Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:dovecot
User: [email protected]
Usertags: pu
[ Reason ]
I'd like to fix two crashes in dovecot components in trixie. Both of these
have impacted Debian users.
[ Impact ]
Behavior that's expected to work instead results in a crash. Practically
speaking, this means certain valid configurations of dovecot are unusable
and admins will need to disable some functionality.
[ Tests ]
Both fixes are backported from upstream's git repository and have been
tested manually and deployed in various (non Debian) production
environments.
[ Risks ]
As the fixes are backports from upstream, I consider them to be well
understood and of minimal risk.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
dovecot (1:2.4.1+dfsg1-6+deb13u3) trixie; urgency=medium
* [1186296] import upstream fix for possible crash in ldap userdb
(Closes: #1121000)
* [14c13a5] backport upstream fix for crash in trash plugin (Closes: #1127029)
-- Noah Meyerhans <[email protected]> Wed, 04 Mar 2026 20:32:42 -0500
dovecot (1:2.4.1+dfsg1-6+deb13u2) trixie; urgency=medium
diff -Nru dovecot-2.4.1+dfsg1/debian/changelog
dovecot-2.4.1+dfsg1/debian/changelog
--- dovecot-2.4.1+dfsg1/debian/changelog 2025-10-23 10:01:33.000000000
-0400
+++ dovecot-2.4.1+dfsg1/debian/changelog 2026-03-04 20:32:42.000000000
-0500
@@ -1,3 +1,11 @@
+dovecot (1:2.4.1+dfsg1-6+deb13u3) trixie; urgency=medium
+
+ * [1186296] import upstream fix for possible crash in ldap userdb
+ (Closes: #1121000)
+ * [14c13a5] backport upstream fix for crash in trash plugin (Closes:
#1127029)
+
+ -- Noah Meyerhans <[email protected]> Wed, 04 Mar 2026 20:32:42 -0500
+
dovecot (1:2.4.1+dfsg1-6+deb13u2) trixie; urgency=medium
* [6ac2883] Clean up a few typos in default/example config (Closes: #1112667)
diff -Nru
dovecot-2.4.1+dfsg1/debian/patches/0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch
dovecot-2.4.1+dfsg1/debian/patches/0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch
---
dovecot-2.4.1+dfsg1/debian/patches/0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch
1969-12-31 19:00:00.000000000 -0500
+++
dovecot-2.4.1+dfsg1/debian/patches/0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch
2026-03-04 20:21:12.000000000 -0500
@@ -0,0 +1,62 @@
+From 06af53902479572fc96f04b4372fdabb9d01996b Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <[email protected]>
+Date: Fri, 9 Jan 2026 13:31:42 +0200
+Subject: [PATCH] trash: Use mailbox event in trash_try_mailbox() for settings
+
+---
+ src/plugins/trash/trash-plugin.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/plugins/trash/trash-plugin.c
b/src/plugins/trash/trash-plugin.c
+index 827ba91ec5..7865de2ef6 100644
+--- a/src/plugins/trash/trash-plugin.c
++++ b/src/plugins/trash/trash-plugin.c
+@@ -570,14 +570,13 @@ static int trash_mailbox_priority_cmp(const struct
trash_mailbox *t1,
+ return strcmp(t1->name, t2->name);
+ }
+
+-static int trash_try_mailbox(struct mail_namespace *ns, const char *box_name,
++static int trash_try_mailbox(struct mail_namespace *ns, struct event
*mbox_event,
+ const char **error_r)
+ {
+ struct trash_user *tuser = TRASH_USER_CONTEXT_REQUIRE(ns->user);
+ const struct trash_settings *trash_set;
+- if (settings_try_get_filter(ns->list->event, "mailbox", box_name,
+- &trash_setting_parser_info, 0,
+- &trash_set, error_r) < 0)
++ if (settings_get(mbox_event, &trash_setting_parser_info, 0,
++ &trash_set, error_r) < 0)
+ return -1;
+ unsigned int trash_priority = trash_set->trash_priority;
+ settings_free(trash_set);
+@@ -586,9 +585,8 @@ static int trash_try_mailbox(struct mail_namespace *ns,
const char *box_name,
+ return 0;
+
+ const struct mailbox_settings *box_set;
+- if (settings_try_get_filter(ns->list->event, "mailbox", box_name,
+- &mailbox_setting_parser_info, 0,
+- &box_set, error_r) < 0)
++ if (settings_get(mbox_event, &mailbox_setting_parser_info, 0,
++ &box_set, error_r) < 0)
+ return -1;
+
+ const char *vname =
+@@ -618,10 +616,14 @@ static int trash_find_mailboxes(struct mail_user *user)
+ continue;
+
+ array_foreach_elem(&ns->set->mailboxes, box_name) {
+- if (trash_try_mailbox(ns, box_name, &error) < 0) {
++ struct event *mbox_event =
++
mail_storage_mailbox_create_event(ns->list->event, ns->list, box_name);
++ if (trash_try_mailbox(ns, mbox_event, &error) < 0) {
+ user->error = p_strdup(user->pool, error);
++ event_unref(&mbox_event);
+ return -1;
+ }
++ event_unref(&mbox_event);
+ }
+ }
+
+--
+2.47.3
+
diff -Nru
dovecot-2.4.1+dfsg1/debian/patches/bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch
dovecot-2.4.1+dfsg1/debian/patches/bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch
---
dovecot-2.4.1+dfsg1/debian/patches/bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch
1969-12-31 19:00:00.000000000 -0500
+++
dovecot-2.4.1+dfsg1/debian/patches/bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch
2026-03-04 20:13:48.000000000 -0500
@@ -0,0 +1,28 @@
+From 576a2f52bff4c13971d9e6d1172857a4f18ddd14 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <[email protected]>
+Date: Thu, 6 Nov 2025 14:52:37 +0200
+Subject: [PATCH] auth: ldap - Fix crash if users are iterated, but
+ userdb_ldap_iterate_fields is not set
+Bug-Debian: https://bugs.debian.org/1121000
+---
+ src/auth/userdb-ldap.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/auth/userdb-ldap.c b/src/auth/userdb-ldap.c
+index 7d6d2bc38a..7aad2db74f 100644
+--- a/src/auth/userdb-ldap.c
++++ b/src/auth/userdb-ldap.c
+@@ -201,8 +201,11 @@ static void userdb_ldap_iterate_callback(struct
ldap_connection *conn,
+ &set, &error) < 0) {
+ e_error(event, "%s", error);
+ ctx->ctx.failed = TRUE;
+- }
+- else {
++ } else if (!array_is_created(&set->iterate_fields)) {
++ e_error(event, "iterate: No userdb_ldap_iterate_fields
specified");
++ ctx->ctx.failed = TRUE;
++ settings_free(set);
++ } else {
+ unsigned int count;
+ const char *const *items = array_get(&set->iterate_fields,
&count);
+ for (unsigned int ndx = 0; ndx < count - 1;) {
diff -Nru dovecot-2.4.1+dfsg1/debian/patches/series
dovecot-2.4.1+dfsg1/debian/patches/series
--- dovecot-2.4.1+dfsg1/debian/patches/series 2025-10-23 10:01:33.000000000
-0400
+++ dovecot-2.4.1+dfsg1/debian/patches/series 2026-03-04 20:21:24.000000000
-0500
@@ -29,3 +29,5 @@
auth__Use_AUTH_CACHE_KEY_USER_instead_of_per-database.patch
auth__Terminate_properly_auth_oauth2_post_setting_defines.patch
lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch
+bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch
+0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch
