Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package dovecot24 for openSUSE:Factory checked in at 2025-12-24 13:16:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dovecot24 (Old) and /work/SRC/openSUSE:Factory/.dovecot24.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dovecot24" Wed Dec 24 13:16:02 2025 rev:14 rq:1324249 version:2.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/dovecot24/dovecot24.changes 2025-10-29 21:09:32.693909663 +0100 +++ /work/SRC/openSUSE:Factory/.dovecot24.new.1928/dovecot24.changes 2025-12-24 13:17:16.096829464 +0100 @@ -1,0 +2,19 @@ +Tue Dec 23 08:21:20 UTC 2025 - Marcus Rueckert <[email protected]> + +- While we are at it backport some fixes for the authentication + stack, after recommendation from upstream: + 0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch + 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch + 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch + 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch + +------------------------------------------------------------------- +Tue Dec 23 08:11:59 UTC 2025 - Marcus Rueckert <[email protected]> + +- backport patches to fix sieve regex support after the switch to + pcre2 + 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch + 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch + 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch + +- ------------------------------------------------------------------ New: ---- 0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch ----------(New B)---------- New: stack, after recommendation from upstream: 0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch New: pcre2 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch New: 0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch New: 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch New: 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch New: 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch New: 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dovecot24.spec ++++++ --- /var/tmp/diff_new_pack.fDYh7Z/_old 2025-12-24 13:17:17.288878709 +0100 +++ /var/tmp/diff_new_pack.fDYh7Z/_new 2025-12-24 13:17:17.288878709 +0100 @@ -64,6 +64,13 @@ Patch2: dovecot-2.3.17-env_script_interpreter.patch Patch3: dovecot24-32bit-1.patch Patch4: dovecot24-32bit-2.patch +Patch11: 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch +Patch12: 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch +Patch13: 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch +Patch14: 0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch +Patch15: 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch +Patch16: 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch +Patch17: 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison ++++++ 0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch ++++++ >From d8e6aeb7c11d9d41ddc5f1058571e694e724b114 Mon Sep 17 00:00:00 2001 From: Marco Bettini <[email protected]> Date: Wed, 26 Nov 2025 17:35:58 +0000 Subject: [PATCH 1/4] auth: Fix dashes to underscores in driver names in filters Tbis is required specifically for passwd-file driver defaults to be properly picked up under the filter name passdb_passwd_filter, instead than passdb_passwd-filter --- src/auth/auth-common.h | 5 +++++ src/auth/auth-request.c | 4 ++-- src/auth/auth.c | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/src/auth/auth-common.h b/src/auth/auth-common.h index f6b6aa9446..62e662f737 100644 --- a/src/auth/auth-common.h +++ b/src/auth/auth-common.h @@ -15,4 +15,9 @@ void auth_refresh_proctitle(void); void auth_worker_refresh_proctitle(const char *state); void auth_module_load(const char *name); +static inline const char *auth_driver_filter(const char *prefix, const char *driver) +{ + return t_strconcat(prefix, "_", t_str_replace(driver, '-', '_'), NULL); +} + #endif diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c index 7af85e935c..d57fc4d16e 100644 --- a/src/auth/auth-request.c +++ b/src/auth/auth-request.c @@ -632,7 +632,7 @@ void auth_request_passdb_lookup_begin(struct auth_request *request) const char *passdb_driver = request->passdb->passdb->iface.name; event_add_str(event, "passdb_driver", passdb_driver); settings_event_add_filter_name(event, - t_strconcat("passdb_", passdb_driver, NULL)); + auth_driver_filter("passdb", passdb_driver)); settings_event_add_list_filter_name(event, "passdb", request->passdb->name); event_set_log_prefix_callback(event, FALSE, @@ -702,7 +702,7 @@ void auth_request_userdb_lookup_begin(struct auth_request *request) const char *userdb_driver = request->userdb->userdb->iface->name; event_add_str(event, "userdb_driver", userdb_driver); settings_event_add_filter_name(event, - t_strconcat("userdb_", userdb_driver, NULL)); + auth_driver_filter("userdb", userdb_driver)); settings_event_add_list_filter_name(event, "userdb", request->userdb->name); event_set_log_prefix_callback(event, FALSE, diff --git a/src/auth/auth.c b/src/auth/auth.c index 3486b4c18e..3892ac698a 100644 --- a/src/auth/auth.c +++ b/src/auth/auth.c @@ -83,7 +83,7 @@ auth_passdb_preinit(struct auth *auth, const struct auth_passdb_settings *_set, event_add_str(event, "protocol", auth->protocol); event_add_str(event, "passdb", _set->name); settings_event_add_filter_name(event, - t_strconcat("passdb_", _set->driver, NULL)); + auth_driver_filter("passdb", _set->driver)); settings_event_add_list_filter_name(event, "passdb", _set->name); set = settings_get_or_fatal(event, &auth_passdb_setting_parser_info); @@ -155,7 +155,7 @@ auth_userdb_preinit(struct auth *auth, const struct auth_userdb_settings *_set) event_add_str(event, "protocol", auth->protocol); event_add_str(event, "userdb", _set->name); settings_event_add_filter_name(event, - t_strconcat("userdb_", _set->driver, NULL)); + auth_driver_filter("userdb", _set->driver)); settings_event_add_list_filter_name(event, "userdb", _set->name); if (_set == &userdb_dummy_set) { /* If this is the dummy set do not try to lookup settings. */ -- 2.52.0 ++++++ 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch ++++++ >From d96c98e08ca0d445bd46192829685fbeaf4014d1 Mon Sep 17 00:00:00 2001 From: Aki Tuomi <[email protected]> Date: Mon, 22 Dec 2025 11:04:16 +0200 Subject: [PATCH 1/3] lib-regex: Separate maximum capture groups and match limit These are not related. --- src/lib-regex/regex.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/lib-regex/regex.c b/src/lib-regex/regex.c index e402e6a49d..51e7d6c513 100644 --- a/src/lib-regex/regex.c +++ b/src/lib-regex/regex.c @@ -15,6 +15,7 @@ #define DREGEX_MAX_DEPTH 100 #define DREGEX_MAX_MATCHES 100 +#define DREGEX_MAX_CAPTURE_GROUPS 100 #define DREGEX_MAX_CPU_SECONDS 1 struct dregex_code { @@ -85,7 +86,7 @@ static void dregex_code_init(struct dregex_code *code) #endif /* Set some limits */ - pcre2_set_match_limit(code->mctx, code->max_capture_groups); + pcre2_set_match_limit(code->mctx, DREGEX_MAX_MATCHES); pcre2_set_depth_limit(code->mctx, code->max_depth); } @@ -104,7 +105,7 @@ struct dregex_code *dregex_code_create_params(const struct dregex_params *params static const struct dregex_params default_params = { .max_depth = DREGEX_MAX_DEPTH, .max_cpu_seconds = DREGEX_MAX_CPU_SECONDS, - .max_capture_groups = DREGEX_MAX_MATCHES, + .max_capture_groups = DREGEX_MAX_CAPTURE_GROUPS, }; struct dregex_code *dregex_code_create(void) @@ -337,7 +338,10 @@ int dregex_code_match_groups(struct dregex_code *code, const char *subject, pcre2_match_data *mdata = pcre2_match_data_create_from_pattern(code->pat, code->gctx); ret = dregex_code_match_int(code, subject, mdata, error_r); - if (ret > 1) { + /* Avoid extracting way too many capture groups */ + if (ret > (int)code->max_capture_groups + 1) + ret = handle_error(PCRE2_ERROR_TOO_MANY_CAPTURES, error_r); + else if (ret > 1) { bool skip_empty = HAS_ALL_BITS(code->flags, DREGEX_NO_EMPTY_SUB); /* ret is number of groups */ extract_matches((uint32_t)ret, mdata, skip_empty, groups_r); -- 2.52.0 ++++++ 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch ++++++ >From 929133d81dc5fb9e69640e67728b824098a1bbd3 Mon Sep 17 00:00:00 2001 From: Marco Bettini <[email protected]> Date: Tue, 16 Dec 2025 09:49:16 +0000 Subject: [PATCH 2/4] auth: Fix crypt -> CRYPT in passdb_passwd, passdb_ldap defaults for passdb_default_password_scheme --- src/auth/db-ldap-settings.c | 8 +++++++- src/auth/passdb-passwd.c | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/auth/db-ldap-settings.c b/src/auth/db-ldap-settings.c index d91fd7f4ea..d9d31ff791 100644 --- a/src/auth/db-ldap-settings.c +++ b/src/auth/db-ldap-settings.c @@ -52,9 +52,15 @@ static const struct ldap_settings ldap_default_settings = { }; static const struct setting_keyvalue ldap_default_settings_keyvalue[] = { - { "passdb_ldap/passdb_default_password_scheme", "crypt" }, { "passdb_ldap/passdb_fields_import_all", "no" }, { "userdb_ldap/userdb_fields_import_all", "no" }, + + /* This now now the same as the default passdb_default_password_scheme, + but it needs to be here explicitly as long as settings-history-core.txt + supports dovecot_config_version with + passdb_default_password_scheme=PLAIN default */ + { "passdb_ldap/passdb_default_password_scheme", "CRYPT" }, + { NULL, NULL } }; diff --git a/src/auth/passdb-passwd.c b/src/auth/passdb-passwd.c index 71f5800cf8..12210e6e0e 100644 --- a/src/auth/passdb-passwd.c +++ b/src/auth/passdb-passwd.c @@ -28,8 +28,14 @@ static const struct setting_define auth_passwd_setting_defines[] = { static const struct setting_keyvalue auth_passwd_default_settings_keyvalue[] = { { "passdb_passwd/passdb_use_worker", "yes" }, - { "passdb_passwd/passdb_default_password_scheme", "crypt" }, { "userdb_passwd/userdb_use_worker", "yes" }, + + /* This now now the same as the default passdb_default_password_scheme, + but it needs to be here explicitly as long as settings-history-core.txt + supports dovecot_config_version with + passdb_default_password_scheme=PLAIN default */ + { "passdb_passwd/passdb_default_password_scheme", "CRYPT" }, + { NULL, NULL } }; -- 2.52.0 ++++++ 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch ++++++ >From e704d9c72850684c1b82011c9550adbd4200f0eb Mon Sep 17 00:00:00 2001 From: Aki Tuomi <[email protected]> Date: Mon, 22 Dec 2025 11:05:31 +0200 Subject: [PATCH 2/3] lib-regex: Set DREGEX_MAX_MATCHES to library default --- src/lib-regex/regex.c | 2 +- src/lib-regex/test-regex.c | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/lib-regex/regex.c b/src/lib-regex/regex.c index 51e7d6c513..5ccf9d54be 100644 --- a/src/lib-regex/regex.c +++ b/src/lib-regex/regex.c @@ -14,7 +14,7 @@ #include "pcre2.h" #define DREGEX_MAX_DEPTH 100 -#define DREGEX_MAX_MATCHES 100 +#define DREGEX_MAX_MATCHES 10000000 #define DREGEX_MAX_CAPTURE_GROUPS 100 #define DREGEX_MAX_CPU_SECONDS 1 diff --git a/src/lib-regex/test-regex.c b/src/lib-regex/test-regex.c index 10b393e409..4b68bca2ce 100644 --- a/src/lib-regex/test-regex.c +++ b/src/lib-regex/test-regex.c @@ -158,19 +158,21 @@ static void test_dregex_match(void) "{1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]" "{1}[a-z]{2,3}))$", "thisisabstractly.andtotally.long.email@" - REP10("a") "." REP10("a") "." REP10("a") + REP10(REP10("a") "." REP10("a") "." REP10("a") "." REP10("a")) ".has", - "match limit exceeded", + "matching depth limit exceeded", 0, -1 ), MATCH_CASE_FULL( "(a|a?)+", - REP10("a") REP10("a"), - "match limit exceeded", + REP10(REP10("a") REP10("a") REP10("a")), + "matching depth limit exceeded", 0, -1 ), + /* Live test cases */ + MATCH_CASE("\\[.*PATCH.*\\]", "Subject: Re: [PATCH v2 3/6] arm64: dts: qcom: qcm6490-shift-otter: Ad"), /* IEEE.1003-2.1992 */ MATCH_CASE("me(\\+.*)?