Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:dovecot
User: [email protected]
Usertags: pu

Dovecot was updated in bookworm to fix several vulnerabilities with DSA
6197.  There are two issues with the backported fixes that need to be
addressed, but that weren't of a high enough severity to warrant another DSA
revision.  I'd like to correct these issues in the next bookworm point
release.

The issues corrected here are:

An incomplete backport of the CVE-2026-27855 patch from upstream failed to
wrap a call to set_credentials() with the appropriate event delimiters as
intended by upstream.  This was due to a refactor in the 2.4.x development
lifecycle moving this call to another file, and the person performing the
backport to 2.3.x didn't account for the refactor.

The second issue is a memory leak inadvertently introduced when backporting
the fix for CVE-2026-27857.  This is the same leak that needs fixing in
trixie (#1135871).  The solution is to remove the unnecessary
reinitialization of a pointer in src/imap-login/imap-login-cmd-id.c.  Fixing
this also required refreshing subsequent patches for the same vulnerability
due to contextual changes.

debdiff is attached.

noah
diff -Nru dovecot-2.3.19.1+dfsg1/debian/changelog 
dovecot-2.3.19.1+dfsg1/debian/changelog
--- dovecot-2.3.19.1+dfsg1/debian/changelog     2026-04-23 09:40:11.000000000 
-0400
+++ dovecot-2.3.19.1+dfsg1/debian/changelog     2026-05-06 16:09:12.000000000 
-0400
@@ -1,3 +1,10 @@
+dovecot (1:2.3.19.1+dfsg1-2.1+deb12u5) bookworm; urgency=medium
+
+  * [faff670] Correct incomplete backport of CVE-2026-27855 fix
+  * [0e4447b] Fix memory leak in CVE-2026-27857 fix
+
+ -- Noah Meyerhans <[email protected]>  Wed, 06 May 2026 16:09:12 -0400
+
 dovecot (1:2.3.19.1+dfsg1-2.1+deb12u4) bookworm-security; urgency=medium
 
   * [0669596] Add tests for bug 1134464 regression
diff -Nru dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27855-3.patch 
dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27855-3.patch
--- dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27855-3.patch        
2026-04-23 09:40:11.000000000 -0400
+++ dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27855-3.patch        
2026-05-05 20:24:18.000000000 -0400
@@ -17,10 +17,10 @@
  src/auth/auth-worker-server.c | 2 ++
  2 files changed, 6 insertions(+)
 
-Index: dovecot/src/auth/auth-request.c
+Index: 2.3/src/auth/auth-request.c
 ===================================================================
---- dovecot.orig/src/auth/auth-request.c
-+++ dovecot/src/auth/auth-request.c
+--- 2.3.orig/src/auth/auth-request.c
++++ 2.3/src/auth/auth-request.c
 @@ -1341,6 +1341,8 @@ void auth_request_set_credentials(struct
        struct auth_passdb *passdb = request->passdb;
        const char *cache_key, *new_credentials;
@@ -39,3 +39,18 @@
  }
  
  static void auth_request_userdb_save_cache(struct auth_request *request,
+Index: 2.3/src/auth/auth-worker-client.c
+===================================================================
+--- 2.3.orig/src/auth/auth-worker-client.c
++++ 2.3/src/auth/auth-worker-client.c
+@@ -490,8 +490,10 @@ auth_worker_handle_setcred(struct auth_w
+               }
+       }
+ 
++      auth_request_passdb_event_begin(auth_request);
+       auth_request->passdb->passdb->iface.
+               set_credentials(auth_request, creds, set_credentials_callback);
++      auth_request_passdb_event_end(auth_request);
+       return TRUE;
+ }
+ 
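Review bot: The patch header still lists `src/auth/auth-worker-server.c | 2 ++` in its diffstat, while the section appended here puts the two added calls in `src/auth/auth-worker-client.c`, so the header no longer describes what the patch touches on 2.3. I would record the adaptation in the patch description, for example `Backport note: on 2.3 the set_credentials() call is in auth-worker-client.c, not auth-worker-server.c`, so a later refresh does not lose this section again. Separately, `auth_request_passdb_event_end()` runs as soon as `set_credentials()` returns; if a passdb backend finishes later through `set_credentials_callback`, that callback would presumably run outside the passdb event, which is worth confirming against upstream. The body of auth_worker_handle_setcred starts outside the hunk.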
diff -Nru dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-2.patch 
dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-2.patch
--- dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-2.patch        
2026-04-23 09:40:11.000000000 -0400
+++ dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-2.patch        
2026-05-05 20:24:18.000000000 -0400
@@ -20,10 +20,10 @@
  src/plugins/virtual/virtual-config.c   |  2 +-
  13 files changed, 30 insertions(+), 19 deletions(-)
 
-Index: dovecot/src/imap-login/imap-login-client.c
+Index: 2.3/src/imap-login/imap-login-client.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-client.c
-+++ dovecot/src/imap-login/imap-login-client.c
+--- 2.3.orig/src/imap-login/imap-login-client.c
++++ 2.3/src/imap-login/imap-login-client.c
 @@ -379,7 +379,7 @@ static void imap_client_create(struct cl
        imap_client->parser =
                imap_parser_create(imap_client->common.input,
@@ -42,25 +42,24 @@
  
        /* CRLF is lost from buffer when streams are reopened. */
        imap_client->skip_line = FALSE;
-Index: dovecot/src/imap-login/imap-login-cmd-id.c
+Index: 2.3/src/imap-login/imap-login-cmd-id.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-cmd-id.c
-+++ dovecot/src/imap-login/imap-login-cmd-id.c
-@@ -237,7 +237,9 @@ int cmd_id(struct imap_client *client)
+--- 2.3.orig/src/imap-login/imap-login-cmd-id.c
++++ 2.3/src/imap-login/imap-login-cmd-id.c
+@@ -237,7 +237,8 @@ int cmd_id(struct imap_client *client)
                client->cmd_id = id = i_new(struct imap_client_cmd_id, 1);
                id->parser = imap_parser_create(client->common.input,
                                                client->common.output,
 -                                              IMAP_LOGIN_MAX_LINE_LENGTH);
 +                                              IMAP_LOGIN_MAX_LINE_LENGTH,
 +                                              NULL);
-+              id->log_reply = str_new(default_pool, 64);
                if (client->set->imap_literal_minus)
                        imap_parser_enable_literal_minus(id->parser);
                parser_flags = IMAP_PARSE_FLAG_STOP_AT_LIST;
-Index: dovecot/src/imap/cmd-append.c
+Index: 2.3/src/imap/cmd-append.c
 ===================================================================
---- dovecot.orig/src/imap/cmd-append.c
-+++ dovecot/src/imap/cmd-append.c
+--- 2.3.orig/src/imap/cmd-append.c
++++ 2.3/src/imap/cmd-append.c
 @@ -947,7 +947,8 @@ bool cmd_append(struct client_command_co
        o_stream_unset_flush_callback(client->output);
  
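Review bot: Once `id->log_reply = str_new(default_pool, 64);` is dropped from the cmd_id() section, nothing visible in this hunk allocates `id->log_reply`. The report calls the removed line a reinitialization, so an earlier allocation presumably exists in cmd_id(), but it lies outside the hunk; it should be confirmed that exactly one allocation remains, so the leak fix does not leave the string unallocated on first use. The patch header would also benefit from recording the deviation from upstream, e.g. `Debian: dropped duplicate id->log_reply allocation that leaked the first buffer (see #1135871)`. The context refresh in CVE-2026-27857-4.patch for the same function depends on this removal and should be kept in step with it.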
@@ -71,10 +70,10 @@
        if (client->set->imap_literal_minus)
                imap_parser_enable_literal_minus(ctx->save_parser);
  
-Index: dovecot/src/imap/cmd-setmetadata.c
+Index: 2.3/src/imap/cmd-setmetadata.c
 ===================================================================
---- dovecot.orig/src/imap/cmd-setmetadata.c
-+++ dovecot/src/imap/cmd-setmetadata.c
+--- 2.3.orig/src/imap/cmd-setmetadata.c
++++ 2.3/src/imap/cmd-setmetadata.c
 @@ -289,7 +289,8 @@ cmd_setmetadata_start(struct imap_setmet
           asynchronously the same way as APPEND does. */
        client->input_lock = cmd;
@@ -85,10 +84,10 @@
        if (client->set->imap_literal_minus)
                imap_parser_enable_literal_minus(ctx->parser);
        o_stream_unset_flush_callback(client->output);
-Index: dovecot/src/imap/imap-client.c
+Index: 2.3/src/imap/imap-client.c
 ===================================================================
---- dovecot.orig/src/imap/imap-client.c
-+++ dovecot/src/imap/imap-client.c
+--- 2.3.orig/src/imap/imap-client.c
++++ 2.3/src/imap/imap-client.c
 @@ -953,7 +953,8 @@ client_command_new(struct client *client
        } else {
                cmd->parser =
@@ -99,10 +98,10 @@
                if (client->set->imap_literal_minus)
                        imap_parser_enable_literal_minus(cmd->parser);
        }
-Index: dovecot/src/lib-imap-client/imapc-connection.c
+Index: 2.3/src/lib-imap-client/imapc-connection.c
 ===================================================================
---- dovecot.orig/src/lib-imap-client/imapc-connection.c
-+++ dovecot/src/lib-imap-client/imapc-connection.c
+--- 2.3.orig/src/lib-imap-client/imapc-connection.c
++++ 2.3/src/lib-imap-client/imapc-connection.c
 @@ -1822,7 +1822,8 @@ static void imapc_connection_connect_nex
        o_stream_set_flush_callback(conn->output, imapc_connection_connected,
                                    conn);
@@ -113,10 +112,10 @@
        conn->to = timeout_add(conn->client->set.connect_timeout_msecs,
                               imapc_connection_timeout, conn);
        conn->to_output = timeout_add(conn->client->set.max_idle_time*1000,
-Index: dovecot/src/lib-imap-storage/imap-msgpart.c
+Index: 2.3/src/lib-imap-storage/imap-msgpart.c
 ===================================================================
---- dovecot.orig/src/lib-imap-storage/imap-msgpart.c
-+++ dovecot/src/lib-imap-storage/imap-msgpart.c
+--- 2.3.orig/src/lib-imap-storage/imap-msgpart.c
++++ 2.3/src/lib-imap-storage/imap-msgpart.c
 @@ -148,7 +148,7 @@ imap_msgpart_get_header_fields(pool_t po
        int result = 0;
  
@@ -126,10 +125,10 @@
  
        if (imap_parser_finish_line(parser, 0, 0, &args) > 0 &&
            imap_arg_get_list_full(args, &hdr_list, &list_count) &&
-Index: dovecot/src/lib-imap/imap-bodystructure.c
+Index: 2.3/src/lib-imap/imap-bodystructure.c
 ===================================================================
---- dovecot.orig/src/lib-imap/imap-bodystructure.c
-+++ dovecot/src/lib-imap/imap-bodystructure.c
+--- 2.3.orig/src/lib-imap/imap-bodystructure.c
++++ 2.3/src/lib-imap/imap-bodystructure.c
 @@ -694,7 +694,7 @@ int imap_bodystructure_parse_full(const
        input = i_stream_create_from_data(bodystructure, strlen(bodystructure));
        (void)i_stream_read(input);
@@ -148,10 +147,10 @@
        ret = imap_parser_finish_line(parser, 0, IMAP_PARSE_FLAG_NO_UNESCAPE |
                                      IMAP_PARSE_FLAG_LITERAL_TYPE, &args);
        if (ret < 0) {
-Index: dovecot/src/lib-imap/imap-envelope.c
+Index: 2.3/src/lib-imap/imap-envelope.c
 ===================================================================
---- dovecot.orig/src/lib-imap/imap-envelope.c
-+++ dovecot/src/lib-imap/imap-envelope.c
+--- 2.3.orig/src/lib-imap/imap-envelope.c
++++ 2.3/src/lib-imap/imap-envelope.c
 @@ -222,7 +222,7 @@ bool imap_envelope_parse(const char *env
        input = i_stream_create_from_data(envelope, strlen(envelope));
        (void)i_stream_read(input);
@@ -161,10 +160,10 @@
        ret = imap_parser_finish_line(parser, 0,
                                      IMAP_PARSE_FLAG_LITERAL_TYPE, &args);
        if (ret < 0) {
-Index: dovecot/src/lib-imap/imap-parser.c
+Index: 2.3/src/lib-imap/imap-parser.c
 ===================================================================
---- dovecot.orig/src/lib-imap/imap-parser.c
-+++ dovecot/src/lib-imap/imap-parser.c
+--- 2.3.orig/src/lib-imap/imap-parser.c
++++ 2.3/src/lib-imap/imap-parser.c
 @@ -69,7 +69,8 @@ struct imap_parser {
  
  struct imap_parser *
@@ -175,10 +174,10 @@
  {
        struct imap_parser *parser;
  
-Index: dovecot/src/lib-imap/imap-parser.h
+Index: 2.3/src/lib-imap/imap-parser.h
 ===================================================================
---- dovecot.orig/src/lib-imap/imap-parser.h
-+++ dovecot/src/lib-imap/imap-parser.h
+--- 2.3.orig/src/lib-imap/imap-parser.h
++++ 2.3/src/lib-imap/imap-parser.h
 @@ -38,6 +38,9 @@ enum imap_parser_error {
        IMAP_PARSE_ERROR_LITERAL_TOO_BIG
  };
@@ -199,10 +198,10 @@
  void imap_parser_ref(struct imap_parser *parser);
  void imap_parser_unref(struct imap_parser **parser);
  
-Index: dovecot/src/lib-imap/test-imap-parser.c
+Index: 2.3/src/lib-imap/test-imap-parser.c
 ===================================================================
---- dovecot.orig/src/lib-imap/test-imap-parser.c
-+++ dovecot/src/lib-imap/test-imap-parser.c
+--- 2.3.orig/src/lib-imap/test-imap-parser.c
++++ 2.3/src/lib-imap/test-imap-parser.c
 @@ -16,7 +16,7 @@ static void test_imap_parser_crlf(void)
  
        test_begin("imap parser crlf handling");
@@ -239,10 +238,10 @@
                        ret = imap_parser_read_command_name(parser, &atom);
                        test_assert_idx(ret == tests[i].ret, i);
                        test_assert_idx(ret <= 0 || strcmp(tests[i].tag, atom) 
== 0, i);
-Index: dovecot/src/plugins/virtual/virtual-config.c
+Index: 2.3/src/plugins/virtual/virtual-config.c
 ===================================================================
---- dovecot.orig/src/plugins/virtual/virtual-config.c
-+++ dovecot/src/plugins/virtual/virtual-config.c
+--- 2.3.orig/src/plugins/virtual/virtual-config.c
++++ 2.3/src/plugins/virtual/virtual-config.c
 @@ -54,7 +54,7 @@ virtual_search_args_parse(const string_t
        input = i_stream_create_from_data(str_data(rule), str_len(rule));
        (void)i_stream_read(input);
@@ -252,10 +251,10 @@
        ret = imap_parser_finish_line(imap_parser, 0,  0, &args);
        if (ret < 0) {
                sargs = NULL;
-Index: dovecot/src/lib-imap/imap-id.c
+Index: 2.3/src/lib-imap/imap-id.c
 ===================================================================
---- dovecot.orig/src/lib-imap/imap-id.c
-+++ dovecot/src/lib-imap/imap-id.c
+--- 2.3.orig/src/lib-imap/imap-id.c
++++ 2.3/src/lib-imap/imap-id.c
 @@ -111,7 +111,7 @@ const char *imap_id_reply_generate(const
        input = i_stream_create_from_data(settings, strlen(settings));
        (void)i_stream_read(input);
@@ -265,10 +264,10 @@
        if (imap_parser_finish_line(parser, 0, 0, &args) <= 0)
                ret = "NIL";
        else
-Index: dovecot/src/director/director-test.c
+Index: 2.3/src/director/director-test.c
 ===================================================================
---- dovecot.orig/src/director/director-test.c
-+++ dovecot/src/director/director-test.c
+--- 2.3.orig/src/director/director-test.c
++++ 2.3/src/director/director-test.c
 @@ -250,7 +250,7 @@ static void imap_client_create(int fd)
        o_stream_set_no_error_handling(client->output, TRUE);
        client->io = io_add(fd, IO_READ, imap_client_input, client);
diff -Nru dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-4.patch 
dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-4.patch
--- dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-4.patch        
2026-04-23 09:40:11.000000000 -0400
+++ dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-4.patch        
2026-05-06 07:50:20.000000000 -0400
@@ -11,10 +11,10 @@
  src/imap-login/imap-login-cmd-id.c |  6 +++++-
  3 files changed, 17 insertions(+), 3 deletions(-)
 
-Index: dovecot/src/imap-login/imap-login-client.c
+Index: 2.3/src/imap-login/imap-login-client.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-client.c
-+++ dovecot/src/imap-login/imap-login-client.c
+--- 2.3.orig/src/imap-login/imap-login-client.c
++++ 2.3/src/imap-login/imap-login-client.c
 @@ -375,11 +375,14 @@ static void imap_client_create(struct cl
  {
        struct imap_client *imap_client = (struct imap_client *)client;
@@ -47,10 +47,10 @@
  
        /* CRLF is lost from buffer when streams are reopened. */
        imap_client->skip_line = FALSE;
-Index: dovecot/src/imap-login/imap-login-client.h
+Index: 2.3/src/imap-login/imap-login-client.h
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-client.h
-+++ dovecot/src/imap-login/imap-login-client.h
+--- 2.3.orig/src/imap-login/imap-login-client.h
++++ 2.3/src/imap-login/imap-login-client.h
 @@ -11,6 +11,10 @@
  /* maximum length for IMAP command line. */
  #define IMAP_LOGIN_MAX_LINE_LENGTH 8192
@@ -62,10 +62,10 @@
  enum imap_client_id_state {
        IMAP_CLIENT_ID_STATE_LIST = 0,
        IMAP_CLIENT_ID_STATE_KEY,
-Index: dovecot/src/imap-login/imap-login-cmd-id.c
+Index: 2.3/src/imap-login/imap-login-cmd-id.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-cmd-id.c
-+++ dovecot/src/imap-login/imap-login-cmd-id.c
+--- 2.3.orig/src/imap-login/imap-login-cmd-id.c
++++ 2.3/src/imap-login/imap-login-cmd-id.c
 @@ -235,10 +235,14 @@ int cmd_id(struct imap_client *client)
  
        if (client->cmd_id == NULL) {
@@ -79,6 +79,6 @@
                                                IMAP_LOGIN_MAX_LINE_LENGTH,
 -                                              NULL);
 +                                              &params);
-               id->log_reply = str_new(default_pool, 64);
                if (client->set->imap_literal_minus)
                        imap_parser_enable_literal_minus(id->parser);
+               parser_flags = IMAP_PARSE_FLAG_STOP_AT_LIST;
diff -Nru dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-5.patch 
dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-5.patch
--- dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-5.patch        
2026-04-23 09:40:11.000000000 -0400
+++ dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-27857-5.patch        
2026-05-06 08:02:06.000000000 -0400
@@ -9,10 +9,10 @@
  src/lib-imap/test-imap-parser.c    | 2 +-
  3 files changed, 4 insertions(+), 4 deletions(-)
 
-Index: dovecot/src/imap-login/imap-login-client.c
+Index: 2.3/src/imap-login/imap-login-client.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-client.c
-+++ dovecot/src/imap-login/imap-login-client.c
+--- 2.3.orig/src/imap-login/imap-login-client.c
++++ 2.3/src/imap-login/imap-login-client.c
 @@ -375,7 +375,7 @@ static void imap_client_create(struct cl
  {
        struct imap_client *imap_client = (struct imap_client *)client;
@@ -31,10 +31,10 @@
                .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
        };
        imap_parser_unref(&imap_client->parser);
-Index: dovecot/src/imap-login/imap-login-cmd-id.c
+Index: 2.3/src/imap-login/imap-login-cmd-id.c
 ===================================================================
---- dovecot.orig/src/imap-login/imap-login-cmd-id.c
-+++ dovecot/src/imap-login/imap-login-cmd-id.c
+--- 2.3.orig/src/imap-login/imap-login-cmd-id.c
++++ 2.3/src/imap-login/imap-login-cmd-id.c
 @@ -236,7 +236,7 @@ int cmd_id(struct imap_client *client)
        if (client->cmd_id == NULL) {
                client->cmd_id = id = i_new(struct imap_client_cmd_id, 1);
@@ -44,10 +44,10 @@
                        .list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
                };
                id->parser = imap_parser_create(client->common.input,
-Index: dovecot/src/lib-imap/test-imap-parser.c
+Index: 2.3/src/lib-imap/test-imap-parser.c
 ===================================================================
---- dovecot.orig/src/lib-imap/test-imap-parser.c
-+++ dovecot/src/lib-imap/test-imap-parser.c
+--- 2.3.orig/src/lib-imap/test-imap-parser.c
++++ 2.3/src/lib-imap/test-imap-parser.c
 @@ -95,7 +95,7 @@ static void test_imap_parser_list_limit(
        const struct imap_arg *args;
  
