dovecot: add another patch for CVE-2017-15132

This commit is contained in:
Juergen Daubert 2018-02-02 17:26:48 +01:00
parent 3ea797e65e
commit b904f3e24d
4 changed files with 64 additions and 4 deletions

@ -1,3 +1,4 @@
a1a5efc13766e3b2d0a154e9716f0f7a CVE-2017-15132-1.patch
f043e0bb2773cd38f74ada8c164524a6 CVE-2017-15132.patch
ec342928dd97131f82dba41546741b5f dovecot
a8802617ddf68972f5f97bd8677e5856 dovecot-2.3.0.tar.gz

@ -1,8 +1,9 @@
untrusted comment: verify with /etc/ports/opt.pub
RWSE3ohX2g5d/SihfglHd/nyxWOIuJQMl+JGBQBCDkigF+pqp87P7EyBt9dC8e7bvYN/L5VAH5T1yYeOkiDQPNnRAogyCZk8qww=
SHA256 (Pkgfile) = 0bedafa60b3e7d7db93c113f28760308b77cdda87756884c0bf391f2b02c6a05
RWSE3ohX2g5d/SkROei+JVsseDKn6SIUNsjxW4JVhAKiDa6r4HZW5ka8HbQjpy6OBAAyHGpg/+/NM5m9pchHJcjlYyFH2k1VXQs=
SHA256 (Pkgfile) = f325affa0506d8e0a7f7ac40e81503af99fa2ee54a3a8c38a76205de6e8e396b
SHA256 (.footprint) = d464c6eb14ad58ab166c901d6c1a6f66a010f3e934f3b1645a9cd20d24663b4b
SHA256 (dovecot-2.3.0.tar.gz) = de60cb470d025e4dd0f8e8fbbb4b9316dfd4930eb949d307330669ffbeaf8581
SHA256 (CVE-2017-15132.patch) = ddbfdb187e1e763aa10364e57ed82bd37d264d66ed01559a7dbdeccb9f41e91f
SHA256 (CVE-2017-15132-1.patch) = 480980136322c3361ab334346218504397668df49d66afef0bca70b7e4d40fae
SHA256 (dovecot-config.patch) = a6f09e637f1ac15368d2d18736dc353e4a188959c5940dedd5306b689156e91c
SHA256 (dovecot) = ead06d36290cca8be6be350f2c05edf53a4e9ce8aec5d5d663b1162ae96c17c7

@ -0,0 +1,57 @@
From a9b135760aea6d1790d447d351c56b78889dac22 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@dovecot.fi>
Date: Fri, 26 Jan 2018 10:55:54 +0200
Subject: [PATCH] lib-auth: Remove request after abort
Otherwise the request will still stay in hash table
and get dereferenced when all requests are aborted
causing an attempt to access free'd memory.
Found by Apollon Oikonomopoulos <apoikos@debian.org>
Broken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
---
src/lib-auth/auth-client-request.c | 2 ++
src/lib-auth/auth-server-connection.c | 7 +++++++
src/lib-auth/auth-server-connection.h | 2 ++
3 files changed, 11 insertions(+)
diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
index 046f7c307d..f6d0290a13 100644
--- a/src/lib-auth/auth-client-request.c
+++ b/src/lib-auth/auth-client-request.c
@@ -186,6 +186,8 @@ void auth_client_request_abort(struct auth_client_request **_request)
auth_client_send_cancel(request->conn->client, request->id);
call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
+ /* remove the request */
+ auth_server_connection_remove_request(request->conn, request->id);
pool_unref(&request->pool);
}
diff --git a/src/lib-auth/auth-server-connection.c b/src/lib-auth/auth-server-connection.c
index 9d65450fb3..7eea061cad 100644
--- a/src/lib-auth/auth-server-connection.c
+++ b/src/lib-auth/auth-server-connection.c
@@ -483,3 +483,10 @@ auth_server_connection_add_request(struct auth_server_connection *conn,
hash_table_insert(conn->requests, POINTER_CAST(id), request);
return id;
}
+
+void auth_server_connection_remove_request(struct auth_server_connection *conn,
+ unsigned int id)
+{
+ i_assert(conn->handshake_received);
+ hash_table_remove(conn->requests, POINTER_CAST(id));
+}
diff --git a/src/lib-auth/auth-server-connection.h b/src/lib-auth/auth-server-connection.h
index 179b5dbd4c..c2c533a41d 100644
--- a/src/lib-auth/auth-server-connection.h
+++ b/src/lib-auth/auth-server-connection.h
@@ -40,4 +40,6 @@ void auth_server_connection_disconnect(struct auth_server_connection *conn,
unsigned int
auth_server_connection_add_request(struct auth_server_connection *conn,
struct auth_client_request *request);
+void auth_server_connection_remove_request(struct auth_server_connection *conn,
+ unsigned int id);
#endif

@ -5,15 +5,16 @@
name=dovecot
version=2.3.0
release=2
release=3
source=(https://dovecot.org/releases/2.3/$name-$version.tar.gz
CVE-2017-15132.patch
CVE-2017-15132.patch CVE-2017-15132-1.patch
dovecot-config.patch dovecot)
build () {
cd $name-ce-$version
patch -p1 -i $SRC/CVE-2017-15132.patch
patch -p1 -i $SRC/CVE-2017-15132-1.patch
patch -p1 -i $SRC/$name-config.patch
./configure --prefix=/usr \