Accepting request 586348 from server:mail

Security update

OBS-URL: https://build.opensuse.org/request/show/586348
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dovecot23?expand=0&rev=4

23da0fa1b30cc11bcc1d467674a0950c527e9ff1.patch

@@ -0,0 +1,28 @@
+From 23da0fa1b30cc11bcc1d467674a0950c527e9ff1 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@dovecot.fi>
+Date: Sat, 6 Jan 2018 21:22:11 +0200
+Subject: [PATCH] ostream-zlib: Ignore missing finish if parent stream is
+ ignoring errors
+
+This fixes panic with imap_zlib plugin when client enables the IMAP COMPRESS
+extension and disconnects:
+
+Panic: file ostream-zlib.c: line 36 (o_stream_zlib_close): assertion failed: (zstream->ostream.finished || zstream->ostream.ostream.stream_errno != 0)
+---
+ src/lib-compression/ostream-zlib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib-compression/ostream-zlib.c b/src/lib-compression/ostream-zlib.c
+index 848ecb7b89..e0b9a91416 100644
+--- a/src/lib-compression/ostream-zlib.c
++++ b/src/lib-compression/ostream-zlib.c
+@@ -33,7 +33,8 @@ static void o_stream_zlib_close(struct iostream_private *stream,
+ 	struct zlib_ostream *zstream = (struct zlib_ostream *)stream;
+ 
+ 	i_assert(zstream->ostream.finished ||
+-		 zstream->ostream.ostream.stream_errno != 0);
++		 zstream->ostream.ostream.stream_errno != 0 ||
++		 zstream->ostream.error_handling_disabled);
+ 	(void)deflateEnd(&zstream->zs);
+ 	if (close_parent)
+ 		o_stream_close(zstream->ostream.parent);

dovecot23.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue Mar 13 10:40:48 UTC 2018 - dimstar@opensuse.org
+
+- Fix License tag.
+
+-------------------------------------------------------------------
+Wed Mar  7 12:25:51 UTC 2018 - mrueckert@suse.de
+
+- added 23da0fa1b30cc11bcc1d467674a0950c527e9ff1.patch
+
+-------------------------------------------------------------------
+Wed Mar  7 12:10:44 UTC 2018 - mrueckert@suse.de
+
+- update license to SPDX-3
+
 -------------------------------------------------------------------
 Tue Mar  6 19:28:49 UTC 2018 - mrueckert@suse.de
 
@@ -21,15 +36,16 @@ Tue Mar  6 13:48:50 UTC 2018 - mrueckert@suse.de
     memory usage, causing imap-login/pop3-login VSZ limit to be
     reached and the process restarted. This happens only if Dovecot
     config has local_name { } or local { } configuration blocks and
-    attacker uses randomly generated SNI servernames.
+    attacker uses randomly generated SNI servernames. (boo#1082828)
   * CVE-2017-14461: Parsing invalid email addresses may cause a
     crash or leak memory contents to attacker. For example, these
     memory contents might contain parts of an email from another
     user if the same imap process is reused for multiple users.
     First discovered by Aleksandar Nikolic of Cisco Talos.
     Independently also discovered by "flxflndy" via HackerOne.
+    (boo#1082826)
   * CVE-2017-15132: Aborted SASL authentication leaks memory in
-    login process.
+    login process. (boo#1075608)
   * Linux: Core dumping is no longer enabled by default via
     PR_SET_DUMPABLE, because this may allow attackers to bypass
     chroot/group restrictions. Found by cPanel Security Team.

dovecot23.spec

@@ -134,8 +134,9 @@ Source9:        dovecot-2.3-pigeonhole.configfiles
 Patch:          dovecot-2.3.0-dont_use_etc_ssl_certs.patch
 Patch1:         dovecot-2.3.0-better_ssl_defaults.patch
 Patch2:         dovecot-2.3.0.1-over-quota-lmtp-crash.patch
+Patch3:         23da0fa1b30cc11bcc1d467674a0950c527e9ff1.patch
 Summary:        IMAP and POP3 Server Written Primarily with Security in Mind
-License:        BSD-3-Clause and LGPL-2.1+ and MIT
+License:        BSD-3-Clause AND LGPL-2.1-or-later AND MIT
 Group:          Productivity/Networking/Email/Servers
 
 %description
@@ -314,6 +315,7 @@ dovecot tree.
 %patch -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 gzip -9v ChangeLog
 # Fix plugins dir.
 sed -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf