From 58c7d3ff17a6e39110702acd69b81f12fab4c029 Mon Sep 17 00:00:00 2001 From: Andreas Rammhold Date: Mon, 4 Jan 2021 17:35:06 +0100 Subject: [PATCH 1/4] dovecot: 2.3.11.3 -> 2.3.13 This fixes CVE-2020-24386, CVE-2020-25275 and a bunch of regular bugs [1]. * CVE-2020-24386: Specially crafted command can cause IMAP hibernate to allow logged in user to access other people's emails and filesystem information. * CVE-2020-25275: Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822 (or if parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100. [1] https://raw.githubusercontent.com/dovecot/core/2.3.13/NEWS --- pkgs/servers/mail/dovecot/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/mail/dovecot/default.nix b/pkgs/servers/mail/dovecot/default.nix index 1a11e065d93..3e566f8aa5f 100644 --- a/pkgs/servers/mail/dovecot/default.nix +++ b/pkgs/servers/mail/dovecot/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { pname = "dovecot"; - version = "2.3.11.3"; + version = "2.3.13"; nativeBuildInputs = [ perl pkgconfig ]; buildInputs = @@ -22,7 +22,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://dovecot.org/releases/2.3/${pname}-${version}.tar.gz"; - sha256 = "1p5gp8jbavcsaara5mfn5cbrnlxssajnchczbgmmfzr7228fmnfk"; + sha256 = "1i7ijss79a23v7b6lycfzaa8r5rh01k0h0b9h0j4a6n11sw7by53"; }; enableParallelBuilding = true; From 4fee20e267be4f5758401c98098a20f1c146530d Mon Sep 17 00:00:00 2001 From: Andreas Rammhold Date: Mon, 4 Jan 2021 17:45:28 +0100 Subject: [PATCH 2/4] dovecot: add the dovecot NixOS test to passthru.tests While we already had some test we might as well add the test for that exact package to the tests attribute set. After all that should be what (primarily) tests dovecot. --- pkgs/servers/mail/dovecot/default.nix | 1 + 1 file changed, 1 insertion(+) 
diff --git a/pkgs/servers/mail/dovecot/default.nix b/pkgs/servers/mail/dovecot/default.nix
index 3e566f8aa5f..8d39c01478f 100644
--- a/pkgs/servers/mail/dovecot/default.nix
+++ b/pkgs/servers/mail/dovecot/default.nix
@@ -89,5 +89,6 @@ stdenv.mkDerivation rec {
 };
 passthru.tests = {
 opensmtpd-interaction = nixosTests.opensmtpd;
+ inherit (nixosTests) dovecot;
 };
 }
From bedb3528b6509af96d029cc4b08584800cb93ef1 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold Date: Mon, 4 Jan 2021 17:59:57 +0100 Subject: [PATCH 3/4] dovecot_pigeonhole: 0.5.11 -> 0.5.13 This updates to the latest version. According to the changelog 0.5.12 was skipped. The changes in this release are required to be compatible with the latest dovecot release. Changes: - duplicate: The test was handled badly in a multiscript (sieve_before, sieve_after) scenario in which an earlier script in the sequence with a duplicate test succeeded, while a later script caused a runtime failure. In that case, the message is recorded for duplicate tracking, while the message may not actually have been delivered in the end. - editheader: Sieve interpreter entered infinite loop at startup when the "editheader" configuration listed an invalid header name. This problem can only be triggered by the administrator. - relational: The Sieve relational extension can cause a segfault at compile time. This is triggered by invalid script syntax. The segfault happens when this match type is the last argument of the test command. This situation is not possible in a valid script; positional arguments are normally present after that, which would prevent the segfault. - sieve: For some Sieve commands the provided mailbox name is not properly checked for UTF-8 validity, which can cause assert crashes at runtime when an invalid mailbox name is encountered. This can be caused by the user by writing a bad Sieve script involving the affected commands ("mailboxexists", "specialuse_exists"). This can be triggered by the remote sender only when the user has written a Sieve script that passes message content to one of the affected commands. - sieve: Large sequences of 8-bit octets passed to certain Sieve commands that create or modify message headers that allow UTF-8 text (vacation, notify and addheader) can cause the delivery or IMAP process (when IMAPSieve is used) to enter a memory-consuming semi-infinite loop that ends when the process exceeds its memory limits. 
Logged in users can cause these hangs only for their own processes.
---
 pkgs/servers/mail/dovecot/plugins/pigeonhole/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/servers/mail/dovecot/plugins/pigeonhole/default.nix b/pkgs/servers/mail/dovecot/plugins/pigeonhole/default.nix
index 5c01453cb27..a65bc28ec40 100644
--- a/pkgs/servers/mail/dovecot/plugins/pigeonhole/default.nix
+++ b/pkgs/servers/mail/dovecot/plugins/pigeonhole/default.nix
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec {
 pname = "dovecot-pigeonhole";
- version = "0.5.11";
+ version = "0.5.13";
 src = fetchurl {
 url = "https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-${version}.tar.gz";
- sha256 = "1w5mryv6izh1gv7davnl94rb0pvh5bxl2bydzbfla1b83x22m5qb";
+ sha256 = "05xz2d82ck6lmv94nbc3qff09j8b60a5640i3fmqwqsvv9kfa7wi";
 };
 buildInputs = [ dovecot openssl ];
From 653f805f098de519f0204e1eed00b26e80d03ce2 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Mon, 4 Jan 2021 18:01:09 +0100
Subject: [PATCH 4/4] nixos/tests/dovecot: enable dovecot_pigeonhole plugin This plugin is used commonly enough that we should ensure it still builds (and dovecot works) after loading it. This is not yet perfect as we aren't testing any of it's functionality but at least we ensure that dovecot continues to do the regular job.
---
 nixos/tests/dovecot.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/nixos/tests/dovecot.nix b/nixos/tests/dovecot.nix
index bcbe234fd80..1129e3b45d9 100644
--- a/nixos/tests/dovecot.nix
+++ b/nixos/tests/dovecot.nix
@@ -4,8 +4,11 @@ import ./make-test-python.nix {
 machine = { pkgs, ... }: {
 imports = [ common/user-account.nix ];
 services.postfix.enable = true;
- services.dovecot2.enable = true;
- services.dovecot2.protocols = [ "imap" "pop3" ];
+ services.dovecot2 = {
+ enable = true;
+ protocols = [ "imap" "pop3" ];
+ modules = [ pkgs.dovecot_pigeonhole ];
+ };
 environment.systemPackages = let
 sendTestMail = pkgs.writeScriptBin "send-testmail" ''
 #!${pkgs.runtimeShell}
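Review bot: Listing `pkgs.dovecot_pigeonhole` in `modules` only makes the plugin's shared objects available to Dovecot; as far as I recall the dovecot2 module does not add it to `mail_plugins`, so no Dovecot process actually loads the sieve plugin here and the test cannot catch a load-time failure, let alone a regression in the sieve interpreter whose crash fixes motivate the 0.5.13 bump. To at least load it, add `mailPlugins.globally.enable = [ "sieve" ];` next to `modules = [ pkgs.dovecot_pigeonhole ];` (option name to be confirmed against the dovecot2 module). A follow-up could then route the test mail through a trivial `sieveScripts` rule and assert on the resulting folder, which would exercise the parser the security fixes touched. The `machine` attribute set that this hunk edits continues past the hunk.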