@company\\.com", "[email protected]"), -- 2.52.0 ++++++ 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch ++++++ >From 26e6fbff9caff4f14dc41b3dac5b1c2ce08da026 Mon Sep 17 00:00:00 2001 From: Marco Bettini <[email protected]> Date: Tue, 16 Dec 2025 09:47:03 +0000 Subject: [PATCH 3/4] auth: Make the default passdb_static/passdb_default_password_scheme = PLAIN explicit in preperation for the change of the global passdb_default_password_scheme default --- src/auth/auth-settings.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/auth/auth-settings.c b/src/auth/auth-settings.c index fa94044df8..e6fb6a833d 100644 --- a/src/auth/auth-settings.c +++ b/src/auth/auth-settings.c @@ -268,11 +268,17 @@ static const struct auth_static_settings auth_static_default_settings = { .userdb_static_allow_all_users = FALSE, }; +static const struct setting_keyvalue auth_static_default_settings_keyvalue[] = { + { "passdb_static/passdb_default_password_scheme", "PLAIN" }, + { NULL, NULL } +}; + const struct setting_parser_info auth_static_setting_parser_info = { .name = "auth_static", .defines = auth_static_setting_defines, .defaults = &auth_static_default_settings, + .default_settings = auth_static_default_settings_keyvalue, .struct_size = sizeof(struct auth_static_settings), .pool_offset1 = 1 + offsetof(struct auth_static_settings, pool), -- 2.52.0 ++++++ 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch ++++++ >From 7619375c605708414664e351bbab0f084e687e8f Mon Sep 17 00:00:00 2001 From: Aki Tuomi <[email protected]> Date: Mon, 22 Dec 2025 22:01:18 +0200 Subject: [PATCH 3/3] lib-regex: Limit number of capture groups correctly We create at maximum max_capture_groups match groups. --- src/lib-regex/regex.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/src/lib-regex/regex.c b/src/lib-regex/regex.c index 5ccf9d54be..d48b48adf3 100644 --- a/src/lib-regex/regex.c +++ b/src/lib-regex/regex.c @@ -336,12 +336,9 @@ int dregex_code_match_groups(struct dregex_code *code, const char *subject, T_BEGIN { pcre2_match_data *mdata = - pcre2_match_data_create_from_pattern(code->pat, code->gctx); + pcre2_match_data_create(code->max_capture_groups, code->gctx); ret = dregex_code_match_int(code, subject, mdata, error_r); - /* Avoid extracting way too many capture groups */ - if (ret > (int)code->max_capture_groups + 1) - ret = handle_error(PCRE2_ERROR_TOO_MANY_CAPTURES, error_r); - else if (ret > 1) { + if (ret > 1) { bool skip_empty = HAS_ALL_BITS(code->flags, DREGEX_NO_EMPTY_SUB); /* ret is number of groups */ extract_matches((uint32_t)ret, mdata, skip_empty, groups_r); -- 2.52.0 ++++++ 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch ++++++ >From 5831161b1eb27c78246ffff562a5c5c3eb3bbade Mon Sep 17 00:00:00 2001 From: Marco Bettini <[email protected]> Date: Tue, 9 Dec 2025 09:18:19 +0000 Subject: [PATCH 4/4] auth: Set CRYPT as default passdb_default_password_scheme --- src/auth/auth-settings.c | 2 +- src/lib-settings/settings-history-core.txt | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) Index: core/src/auth/auth-settings.c =================================================================== --- core.orig/src/auth/auth-settings.c +++ core/src/auth/auth-settings.c @@ -136,7 +136,7 @@ static const struct auth_passdb_settings .mechanisms_filter = ARRAY_INIT, .username_filter = "", - .default_password_scheme = "PLAIN", + .default_password_scheme = "CRYPT", .skip = "never:authenticated:unauthenticated", .result_success = "return-ok:return:return-fail:continue:continue-ok:continue-fail", Index: core/src/lib-settings/settings-history-core.txt =================================================================== --- core.orig/src/lib-settings/settings-history-core.txt +++ core/src/lib-settings/settings-history-core.txt @@ -1,3 +1,6 @@ +default passdb_ldap/passdb_default_password_scheme CRYPT 2.4.2 3.2.0 +default passdb_passwd/passdb_default_password_scheme CRYPT 2.4.2 3.2.0 +default passdb_default_password_scheme PLAIN 2.4.2 3.2.0 default mail_attachment_detection_options 2.4.2 3.2.0 default @metric_defaults/proxy/metric auth_successes,auth_failures,login_aborted 2.4.2 3.2.0 default fts_search_read_fallback yes - 3.2.0
