main/dovecot: fix CVE-2020-12673 and CVE-2020-12674

Partial Fix for #11843
author: Leo <thinkabit.ukim@gmail.com> 2020-12-10 21:18:07 -0300
committer: Leo <thinkabit.ukim@gmail.com> 2020-12-10 21:19:08 -0300
commit: 3ac49c86bad5d4e10aa5fe6d1621d86a0b335824 (patch)
tree: f89ae2846505a29a9b813152bf4649af07717faf /main
parent: e44a90b1e6c3308e5cbedaf5e3c8fb1b10882316 (diff)
3 files changed, 61 insertions, 1 deletions
diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD
index faee15a14db..545416837e0 100644
--- a/main/dovecot/APKBUILD
+++ b/main/dovecot/APKBUILD
@@ -6,7 +6,7 @@
 pkgname=dovecot
 pkgver=2.3.10.1
 _pkgvermajor=2.3
-pkgrel=0
+pkgrel=1
 _pigeonholever=0.5.10
 _pigeonholevermajor=${_pigeonholever%.*}
 pkgdesc="IMAP and POP3 server"
@@ -62,6 +62,8 @@ source="https://www.dovecot.org/releases/$_pkgvermajor/$pkgname-$pkgver.tar.gz
 	skip-iconv-check.patch
 	split-protocols.patch
 	default-config.patch
+	CVE-2020-12673.patch
+	CVE-2020-12674.patch
 	dovecot.logrotate
 	dovecot.initd
 	"
@@ -69,6 +71,9 @@ builddir="$srcdir/$pkgname-$pkgver"
 _builddir_pigeonhole="$srcdir/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever"
 
 # secfixes:
+#   2.3.10.1-r1:
+#     - CVE-2020-12673
+#     - CVE-2020-12674
 #   2.3.10.1-r0:
 #     - CVE-2020-10957
 #     - CVE-2020-10958
@@ -315,5 +320,7 @@ f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad
 fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a  skip-iconv-check.patch
 794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5  split-protocols.patch
 0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07  default-config.patch
+54d5b1bfbc9fcdc00a5c943420bcbbfc8f0107ab2ff160ef0b2f73093a23766e0fcdb4cfc7944def40526414f97aff818cac6bdec155a6f3962f477b210a8ed5  CVE-2020-12673.patch
+3599ca53dff1234dcea483006a82ec7276c1feee8df4f1df50f0b080202e351dd34e011af1bbdbdce1d9db54761beb0890b0be6e4ce7ed86e62513896c072e0c  CVE-2020-12674.patch
 9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0  dovecot.logrotate
 d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70  dovecot.initd"
diff --git a/main/dovecot/CVE-2020-12673.patch b/main/dovecot/CVE-2020-12673.patch
new file mode 100644
index 00000000000..9dd26e0350f
--- /dev/null
+++ b/main/dovecot/CVE-2020-12673.patch
@@ -0,0 +1,31 @@
+From fb246611e62ad8c5a95b0ca180a63f17aa34b0d8 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Mon, 18 May 2020 12:33:39 +0300
+Subject: [PATCH] lib-ntlm: Check buffer length on responses
+
+Add missing check for buffer length.
+
+If this is not checked, it is possible to send message which
+causes read past buffer bug.
+
+Broken in c7480644202e5451fbed448508ea29a25cffc99c
+---
+ src/lib-ntlm/ntlm-message.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
+index 160b9f918c..a29413b47e 100644
+--- a/src/lib-ntlm/ntlm-message.c
++++ b/src/lib-ntlm/ntlm-message.c
+@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
+ 	if (length == 0 && space == 0)
+ 		return TRUE;
+ 
++	if (length > data_size) {
++		*error = "buffer length out of bounds";
++		return FALSE;
++	}
++
+ 	if (offset >= data_size) {
+ 		*error = "buffer offset out of bounds";
+ 		return FALSE;
diff --git a/main/dovecot/CVE-2020-12674.patch b/main/dovecot/CVE-2020-12674.patch
new file mode 100644
index 00000000000..a9dca2a82dd
--- /dev/null
+++ b/main/dovecot/CVE-2020-12674.patch
@@ -0,0 +1,22 @@
+From 69ad3c902ea4bbf9f21ab1857d8923f975dc6145 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Wed, 6 May 2020 13:40:36 +0300
+Subject: [PATCH] auth: mech-rpa - Fail on zero len buffer
+
+---
+ src/auth/mech-rpa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
+index 08298ebdd6..2de8705b4f 100644
+--- a/src/auth/mech-rpa.c
++++ b/src/auth/mech-rpa.c
+@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data,
+ 		return 0;
+ 
+ 	len = *p++;
+-	if (p + len > end)
++	if (p + len > end || len == 0)
+ 		return 0;
+ 
+ 	*buffer = p_malloc(pool, len);
author	Leo <thinkabit.ukim@gmail.com>	2020-12-10 21:18:07 -0300
committer	Leo <thinkabit.ukim@gmail.com>	2020-12-10 21:19:08 -0300
commit	3ac49c86bad5d4e10aa5fe6d1621d86a0b335824 (patch)
tree	f89ae2846505a29a9b813152bf4649af07717faf /main
parent	e44a90b1e6c3308e5cbedaf5e3c8fb1b10882316 (diff)