On 13:22 Sun 04 Mar , debbug.dovecot.imap.zlib.nospam....@sub.noloop.net wrote: > I was also hit hard by this bug after a recent upgrade from debian 8.x to > debian 9.x. > > Dovecot spams the following lines multiple times per second and my .gz > compressed mbox archives do not appear to work properly over imap: > > Mar 3 18:37:28 hostname dovecot: imap(username): Panic: file istream-zlib.c: > line 416 (i_stream_zlib_seek): assertion failed: (ret == -1) > Mar 3 18:37:28 hostname dovecot: imap(username): Fatal: master: > service(imap): child 2768 killed with signal 6 (core dumps disabled) > > It would appear that Dovecot 2.2.33 contains a likely fix, based on > https://www.dovecot.org/doc/NEWS > "mbox, zlib: Fix assert-crash when accessing compressed mbox"
Good catch, this appears to be the following commit: https://github.com/dovecot/core/commit/c27f060a08d3bbf89fadd58baf61f5ba97a47e3a > > Stretch only contains 2.2.27, but there is a 2.2.33.2-1~bpo9+1 in > stretch-backports. It looks like the stretch-backports package was last > uploaded on 15 Nov 2017, so it probably does not contain the security fixes > included in DSA-4130-1 which was published on 02 Mar 2018. No, it doesn't. I have a backport of 2.2.34 ready to upload, once 2.2.34 hits testing, which should be tomorrow morning. > Is there a chance that the "mbox,zlib" fix from 2.2.33 could be included in a > later Debian 9.x point release? I'm not keen on running a backports package > that does not appear to get timely security updates. Yes, I could include this in a stable update. Would you be willing to test the proposed update? Regards, Apollon
