Package: dovecot-mysql
Version: 1:2.3.4-2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

while running dovecot with the mysql auth package, I frequently get auth segfaults in the kernel log such as:

[51013.656961] auth[17706]: segfault at 60 ip 00007f003b360a7b sp 00007ffe800d7f30 error 4 in libmariadb.so.3[7f003b354000+26000]
[51013.658978] Code: 85 ff 0f 84 27 01 00 00 55 48 89 e5 41 54 53 48 8b 87 f0 04 00 00 48 89 fb 48 85 c0 74 2d 4c 8b 20 4d 85 e4 74 25 49 8b 04 24 <48> 8b 40 60 48 85 c0 74 02 ff d0 4c 89 e7 e8 92 3c ff ff 48 8b 83

I attached gdb to the auth process, but I was unable to get debug symbols for libmariadbclient.so.18. Anyway, I get these stacktraces for the crash - which seems to be a crash on disconnect / mysql_close().

#1  0x00007f59d8d08535 in __GI_abort () at abort.c:79
#2  0x00007f59d8d5f718 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f59d8e6a29a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007f59d8d65e3a in malloc_printerr (str=str@entry=0x7f59d8e6bf60 "free(): double free detected in tcache 2") at malloc.c:5382
#4  0x00007f59d8d6791d in _int_free (av=0x7f59d8ea1c40 <main_arena>, p=0x564222bd44e0, have_lock=<optimized out>) at malloc.c:4193
#5  0x00007f59d8c1ea8e in mysql_close () from target:/usr/lib/x86_64-linux-gnu/libmariadbclient.so.18
#6  0x00007f59d91801fe in ?? () from target:/usr/lib/dovecot/modules/auth/libdriver_mysql.so
#7  0x0000564220be2a14 in ?? ()
#8  0x0000564220bd88f1 in db_sql_unref ()
#9  0x0000564220bcd92e in passdb_deinit ()
#10 0x0000564220bb7099 in auths_deinit ()
#11 0x0000564220bb5e0c in main ()

I would expect not to have such crashes during the operation of the auth module.

My sql auth configuration is as follows:

driver = mysql
connect = host=127.0.0.1 dbname=maildb user=mail password=<removed>
default_pass_scheme = CRYPT
password_query = SELECT email AS user, newcrypt AS password FROM passwd WHERE email = '%u'
iterate_query = SELECT email AS user FROM passwd

The table schema for the passwd table is:

DESCRIBE passwd
email     char(128)         NO  PRI
newcrypt  char(128)         NO
name      char(128)         NO
uid       int(10) unsigned  NO       8
gid       int(10) unsigned  NO       8
home      char(255)         NO
maildir   char(255)         NO
quota     char(255)         NO

-- Package-specific info:

dovecot configuration
---------------------
# 2.3.4 (0ecbaf23d): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-1-amd64 x86_64 Debian buster/sid ext4
# Hostname: mail.drwebdesign.de
protocol lmtp {
  mail_plugins = fts fts_solr sieve
}
protocol imap {
  mail_max_userip_connections = 100
}

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dovecot-mysql depends on:
ii  dovecot-core                             1:2.3.4-2
ii  libc6                                    2.28-3
ii  libmariadbclient18 [libmariadbclient18]  1:10.3.11-3
ii  zlib1g                                   1:1.2.11.dfsg-1

dovecot-mysql recommends no packages.

dovecot-mysql suggests no packages.

Versions of packages dovecot-mysql is related to:
ii  dovecot-core [dovecot-common]  1:2.3.4-2
ii  dovecot-dev                    1:2.3.4-2
ii  dovecot-gssapi                 1:2.3.4-2
ii  dovecot-imapd                  1:2.3.4-2
ii  dovecot-ldap                   1:2.3.4-2
ii  dovecot-lmtpd                  1:2.3.4-2
pn  dovecot-managesieved           <none>
ii  dovecot-mysql                  1:2.3.4-2
ii  dovecot-pgsql                  1:2.3.4-2
pn  dovecot-pop3d                  <none>
ii  dovecot-sieve                  1:2.3.4-2
ii  dovecot-sqlite                 1:2.3.4-2

-- no debconf information