From b904f3e24d68cfc88905082a3f53ae385c112b0f Mon Sep 17 00:00:00 2001
From: Juergen Daubert <jue@jue.li>
Date: Fri, 2 Feb 2018 17:26:48 +0100
Subject: [PATCH] dovecot: add another patch for CVE-2017-15132

---
 dovecot/.md5sum                |  1 +
 dovecot/.signature             |  5 +--
 dovecot/CVE-2017-15132-1.patch | 57 ++++++++++++++++++++++++++++++++++
 dovecot/Pkgfile                |  5 +--
 4 files changed, 64 insertions(+), 4 deletions(-)
 create mode 100644 dovecot/CVE-2017-15132-1.patch

diff --git a/dovecot/.md5sum b/dovecot/.md5sum
index 2e2132e60..3b4936f51 100644
--- a/dovecot/.md5sum
+++ b/dovecot/.md5sum
@@ -1,3 +1,4 @@
+a1a5efc13766e3b2d0a154e9716f0f7a  CVE-2017-15132-1.patch
 f043e0bb2773cd38f74ada8c164524a6  CVE-2017-15132.patch
 ec342928dd97131f82dba41546741b5f  dovecot
 a8802617ddf68972f5f97bd8677e5856  dovecot-2.3.0.tar.gz
diff --git a/dovecot/.signature b/dovecot/.signature
index ccfd224cd..c9707c0a1 100644
--- a/dovecot/.signature
+++ b/dovecot/.signature
@@ -1,8 +1,9 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/SihfglHd/nyxWOIuJQMl+JGBQBCDkigF+pqp87P7EyBt9dC8e7bvYN/L5VAH5T1yYeOkiDQPNnRAogyCZk8qww=
-SHA256 (Pkgfile) = 0bedafa60b3e7d7db93c113f28760308b77cdda87756884c0bf391f2b02c6a05
+RWSE3ohX2g5d/SkROei+JVsseDKn6SIUNsjxW4JVhAKiDa6r4HZW5ka8HbQjpy6OBAAyHGpg/+/NM5m9pchHJcjlYyFH2k1VXQs=
+SHA256 (Pkgfile) = f325affa0506d8e0a7f7ac40e81503af99fa2ee54a3a8c38a76205de6e8e396b
 SHA256 (.footprint) = d464c6eb14ad58ab166c901d6c1a6f66a010f3e934f3b1645a9cd20d24663b4b
 SHA256 (dovecot-2.3.0.tar.gz) = de60cb470d025e4dd0f8e8fbbb4b9316dfd4930eb949d307330669ffbeaf8581
 SHA256 (CVE-2017-15132.patch) = ddbfdb187e1e763aa10364e57ed82bd37d264d66ed01559a7dbdeccb9f41e91f
+SHA256 (CVE-2017-15132-1.patch) = 480980136322c3361ab334346218504397668df49d66afef0bca70b7e4d40fae
 SHA256 (dovecot-config.patch) = a6f09e637f1ac15368d2d18736dc353e4a188959c5940dedd5306b689156e91c
 SHA256 (dovecot) = ead06d36290cca8be6be350f2c05edf53a4e9ce8aec5d5d663b1162ae96c17c7
diff --git a/dovecot/CVE-2017-15132-1.patch b/dovecot/CVE-2017-15132-1.patch
new file mode 100644
index 000000000..b1d8b4923
--- /dev/null
+++ b/dovecot/CVE-2017-15132-1.patch
@@ -0,0 +1,57 @@
+From a9b135760aea6d1790d447d351c56b78889dac22 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@dovecot.fi>
+Date: Fri, 26 Jan 2018 10:55:54 +0200
+Subject: [PATCH] lib-auth: Remove request after abort
+
+Otherwise the request will still stay in hash table
+and get dereferenced when all requests are aborted
+causing an attempt to access free'd memory.
+
+Found by Apollon Oikonomopoulos <apoikos@debian.org>
+
+Broken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
+---
+ src/lib-auth/auth-client-request.c    | 2 ++
+ src/lib-auth/auth-server-connection.c | 7 +++++++
+ src/lib-auth/auth-server-connection.h | 2 ++
+ 3 files changed, 11 insertions(+)
+
+diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
+index 046f7c307d..f6d0290a13 100644
+--- a/src/lib-auth/auth-client-request.c
++++ b/src/lib-auth/auth-client-request.c
+@@ -186,6 +186,8 @@ void auth_client_request_abort(struct auth_client_request **_request)
+ 
+ 	auth_client_send_cancel(request->conn->client, request->id);
+ 	call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
++	/* remove the request */
++	auth_server_connection_remove_request(request->conn, request->id);
+ 	pool_unref(&request->pool);
+ }
+ 
+diff --git a/src/lib-auth/auth-server-connection.c b/src/lib-auth/auth-server-connection.c
+index 9d65450fb3..7eea061cad 100644
+--- a/src/lib-auth/auth-server-connection.c
++++ b/src/lib-auth/auth-server-connection.c
+@@ -483,3 +483,10 @@ auth_server_connection_add_request(struct auth_server_connection *conn,
+ 	hash_table_insert(conn->requests, POINTER_CAST(id), request);
+ 	return id;
+ }
++
++void auth_server_connection_remove_request(struct auth_server_connection *conn,
++					   unsigned int id)
++{
++	i_assert(conn->handshake_received);
++	hash_table_remove(conn->requests, POINTER_CAST(id));
++}
+diff --git a/src/lib-auth/auth-server-connection.h b/src/lib-auth/auth-server-connection.h
+index 179b5dbd4c..c2c533a41d 100644
+--- a/src/lib-auth/auth-server-connection.h
++++ b/src/lib-auth/auth-server-connection.h
+@@ -40,4 +40,6 @@ void auth_server_connection_disconnect(struct auth_server_connection *conn,
+ unsigned int
+ auth_server_connection_add_request(struct auth_server_connection *conn,
+ 				   struct auth_client_request *request);
++void auth_server_connection_remove_request(struct auth_server_connection *conn,
++					   unsigned int id);
+ #endif
diff --git a/dovecot/Pkgfile b/dovecot/Pkgfile
index 32789e7e8..a9f4f109e 100644
--- a/dovecot/Pkgfile
+++ b/dovecot/Pkgfile
@@ -5,15 +5,16 @@
 
 name=dovecot
 version=2.3.0
-release=2
+release=3
 source=(https://dovecot.org/releases/2.3/$name-$version.tar.gz
-        CVE-2017-15132.patch
+        CVE-2017-15132.patch CVE-2017-15132-1.patch
         dovecot-config.patch dovecot)
 
 build () {
     cd $name-ce-$version
 
     patch -p1 -i $SRC/CVE-2017-15132.patch
+    patch -p1 -i $SRC/CVE-2017-15132-1.patch
     patch -p1 -i $SRC/$name-config.patch
 
     ./configure --prefix=/usr \