user/dovecot: security bump to 2.3.13

- Fix CVE-2020-25275 and CVE-2020-24386 - apop.patch is no longer needed - Added patch to handle hardcoded message differing with musl

user/dovecot: security bump to 2.3.13
d8d3b259 · Lee Starnes · 3465fcf8 · d8d3b259 · 3465fcf8 · d8d3b259
Commit d8d3b259 authored 4 years ago by Lee Starnes
--- a/user/dovecot/APKBUILD
+++ b/user/dovecot/APKBUILD
@@ -5,10 +5,10 @@
 # Contributor: Natanael Copa <ncopa@alpinelinux.org>
 # Maintainer: Lee Starnes <lee@canned-death.us>
 pkgname=dovecot
-pkgver=2.3.11.3
+pkgver=2.3.13
 _pkgvermajor=2.3
 pkgrel=0
-_pigeonholever=0.5.11
+_pigeonholever=0.5.13
 _pigeonholevermajor=${_pigeonholever%.*}
 pkgdesc="IMAP and POP3 server"
 url="https://www.dovecot.org/"
@@ -35,14 +35,17 @@ source="https://www.dovecot.org/releases/$_pkgvermajor/dovecot-$pkgver.tar.gz
 	split-protocols.patch
 	default-config.patch
 	ssl-paths.patch
+	test-file-cache-enomem.patch
 	time64.patch
-	apop.patch
 	dovecot.logrotate
 	dovecot.initd
 	"
 _builddir_pigeonhole="$srcdir/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever"

 # secfixes:
+#   2.3.13-r0:
+#     - CVE-2020-24386
+#     - CVE-2020-25275
 #   2.3.11.3-r0:
 #     - CVE-2020-12100
 #     - CVE-2020-12673
@@ -255,13 +258,13 @@ _submv() {
 	done
 }

-sha512sums="d83e52a7faab918a8e6f6257acc5936b81733c10489affd042c3a043cb842db060286cba9978be378e4958e9ac2e60b55ce289d7f3a88df08e7637e4785e23bb  dovecot-2.3.11.3.tar.gz
-793d93edc50192c52654e2f7244d3e01aaa4e69f786e3ecfcd658a4ab26a5099cc5319cb93221150db4ce94bc4515ffb38115b1d0eeb6e052b956efec680b33d  dovecot-2.3-pigeonhole-0.5.11.tar.gz
+sha512sums="758a169fba8925637ed18fa7522a6f06c9fe01a1707b1ca0d0a4d8757c578a8e117c91733e8314403839f9a484bbcac71ce3532c82379eb583b480756d556a95  dovecot-2.3.13.tar.gz
+fcbc13d71af4e6dd4e34192484e203d755e5015da76a4774b11a79182b2baad36cab5a471346093111ace36a7775dfe8294555f8b777786dde386820b3ec5cd3  dovecot-2.3-pigeonhole-0.5.13.tar.gz
 fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a  skip-iconv-check.patch
 794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5  split-protocols.patch
 0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07  default-config.patch
 5e68a0042a7c11b3d8c411fc157f5960e2e3305dac11f4b6b880441e2b4105769ddf6c56f67a995af6e1a58f3bfa2c199ea51318a3a0e37c7ef0ae6c4109b13f  ssl-paths.patch
+277d0b55583908cd6c063fb190eb3d2a362a3a33306e35a069a0bca28968f11627c455887d82d01884313b7f7e18530c056bd7a4cda0a1f9c4be7065cd033aa9  test-file-cache-enomem.patch
 ee2e1916c712db77409567b4ded9c7fb7dfed295e044c19694bc369af3d4a7086caf14e97809531f76b630bc578271af6e5137985b7d4e8d2afb2a71f800912f  time64.patch
-7831276d17386b204ca3aed7fdd9439f00230aa345b367567133d568c07a92bec80ca7512c20b80f692f7f6809cf4a27398c9915aae763e0c9f641650540a73b  apop.patch
 9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0  dovecot.logrotate
 d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70  dovecot.initd"
--- a/user/dovecot/apop.patch
+++ b/user/dovecot/apop.patch
-From d1c5d356f36aaf9c32708cc6960fcaebe1cf6e63 Mon Sep 17 00:00:00 2001
-From: Paul Howarth <paul@city-fan.org>
-Date: Sun, 16 Aug 2020 20:32:03 +0100
-Subject: [PATCH] Fix APOP test failure on 32-bit systems
-
-The challenge timestamp is read as a hex number in mech_apop_auth_initial()
-so it should be written as hex, not decimal.
-
-Also fix compiler warnings for 32-bit architectures.
---
- src/auth/test-mech.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c
-index cf05370035..db9f85ccfc 100644
--- a/src/auth/test-mech.c
-+++ b/src/auth/test-mech.c
-@@ -192,11 +192,11 @@ static void test_mech_handle_challenge(struct auth_request *request,
- }
- 
- static inline const unsigned char *
-test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_r)
-+test_mech_construct_apop_challenge(unsigned int connect_uid, size_t *len_r)
- {
- 	string_t *apop_challenge = t_str_new(128);
- 
-	str_printfa(apop_challenge,"<%lx.%u.%"PRIdTIME_T"", (unsigned long) getpid(),
-+	str_printfa(apop_challenge,"<%lx.%u.%"PRIxTIME_T"", (unsigned long) getpid(),
- 		    connect_uid, process_start_time+10);
- 	str_append_data(apop_challenge, "\0testuser\0responseoflen16-", 26);
- 	*len_r = apop_challenge->used;
-@@ -323,7 +323,7 @@ static void test_mechs(void)
- 		struct test_case *test_case = &tests[running_test];
- 		const struct mech_module *mech = test_case->mech;
- 		struct auth_request *request;
-		const char *testname = t_strdup_printf("auth mech %s %d/%lu",
-+		const char *testname = t_strdup_printf("auth mech %s %d/%zu",
- 						       mech->mech_name,
- 						       running_test+1,
- 						       N_ELEMENTS(tests));
--- a/user/dovecot/test-file-cache-enomem.patch
+++ b/user/dovecot/test-file-cache-enomem.patch
+--- a/src/lib/test-file-cache.c	2021-01-05 14:10:50.160000000 +0000
+++ b/src/lib/test-file-cache.c	2021-01-05 14:10:50.160000000 +0000
+@@ -263,7 +263,7 @@
+ 	};
+ 	const char *errstr =
+ 		t_strdup_printf("mmap_anon(.test_file_cache, %zu) failed: "
+-				"Cannot allocate memory", page_size);
+               "Out of memory", page_size);
+ 	test_assert(setrlimit(RLIMIT_AS, &rl_new) == 0);
+ 	test_expect_error_string(errstr);
+ 	test_assert(file_cache_set_size(cache, 1024) == -1);
+@@ -271,7 +271,7 @@
+ 
+ 	/* same for mremap */
+ 	errstr = t_strdup_printf("mremap_anon(.test_file_cache, %zu) failed: "
+-				 "Cannot allocate memory", page_size*2);
+                "Out of memory", page_size*2);
+ 	test_assert(file_cache_set_size(cache, 1) == 0);
+ 	test_assert(setrlimit(RLIMIT_AS, &rl_new) == 0);
+ 	test_expect_error_string(errstr);