[dovecot/f16] do not crash during mail search (CVE-2012-5620)

Michal Hlavinka mhlavink at fedoraproject.org
Tue Dec 4 10:10:24 UTC 2012


commit f8569d8bc835f8bbe9072fc75497372dcc678a8d
Author: Michal Hlavinka <mhlavink at redhat.com>
Date:   Tue Dec 4 11:10:18 2012 +0100

    do not crash during mail search (CVE-2012-5620)

 dovecot-2.0-hg13d764bbde11.patch |  101 ++++++++++++++++++++++++++++++++++++++
 dovecot.spec                     |    9 +++-
 2 files changed, 109 insertions(+), 1 deletions(-)
---
diff --git a/dovecot-2.0-hg13d764bbde11.patch b/dovecot-2.0-hg13d764bbde11.patch
new file mode 100644
index 0000000..51818a3
--- /dev/null
+++ b/dovecot-2.0-hg13d764bbde11.patch
@@ -0,0 +1,101 @@
+
+# HG changeset patch
+# User Timo Sirainen <tss at iki.fi>
+# Date 1349385902 -10800
+# Node ID 13d764bbde11dfe30a7a7ffab3b26f6b3c0c3050
+# Parent  4c27b241888230c9f7181062352fc3049dfe29f5
+lib-storage: Don't crash when searching multiple keywords.
+Fixed by simply removing the keyword merging code.
+mail_search_args_simplify() is called before mail_search_args_init(), so the
+keywords are still NULL and merging can't be done. Alternative fix would
+have been to add string array to mail_search_arg.value containing the
+keywords, but all of this is a pretty unnecessary optimization.
+
+diff -r 4c27b2418882 -r 13d764bbde11 src/lib-storage/mail-search.c
+--- a/src/lib-storage/mail-search.c	Tue Sep 04 20:27:10 2012 +0300
++++ b/src/lib-storage/mail-search.c	Fri Oct 05 00:25:02 2012 +0300
+@@ -592,48 +592,14 @@
+ 	return TRUE;
+ }
+ 
+-static struct mail_keywords *
+-mail_search_keywords_merge(struct mailbox *box,
+-			   struct mail_keywords **_kw1,
+-			   struct mail_keywords **_kw2)
+-{
+-	struct mail_keywords *kw1 = *_kw1, *kw2 = *_kw2;
+-	struct mail_keywords *new_kw;
+-
+-	i_assert(kw1->index == kw2->index);
+-	T_BEGIN {
+-		ARRAY_TYPE(keyword_indexes) new_indexes;
+-		unsigned int i, j;
+-
+-		t_array_init(&new_indexes, kw1->count + kw2->count + 1);
+-		array_append(&new_indexes, kw1->idx, kw1->count);
+-		for (i = 0; i < kw2->count; i++) {
+-			/* don't add duplicates */
+-			for (j = 0; j < kw1->count; j++) {
+-				if (kw1->idx[j] == kw2->idx[i])
+-					break;
+-			}
+-			if (j == kw1->count)
+-				array_append(&new_indexes, kw2->idx+i, 1);
+-		}
+-		new_kw = mailbox_keywords_create_from_indexes(box,
+-							      &new_indexes);
+-	} T_END;
+-	mailbox_keywords_unref(box, _kw1);
+-	mailbox_keywords_unref(box, _kw2);
+-	return new_kw;
+-}
+-
+ static void
+ mail_search_args_simplify_sub(struct mailbox *box,
+ 			      struct mail_search_arg *args, bool parent_and)
+ {
+ 	struct mail_search_arg *sub, *prev = NULL;
+ 	struct mail_search_arg *prev_flags_arg, *prev_not_flags_arg;
+-	struct mail_search_arg *prev_kw_arg, *prev_not_kw_arg;
+ 
+ 	prev_flags_arg = prev_not_flags_arg = NULL;
+-	prev_kw_arg = prev_not_kw_arg = NULL;
+ 	while (args != NULL) {
+ 		if (args->not && (args->type == SEARCH_SUB ||
+ 				  args->type == SEARCH_OR)) {
+@@ -694,34 +660,6 @@
+ 			}
+ 		}
+ 
+-		/* merge all keywords arguments */
+-		if (args->type == SEARCH_KEYWORDS && !args->not && parent_and) {
+-			if (prev_kw_arg == NULL)
+-				prev_kw_arg = args;
+-			else {
+-				prev_kw_arg->value.keywords =
+-					mail_search_keywords_merge(box,
+-						&prev_kw_arg->value.keywords,
+-						&args->value.keywords);
+-				prev->next = args->next;
+-				args = args->next;
+-				continue;
+-			}
+-		} else if (args->type == SEARCH_KEYWORDS && args->not &&
+-			   !parent_and) {
+-			if (prev_not_kw_arg == NULL)
+-				prev_not_kw_arg = args;
+-			else {
+-				prev_not_kw_arg->value.keywords =
+-					mail_search_keywords_merge(box,
+-					       &prev_not_kw_arg->value.keywords,
+-					       &args->value.keywords);
+-				prev->next = args->next;
+-				args = args->next;
+-				continue;
+-			}
+-		}
+-
+ 		prev = args;
+ 		args = args->next;
+ 	}
+
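Review bot: The remaining body of mail_search_args_simplify_sub (L75 onward, function ends outside the hunk) no longer carries any hint of the ordering constraint that caused CVE-2012-5620, so nothing stops a later "optimization" from dereferencing `args->value.keywords` here again. The nested commit message says mail_search_args_simplify() runs before mail_search_args_init(), which is why `value.keywords` was still NULL and the removed `i_assert(kw1->index == kw2->index)` in mail_search_keywords_merge dereferenced it; that fact belongs in the code, not only in the changelog. I would add above the `while (args != NULL)` loop: `/* Runs before mail_search_args_init(), so args->value.keywords is still NULL for SEARCH_KEYWORDS args — never dereference it here (CVE-2012-5620). */`. The flag-merging path that remains (`prev_flags_arg`/`prev_not_flags_arg`) operates on plain flag values rather than the keyword pointer, so it appears unaffected, but I cannot confirm that from the visible lines.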
diff --git a/dovecot.spec b/dovecot.spec
index 59fa2f1..f1a9f22 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -2,7 +2,7 @@ Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
 Version: 2.0.21
-Release: 3%{?dist}
+Release: 4%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 Group: System Environment/Daemons
@@ -32,6 +32,9 @@ Patch5: dovecot-2.1.10-reload.patch
 Patch6: dovecot-2.1.10-waitonline.patch
 Source15: prestartscript
 
+#CVE-2012-5620
+Patch7: dovecot-2.0-hg13d764bbde11.patch
+
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
 BuildRequires: libtool, autoconf, automake, pkgconfig
@@ -116,6 +119,7 @@ This package provides the development files for dovecot.
 %patch4 -p1 -b .postreleasefixes
 %patch5 -p1 -b .reload
 %patch6 -p1 -b .waitonline
+%patch7 -p1 -b .hg13d764bbde11
 
 %build
 #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules
@@ -415,6 +419,9 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Tue Dec 04 2012 Michal Hlavinka <mhlavink at redhat.com> - 1:2.0.21-4
+- do not crash during mail search (CVE-2012-5620)
+
 * Mon Nov 12 2012 Michal Hlavinka <mhlavink at redhat.com> - 1:2.0.21-3
 - fix network still not ready race condition (#871623)
 

