summaryrefslogtreecommitdiffstats
path: root/meta-networking
diff options
context:
space:
mode:
authorGyorgy Sarvari <skandigraun@gmail.com>2025-10-05 13:55:59 +0200
committerGyorgy Sarvari <skandigraun@gmail.com>2025-10-12 13:08:38 +0200
commitbf9fc50ccc870f8caaa87c166535a2922175dd0d (patch)
treeeb82a28314dc9c1e8647b648afc3771a31c309a4 /meta-networking
parent91a9a3d61f4ea3f0be960b069f84ef3462696379 (diff)
downloadmeta-openembedded-bf9fc50ccc870f8caaa87c166535a2922175dd0d.tar.gz
dovecot: patch CVE-2021-33515
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33515 Backport the relevant patch. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0001-lib-smtp-smtp-server-connection-Fix-STARTTLS-command.patch76
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb1
2 files changed, 77 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-lib-smtp-smtp-server-connection-Fix-STARTTLS-command.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-smtp-smtp-server-connection-Fix-STARTTLS-command.patch
new file mode 100644
index 0000000000..3c2835c706
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-smtp-smtp-server-connection-Fix-STARTTLS-command.patch
@@ -0,0 +1,76 @@
1From 29a76d549b1d5eaa8a98831ee2968b36791e7806 Mon Sep 17 00:00:00 2001
2From: Stephan Bosch <stephan.bosch@open-xchange.com>
3Date: Sat, 22 May 2021 00:16:38 +0200
4Subject: [PATCH] lib-smtp: smtp-server-connection - Fix STARTTLS command
5 injection vulnerability.
6
7The input handler kept reading more commands even though the input was locked by
8the STARTTLS command, thereby causing it to read the command pipelined beyond
9STARTTLS. This causes a STARTTLS command injection vulerability.
10
11CVE: CVE-2021-33515
12
13Upstream-Status: Backport [https://github.com/dovecot/core/commit/321c339756f9b2b98fb7326359d1333adebb5295]
14
15Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
16---
17 src/lib-smtp/smtp-server-cmd-starttls.c | 14 ++++++++++++++
18 src/lib-smtp/smtp-server-connection.c | 6 +++++-
19 2 files changed, 19 insertions(+), 1 deletion(-)
20
21diff --git a/src/lib-smtp/smtp-server-cmd-starttls.c b/src/lib-smtp/smtp-server-cmd-starttls.c
22index ed1687e..de53b39 100644
23--- a/src/lib-smtp/smtp-server-cmd-starttls.c
24+++ b/src/lib-smtp/smtp-server-cmd-starttls.c
25@@ -37,6 +37,13 @@ static int cmd_starttls_start(struct smtp_server_connection *conn)
26 return -1;
27 }
28
29+ /* The command queue must be empty at this point. If anything were to be
30+ queued somehow, this connection is vulnerable to STARTTLS command
31+ insertion.
32+ */
33+ i_assert(conn->command_queue_count == 0 &&
34+ conn->command_queue_head == NULL);
35+
36 /* RFC 3207, Section 4.2:
37
38 Upon completion of the TLS handshake, the SMTP protocol is reset to
39@@ -107,6 +114,13 @@ cmd_starttls_next(struct smtp_server_cmd_ctx *cmd, void *context ATTR_UNUSED)
40 const struct smtp_server_callbacks *callbacks = conn->callbacks;
41 int ret;
42
43+ /* The command queue can only contain the STARTTLS command at this
44+ point. If anything beyond the STARTTLS were queued somehow, this
45+ connection is vulnerable to STARTTLS command insertion.
46+ */
47+ i_assert(conn->command_queue_count == 1 &&
48+ conn->command_queue_tail == command);
49+
50 smtp_server_connection_set_state(conn, SMTP_SERVER_STATE_STARTTLS,
51 NULL);
52
53diff --git a/src/lib-smtp/smtp-server-connection.c b/src/lib-smtp/smtp-server-connection.c
54index e4e9ee7..3d34378 100644
55--- a/src/lib-smtp/smtp-server-connection.c
56+++ b/src/lib-smtp/smtp-server-connection.c
57@@ -440,7 +440,7 @@ smtp_server_connection_handle_input(struct smtp_server_connection *conn)
58
59 /* Parse commands */
60 ret = 1;
61- while (!conn->closing && ret != 0) {
62+ while (!conn->closing && !conn->input_locked && ret != 0) {
63 while ((ret = smtp_command_parse_next(
64 conn->smtp_parser, &cmd_name, &cmd_params,
65 &error_code, &error)) > 0) {
66@@ -464,6 +464,10 @@ smtp_server_connection_handle_input(struct smtp_server_connection *conn)
67
68 if (conn->disconnected)
69 return;
70+ /* Last command locked the input; stop trying to read
71+ more. */
72+ if (conn->input_locked)
73+ break;
74 /* Client indicated it will close after this command;
75 stop trying to read more. */
76 if (conn->closing)
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb b/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
index 4c55c0e081..b9473d0345 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://dovecot.org/releases/2.3/dovecot-${PV}.tar.gz \
12 file://0001-not-check-pandoc.patch \ 12 file://0001-not-check-pandoc.patch \
13 file://0001-m4-Check-for-libunwind-instead-of-libunwind-generic.patch \ 13 file://0001-m4-Check-for-libunwind-instead-of-libunwind-generic.patch \
14 file://0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch \ 14 file://0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch \
15 file://0001-lib-smtp-smtp-server-connection-Fix-STARTTLS-command.patch \
15 " 16 "
16 17
17SRC_URI[md5sum] = "2f03532cec3280ae45a101a7a55ccef5" 18SRC_URI[md5sum] = "2f03532cec3280ae45a101a7a55ccef5"