protocols.patch
0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07 default-config.patch
+54d5b1bfbc9fcdc00a5c943420bcbbfc8f0107ab2ff160ef0b2f73093a23766e0fcdb4cfc7944def40526414f97aff818cac6bdec155a6f3962f477b210a8ed5 CVE-2020-12673.patch
+3599ca53dff1234dcea483006a82ec7276c1feee8df4f1df50f0b080202e351dd34e011af1bbdbdce1d9db54761beb0890b0be6e4ce7ed86e62513896c072e0c CVE-2020-12674.patch
9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0 dovecot.logrotate
d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70 dovecot.initd"
diff --git a/main/dovecot/CVE-2020-12673.patch b/main/dovecot/CVE-2020-12673.patch
new file mode 100644
index 00000000000..9dd26e0350f
--- /dev/null
+++ b/main/dovecot/CVE-2020-12673.patch
@@ -0,0 +1,31 @@
+From fb246611e62ad8c5a95b0ca180a63f17aa34b0d8 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Mon, 18 May 2020 12:33:39 +0300
+Subject: [PATCH] lib-ntlm: Check buffer length on responses
+
+Add missing check for buffer length.
+
+If this is not checked, it is possible to send message which
+causes read past buffer bug.
+
+Broken in c7480644202e5451fbed448508ea29a25cffc99c
+---
+ src/lib-ntlm/ntlm-message.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
+index 160b9f918c..a29413b47e 100644
+--- a/src/lib-ntlm/ntlm-message.c
++++ b/src/lib-ntlm/ntlm-message.c
+@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
+ if (length == 0 && space == 0)
+ return TRUE;
+
++ if (length > data_size) {
++ *error = "buffer length out of bounds";
++ return FALSE;
++ }
++
+ if (offset >= data_size) {
+ *error = "buffer offset out of bounds";
+ return FALSE;
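Review bot: The added `length > data_size` test and the existing `offset >= data_size` test each bound one field on its own, so nothing in the visible lines bounds their sum. A buffer whose offset and length are each in range can still end past data_size. Unless a check after the end of this hunk already covers that, I would add `if (length > data_size - offset)` with its own error string right after the offset check; the subtraction cannot wrap there because offset < data_size has just been established. ntlmssp_check_buffer begins and continues outside the hunk, so the declarations of offset, length and space are not visible; confirm their types before adopting this form.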
diff --git a/main/dovecot/CVE-2020-12674.patch b/main/dovecot/CVE-2020-12674.patch
new file mode 100644
index 00000000000..a9dca2a82dd
--- /dev/null
+++ b/main/dovecot/CVE-2020-12674.patch
@@ -0,0 +1,22 @@
+From 69ad3c902ea4bbf9f21ab1857d8923f975dc6145 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Wed, 6 May 2020 13:40:36 +0300
+Subject: [PATCH] auth: mech-rpa - Fail on zero len buffer
+
+---
+ src/auth/mech-rpa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
+index 08298ebdd6..2de8705b4f 100644
+--- a/src/auth/mech-rpa.c
++++ b/src/auth/mech-rpa.c
+@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data,
+ return 0;
+
+ len = *p++;
+- if (p + len > end)
++ if (p + len > end || len == 0)
+ return 0;
+
+ *buffer = p_malloc(pool, len);
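Review bot: The bounds test `p + len > end` computes a pointer that may lie past the end of the input before comparing it, which C leaves undefined even though it usually works in practice. Comparing lengths avoids that: `if (len == 0 || len > (size_t)(end - p))`. This assumes p <= end after the increment, which the guard above the hunk presumably ensures; that guard is not visible here, so confirm it. The upstream patch message has no body, so a one-line comment such as `/* zero-length field is invalid; 0 is also the error return */` would record why the new condition exists. rpa_read_buffer starts and ends outside the hunk.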