https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz.sig
Binary packages in https://repo.dovecot.org/

* CVE-2019-7524: Missing input buffer size validation leads into
  arbitrary buffer overflow when reading fts or pop3 uidl header
  from Dovecot index. Exploiting this requires direct write access to
  the index files.

---
Aki Tuomi
Open-Xchange oy

Hi,

Why didn't you apply this patch to v2.3.5.1?

commit df8addd41d87e61113de22a21a0e61506a8d74c2
Author: Stephan Bosch <stephan.bosch at dovecot.fi>
Date: Tue Mar 12 03:18:33 2019 +0100

    submission-login: client-authenticate - Fix crash occurring when client disconnects during authentication.

diff --git a/src/submission-login/client-authenticate.c b/src/submission-login/client-authenticate.c index 8b5422f833..6b70701a1a 100644 --- a/src/submission-login/client-authenticate.c +++ b/src/submission-login/client-authenticate.c @@ -98,6 +98,9 @@ void submission_client_auth_result(struct client *client, container_of(client, struct submission_client, common); struct smtp_server_cmd_ctx *cmd = subm_client->pending_auth; + if (subm_client->conn == NULL) + return; + subm_client->pending_auth = NULL; i_assert(cmd != NULL); diff --git a/src/submission-login/client.c b/src/submission-login/client.c index 3e45e556c7..212afb92cf 100644 --- a/src/submission-login/client.c +++ b/src/submission-login/client.c @@ -212,6 +212,8 @@ static void client_connection_disconnect(void *context, const char *reason) { struct submission_client *client = context; + client->pending_auth = NULL; + client->pending_starttls = NULL; client_disconnect(&client->common, reason); }

> On 28 Mar 2019, at 08:41, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
>
> https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz
> https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz.sig
> Binary packages in https://repo.dovecot.org/
>
> * CVE-2019-7524: Missing input buffer size validation leads into
> arbitrary buffer overflow when reading fts or pop3 uidl header
> from Dovecot index. Exploiting this requires direct write access to
> the index files.
>
> ---
> Aki Tuomi
> Open-Xchange oy
>

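Review bot: In submission_client_auth_result() (client-authenticate.c), the new early return tests subm_client->conn, but the i_assert(cmd != NULL) that follows depends on subm_client->pending_auth, which the client.c hunk now clears in client_connection_disconnect(). The visible lines do not show where conn is set to NULL, so if an auth result can arrive after pending_auth was cleared while conn is still non-NULL, the assert still fires. Consider also returning when cmd == NULL, or add a comment stating that conn is always NULL once the disconnect callback has run.
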
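Review bot: In client_connection_disconnect() (client.c), pending_auth and pending_starttls are set to NULL with no comment on who owns the command contexts they pointed to. The hunk shows no release or completion of those commands before the pointers are dropped, so a short comment saying where they are cleaned up on disconnect, and that the pointers are cleared only to keep later callbacks from using them, would make the intent checkable.
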
2.3.5.1 was only for releasing CVE. We have decided not to add non-related fixes into patch releases containing CVE releases for clarity.

Aki

On 28.3.2019 13.57, Marcelo Coelho via dovecot wrote:
> Hi,
>
> Why didn't you apply this patch to v2.3.5.1?
>
>
> commit df8addd41d87e61113de22a21a0e61506a8d74c2
> Author: Stephan Bosch <stephan.bosch at dovecot.fi>
> Date: Tue Mar 12 03:18:33 2019 +0100
>
> submission-login: client-authenticate - Fix crash occurring when client disconnects during authentication.
>
> diff --git a/src/submission-login/client-authenticate.c b/src/submission-login/client-authenticate.c > index 8b5422f833..6b70701a1a 100644 > --- a/src/submission-login/client-authenticate.c > +++ b/src/submission-login/client-authenticate.c > @@ -98,6 +98,9 @@ void submission_client_auth_result(struct client *client, > container_of(client, struct submission_client, common); > struct smtp_server_cmd_ctx *cmd = subm_client->pending_auth; > > + if (subm_client->conn == NULL) > + return; > + > subm_client->pending_auth = NULL; > i_assert(cmd != NULL); > > diff --git a/src/submission-login/client.c b/src/submission-login/client.c > index 3e45e556c7..212afb92cf 100644 > --- a/src/submission-login/client.c > +++ b/src/submission-login/client.c
> @@ -212,6 +212,8 @@ static void client_connection_disconnect(void *context, const char *reason) > { > struct submission_client *client = context; > > + client->pending_auth = NULL; > + client->pending_starttls = NULL; > client_disconnect(&client->common, reason); > }
>
>
>> On 28 Mar 2019, at 08:41, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
>>
>> https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz
>> https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz.sig
>> Binary packages in https://repo.dovecot.org/
>>
>> * CVE-2019-7524: Missing input buffer size validation leads into
>> arbitrary buffer overflow when reading fts or pop3 uidl header
>> from Dovecot index. Exploiting this requires direct write access to
>> the index files.
>>
>> ---
>> Aki Tuomi
>> Open-Xchange oy
>>