On Thu, Mar 05, 2026 at 06:23:58PM -0500, Noah Meyerhans wrote:
> I'd like to fix two crashes in dovecot components in trixie. Both of these
> have impacted Debian users.
Actually, there are now three crashes to fix in trixie. Another bug was
opened yesterday, which is already fixed in sid/forky. I've prepared a
backport of the fix. Please see the new debdiff, attached.
The changelog entry is now:
dovecot (1:2.4.1+dfsg1-6+deb13u3) trixie; urgency=medium
* [1186296] import upstream fix for possible crash in ldap userdb
(Closes: #1121000)
* [14c13a5] backport upstream fix for crash in trash plugin (Closes: #1127029)
* [95bf3b3] Backport fix for segfault when group ACLs are present but the
user has no groups (Closes: #1129952)
-- Noah Meyerhans <[email protected]> Fri, 06 Mar 2026 09:36:28 -0500
Thanks
noah
diff -Nru dovecot-2.4.1+dfsg1/debian/changelog
dovecot-2.4.1+dfsg1/debian/changelog
--- dovecot-2.4.1+dfsg1/debian/changelog 2025-10-23 10:01:33.000000000
-0400
+++ dovecot-2.4.1+dfsg1/debian/changelog 2026-03-06 09:36:28.000000000
-0500
@@ -1,3 +1,13 @@
+dovecot (1:2.4.1+dfsg1-6+deb13u3) trixie; urgency=medium
+
+ * [1186296] import upstream fix for possible crash in ldap userdb
+ (Closes: #1121000)
+ * [14c13a5] backport upstream fix for crash in trash plugin (Closes:
#1127029)
+ * [95bf3b3] Backport fix for segfault when group ACLs are present but the
+ user has no groups (Closes: #1129952)
+
+ -- Noah Meyerhans <[email protected]> Fri, 06 Mar 2026 09:36:28 -0500
+
dovecot (1:2.4.1+dfsg1-6+deb13u2) trixie; urgency=medium
* [6ac2883] Clean up a few typos in default/example config (Closes: #1112667)
diff -Nru
dovecot-2.4.1+dfsg1/debian/patches/0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch
dovecot-2.4.1+dfsg1/debian/patches/0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch
---
dovecot-2.4.1+dfsg1/debian/patches/0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch
1969-12-31 19:00:00.000000000 -0500
+++
dovecot-2.4.1+dfsg1/debian/patches/0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch
2026-03-06 09:36:28.000000000 -0500
@@ -0,0 +1,63 @@
+From 06af53902479572fc96f04b4372fdabb9d01996b Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <[email protected]>
+Date: Fri, 9 Jan 2026 13:31:42 +0200
+Subject: [PATCH] trash: Use mailbox event in trash_try_mailbox() for settings
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127029
+
+---
+ src/plugins/trash/trash-plugin.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/plugins/trash/trash-plugin.c
b/src/plugins/trash/trash-plugin.c
+index 827ba91ec5..7865de2ef6 100644
+--- a/src/plugins/trash/trash-plugin.c
++++ b/src/plugins/trash/trash-plugin.c
+@@ -570,14 +570,13 @@ static int trash_mailbox_priority_cmp(const struct
trash_mailbox *t1,
+ return strcmp(t1->name, t2->name);
+ }
+
+-static int trash_try_mailbox(struct mail_namespace *ns, const char *box_name,
++static int trash_try_mailbox(struct mail_namespace *ns, struct event
*mbox_event,
+ const char **error_r)
+ {
+ struct trash_user *tuser = TRASH_USER_CONTEXT_REQUIRE(ns->user);
+ const struct trash_settings *trash_set;
+- if (settings_try_get_filter(ns->list->event, "mailbox", box_name,
+- &trash_setting_parser_info, 0,
+- &trash_set, error_r) < 0)
++ if (settings_get(mbox_event, &trash_setting_parser_info, 0,
++ &trash_set, error_r) < 0)
+ return -1;
+ unsigned int trash_priority = trash_set->trash_priority;
+ settings_free(trash_set);
+@@ -586,9 +585,8 @@ static int trash_try_mailbox(struct mail_namespace *ns,
const char *box_name,
+ return 0;
+
+ const struct mailbox_settings *box_set;
+- if (settings_try_get_filter(ns->list->event, "mailbox", box_name,
+- &mailbox_setting_parser_info, 0,
+- &box_set, error_r) < 0)
++ if (settings_get(mbox_event, &mailbox_setting_parser_info, 0,
++ &box_set, error_r) < 0)
+ return -1;
+
+ const char *vname =
+@@ -618,10 +616,14 @@ static int trash_find_mailboxes(struct mail_user *user)
+ continue;
+
+ array_foreach_elem(&ns->set->mailboxes, box_name) {
+- if (trash_try_mailbox(ns, box_name, &error) < 0) {
++ struct event *mbox_event =
++
mail_storage_mailbox_create_event(ns->list->event, ns->list, box_name);
++ if (trash_try_mailbox(ns, mbox_event, &error) < 0) {
+ user->error = p_strdup(user->pool, error);
++ event_unref(&mbox_event);
+ return -1;
+ }
++ event_unref(&mbox_event);
+ }
+ }
+
+--
+2.47.3
+
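Review bot: In the trash_find_mailboxes() hunk the new `event_unref(&mbox_event)` appears twice, once before the error return and once at the end of the loop body, so any exit path added to this loop later has to remember the unref or it leaks one event per mailbox. Releasing the event directly after the call keeps it to one site: `int ret = trash_try_mailbox(ns, mbox_event, &error);`, then `event_unref(&mbox_event);`, then `if (ret < 0) {`. This assumes `error` does not point into memory owned by the event, which the hunk does not show. A short comment above trash_try_mailbox() stating that `mbox_event` is borrowed and the caller keeps the reference would document the new parameter. Both functions begin or end outside the hunks shown.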
diff -Nru
dovecot-2.4.1+dfsg1/debian/patches/acl-Fix-crash-when-group-ACLs-are-used-but-user-s-ac.patch
dovecot-2.4.1+dfsg1/debian/patches/acl-Fix-crash-when-group-ACLs-are-used-but-user-s-ac.patch
---
dovecot-2.4.1+dfsg1/debian/patches/acl-Fix-crash-when-group-ACLs-are-used-but-user-s-ac.patch
1969-12-31 19:00:00.000000000 -0500
+++
dovecot-2.4.1+dfsg1/debian/patches/acl-Fix-crash-when-group-ACLs-are-used-but-user-s-ac.patch
2026-03-06 09:36:28.000000000 -0500
@@ -0,0 +1,28 @@
+From 003bf9a6959714e0f696f0015c8c712e89962b9b Mon Sep 17 00:00:00 2001
+From: Marco Bettini <[email protected]>
+Date: Thu, 28 Aug 2025 15:09:56 +0000
+Subject: [PATCH] acl: Fix crash when group ACLs are used, but user's
+ acl_groups is empty
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129952
+
+---
+ src/plugins/acl/acl-backend.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/acl/acl-backend.c b/src/plugins/acl/acl-backend.c
+index 2ad901cd96..cc08d702dd 100644
+--- a/src/plugins/acl/acl-backend.c
++++ b/src/plugins/acl/acl-backend.c
+@@ -155,7 +155,8 @@ bool acl_backend_user_name_equals(struct acl_backend
*backend,
+ bool acl_backend_user_is_in_group(struct acl_backend *backend,
+ const char *group_name)
+ {
+- return array_bsearch(&backend->set->acl_groups, group_name,
++ return array_not_empty(&backend->set->acl_groups) &&
++ array_bsearch(&backend->set->acl_groups, group_name,
+ search_strcmp) != NULL;
+ }
+
+--
+2.47.3
+
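Review bot: acl_backend_user_is_in_group() is an authorization predicate, yet the added `array_not_empty()` guard has no comment saying why it is needed or that an unset group list is answered as "member of no group". A one-line comment above the return would record that, e.g. `/* acl_groups may be unset when the user has no groups: answer "not a member" instead of searching */`. `array_bsearch()` presumably also depends on acl_groups being sorted in the order `search_strcmp` expects. Where that sorting happens is not visible in this hunk, so the comment should name that precondition too.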
diff -Nru
dovecot-2.4.1+dfsg1/debian/patches/bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch
dovecot-2.4.1+dfsg1/debian/patches/bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch
---
dovecot-2.4.1+dfsg1/debian/patches/bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch
1969-12-31 19:00:00.000000000 -0500
+++
dovecot-2.4.1+dfsg1/debian/patches/bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch
2026-03-04 20:13:48.000000000 -0500
@@ -0,0 +1,28 @@
+From 576a2f52bff4c13971d9e6d1172857a4f18ddd14 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <[email protected]>
+Date: Thu, 6 Nov 2025 14:52:37 +0200
+Subject: [PATCH] auth: ldap - Fix crash if users are iterated, but
+ userdb_ldap_iterate_fields is not set
+Bug-Debian: https://bugs.debian.org/1121000
+---
+ src/auth/userdb-ldap.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/auth/userdb-ldap.c b/src/auth/userdb-ldap.c
+index 7d6d2bc38a..7aad2db74f 100644
+--- a/src/auth/userdb-ldap.c
++++ b/src/auth/userdb-ldap.c
+@@ -201,8 +201,11 @@ static void userdb_ldap_iterate_callback(struct
ldap_connection *conn,
+ &set, &error) < 0) {
+ e_error(event, "%s", error);
+ ctx->ctx.failed = TRUE;
+- }
+- else {
++ } else if (!array_is_created(&set->iterate_fields)) {
++ e_error(event, "iterate: No userdb_ldap_iterate_fields
specified");
++ ctx->ctx.failed = TRUE;
++ settings_free(set);
++ } else {
+ unsigned int count;
+ const char *const *items = array_get(&set->iterate_fields,
&count);
+ for (unsigned int ndx = 0; ndx < count - 1;) {
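Review bot: The new `!array_is_created(&set->iterate_fields)` check rejects only an array that was never created, so an array that exists but holds no elements still reaches the loop below. There `count - 1` on an `unsigned int` of 0 wraps around and the bound no longer limits `ndx`. Whether the settings parser can produce a created-but-empty list is not visible here, so it is safer to treat both cases alike with `} else if (!array_not_empty(&set->iterate_fields)) {`, the same helper the acl patch in this upload uses. Alternatively the loop bound can be written as `ndx + 1 < count`. The callback starts before this hunk and continues past it, so the loop body is not shown.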
diff -Nru dovecot-2.4.1+dfsg1/debian/patches/series
dovecot-2.4.1+dfsg1/debian/patches/series
--- dovecot-2.4.1+dfsg1/debian/patches/series 2025-10-23 10:01:33.000000000
-0400
+++ dovecot-2.4.1+dfsg1/debian/patches/series 2026-03-06 09:36:12.000000000
-0500
@@ -29,3 +29,6 @@
auth__Use_AUTH_CACHE_KEY_USER_instead_of_per-database.patch
auth__Terminate_properly_auth_oauth2_post_setting_defines.patch
lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch
+bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch
+0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch
+acl-Fix-crash-when-group-ACLs-are-used-but-user-s-ac.patch