Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package dovecot
2.3.4.1-2 (already in unstable) fixes a double-free crash in the MySQL
driver, used primarily by dovecot's auth subsystem (see #918339). The
fix has been cherry-picked from upstream.
The only other change is bumping Standards-Version, which is trivial.
Full source debdiff attached.
Thanks,
Apollon
unblock dovecot/2.3.4.1-2
diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog
--- dovecot-2.3.4.1/debian/changelog 2019-02-05 16:19:12.000000000 +0200
+++ dovecot-2.3.4.1/debian/changelog 2019-03-14 11:02:39.000000000 +0200
@@ -1,3 +1,16 @@
+dovecot (1:2.3.4.1-2) unstable; urgency=medium
+
+ [ Laurent Bigonville ]
+ * [ac99918] Fix double-free crash in mysql driver
+ Fix double closing of the connection in the mysql driver, this should
+ fix the crash in the dovecot auth process, taken from upstream.
+ (Closes: #918339)
+
+ [ Apollon Oikonomopoulos ]
+ * [8a30446] Bump Standards-Version to 4.3.0; no changes needed
+
+ -- Apollon Oikonomopoulos <apoi...@debian.org> Thu, 14 Mar 2019 11:02:39
+0200
+
dovecot (1:2.3.4.1-1) unstable; urgency=high
* [bebf0b4] New upstream version 2.3.4.1
diff -Nru dovecot-2.3.4.1/debian/control dovecot-2.3.4.1/debian/control
--- dovecot-2.3.4.1/debian/control 2019-02-05 16:19:12.000000000 +0200
+++ dovecot-2.3.4.1/debian/control 2019-03-14 11:02:39.000000000 +0200
@@ -32,7 +32,7 @@
lsb-release,
pkg-config,
zlib1g-dev
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
Homepage: http://dovecot.org/
Vcs-Git: https://salsa.debian.org/debian/dovecot.git
Vcs-Browser: https://salsa.debian.org/debian/dovecot
diff -Nru dovecot-2.3.4.1/debian/patches/avoid-double-closing-mysql.patch
dovecot-2.3.4.1/debian/patches/avoid-double-closing-mysql.patch
--- dovecot-2.3.4.1/debian/patches/avoid-double-closing-mysql.patch
1970-01-01 02:00:00.000000000 +0200
+++ dovecot-2.3.4.1/debian/patches/avoid-double-closing-mysql.patch
2019-03-14 11:02:39.000000000 +0200
@@ -0,0 +1,39 @@
+From 3c5101ffdd2a8115e03ed7180d53578765dea4c9 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tu...@dovecot.fi>
+Date: Tue, 4 Dec 2018 14:40:04 +0200
+Subject: [PATCH] driver-mysql: Avoid double-closing MySQL connection
+
+Fixes double-free
+---
+ src/lib-sql/driver-mysql.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib-sql/driver-mysql.c b/src/lib-sql/driver-mysql.c
+index c87e825e4..5dd1c3124 100644
+--- a/src/lib-sql/driver-mysql.c
++++ b/src/lib-sql/driver-mysql.c
+@@ -173,7 +173,9 @@ static int driver_mysql_connect(struct sql_db *_db)
+ static void driver_mysql_disconnect(struct sql_db *_db)
+ {
+ struct mysql_db *db = (struct mysql_db *)_db;
+- mysql_close(db->mysql);
++ if (db->mysql != NULL)
++ mysql_close(db->mysql);
++ db->mysql = NULL;
+ }
+
+ static int driver_mysql_parse_connect_string(struct mysql_db *db,
+@@ -311,7 +313,9 @@ static void driver_mysql_deinit_v(struct sql_db *_db)
+ _db->no_reconnect = TRUE;
+ sql_db_set_state(&db->api, SQL_DB_STATE_DISCONNECTED);
+
+- mysql_close(db->mysql);
++ if (db->mysql != NULL)
++ mysql_close(db->mysql);
++ db->mysql = NULL;
+
+ sql_connection_log_finished(_db);
+ event_unref(&_db->event);
+--
+2.20.1
+
diff -Nru dovecot-2.3.4.1/debian/patches/series
dovecot-2.3.4.1/debian/patches/series
--- dovecot-2.3.4.1/debian/patches/series 2019-02-05 16:19:12.000000000
+0200
+++ dovecot-2.3.4.1/debian/patches/series 2019-03-14 11:02:39.000000000
+0200
@@ -8,4 +8,5 @@
dovecot_name.patch
ssl-dh-params-location.patch
lib-master-test-event-stats-Use-PRIu64-format.patch
+avoid-double-closing-mysql.patch
debian-changes
