[arch-commits] Commit in dovecot/trunk (CVE-2015-3420.patch PKGBUILD)

Andreas Radke andyrtr at archlinux.org
Tue Apr 28 19:13:10 UTC 2015


    Date: Tuesday, April 28, 2015 @ 21:13:10
  Author: andyrtr
Revision: 238228

upgpkg: dovecot 2.2.16-2

FS#44757

Added:
  dovecot/trunk/CVE-2015-3420.patch
Modified:
  dovecot/trunk/PKGBUILD

---------------------+
 CVE-2015-3420.patch |   58 ++++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD            |    9 ++++++-
 2 files changed, 65 insertions(+), 2 deletions(-)

Added: CVE-2015-3420.patch
===================================================================
--- CVE-2015-3420.patch	                        (rev 0)
+++ CVE-2015-3420.patch	2015-04-28 19:13:10 UTC (rev 238228)
@@ -0,0 +1,58 @@
+
+diff -r a2d342257b25 -r 86f535375750 src/login-common/ssl-proxy-openssl.c
+--- a/src/login-common/ssl-proxy-openssl.c	Sat Apr 25 12:16:07 2015 +0300
++++ b/src/login-common/ssl-proxy-openssl.c	Tue Apr 28 11:27:04 2015 +0200
+@@ -80,6 +80,7 @@
+ 	unsigned int cert_broken:1;
+ 	unsigned int client_proxy:1;
+ 	unsigned int flushing:1;
++	unsigned int failed:1;
+ };
+ 
+ struct ssl_parameters {
+@@ -131,6 +132,12 @@
+ static int ssl_proxy_ctx_get_pkey_ec_curve_name(const struct master_service_ssl_settings *set);
+ #endif
+ 
++static void ssl_proxy_destroy_failed(struct ssl_proxy *proxy)
++{
++	proxy->failed = TRUE;
++	ssl_proxy_destroy(proxy);
++}
++
+ static unsigned int ssl_server_context_hash(const struct ssl_server_context *ctx)
+ {
+ 	unsigned int i, g, h = 0;
+@@ -462,7 +469,7 @@
+ 
+ 	if (errstr != NULL) {
+ 		proxy->last_error = i_strdup(errstr);
+-		ssl_proxy_destroy(proxy);
++		ssl_proxy_destroy_failed(proxy);
+ 	}
+ 	ssl_proxy_unref(proxy);
+ }
+@@ -492,7 +499,7 @@
+ 
+ 	if (proxy->handshake_callback != NULL) {
+ 		if (proxy->handshake_callback(proxy->handshake_context) < 0)
+-			ssl_proxy_destroy(proxy);
++			ssl_proxy_destroy_failed(proxy);
+ 	}
+ }
+ 
+@@ -822,7 +829,8 @@
+ 	if (proxy->destroyed || proxy->flushing)
+ 		return;
+ 	proxy->flushing = TRUE;
+-	ssl_proxy_flush(proxy);
++	if (!proxy->failed && proxy->handshaked)
++		ssl_proxy_flush(proxy);
+ 	proxy->destroyed = TRUE;
+ 
+ 	ssl_proxy_count--;
+
+
+
+
+
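Review bot: The new guard in ssl_proxy_destroy(), `if (!proxy->failed && proxy->handshaked)`, has no comment saying why the flush must be skipped, and `failed` is only ever set through ssl_proxy_destroy_failed(). Any other error path that still calls ssl_proxy_destroy() directly after a completed handshake would reach ssl_proxy_flush() as before. Those call sites are outside the embedded hunks, so they are worth checking against the full file. I would add a comment above the condition such as `/* only flush a connection that finished its handshake and has not hit a fatal SSL error */`, and a one-line comment on the `failed:1` bit saying it is set only by ssl_proxy_destroy_failed(). The bodies of the three modified functions begin and end outside the hunks shown.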

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2015-04-28 15:25:17 UTC (rev 238227)
+++ PKGBUILD	2015-04-28 19:13:10 UTC (rev 238228)
@@ -9,7 +9,7 @@
 
 pkgname=dovecot
 pkgver=2.2.16
-pkgrel=1
+pkgrel=2
 pkgdesc="An IMAP and POP3 server written with security primarily in mind"
 arch=('i686' 'x86_64')
 url="http://dovecot.org/"
@@ -23,15 +23,20 @@
 provides=('imap-server' 'pop3-server')
 install=$pkgname.install
 source=(http://dovecot.org/releases/2.2/${pkgname}-${pkgver}.tar.gz{,.sig}
+        CVE-2015-3420.patch
         dovecot.tmpfilesd)
 md5sums=('8dba21e817b4239e462d98a925233418'
          'SKIP'
+         '730366bb5895a3092f1b6511e254709a'
          '342a28251d40f983c98c0d1f1bf3d07d')
 validpgpkeys=('E643F0BDFDCD04D9FFCB6279C948525140558AC9') # Timo Sirainen <tss at iki.fi>
 
 prepare() {
   cd $pkgname-$pkgver
-
+  
+  # https://bugs.archlinux.org/task/44757
+  patch -Np1 -i ${srcdir}/CVE-2015-3420.patch
+  
   # fix path in helper script
   sed -i 's:OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}:OPENSSLCONFIG=${OPENSSLCONFIG- /etc/ssl/dovecot-openssl.cnf}:' doc/mkcert.sh
 }
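Review bot: The checksum added for CVE-2015-3420.patch is an MD5 entry, which only detects accidental corruption. This file carries a security fix and has no signature, unlike the tarball covered by `validpgpkeys`. Converting the array to `sha256sums=(...)` would give it a meaningful integrity check; that means regenerating every entry, not only the new one. In prepare(), `${srcdir}` is unquoted, so a build path containing whitespace would split the argument; `patch -Np1 -i "${srcdir}/CVE-2015-3420.patch"` avoids that. The comment above the patch call could also name the upstream changeset shown in the patch's own `diff -r` line, so the origin of the fix is recorded next to the bug link.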


