November 2006 - Dovecot-news

1.0.rc15 released
by Timo Sirainen 19 Nov '06

19 Nov '06

http://dovecot.org/releases/dovecot-1.0.rc15.tar.gz http://dovecot.org/releases/dovecot-1.0.rc15.tar.gz.sig * Fixed an off-by-one buffer overflow in cache file handling. The code is executed only with mmap_disable=yes and only if index files are used (ie. INDEX=MEMORY is safe). * passdb checkpassword: Handle vpopmail's non-standard exit codes. - rc14 sometimes assert-crashed if .log.2 file existed in a mailbox (earlier versions leaked memory and file descriptors) - io_add() assert-crashfixes - Potential SSL hang fix at the beginning of the connection

1 0

Security hole #2: Off-by-one buffer overflow with mmap_disable=yes
by Timo Sirainen 19 Nov '06

19 Nov '06

Version: 1.0test53 .. 1.0.rc14 (ie. all 1.0alpha, 1.0beta and 1.0rc versions so far). 0.99.x versions are safe (they don't even have mmap_disable setting). Problem: When mmap_disable=yes setting is used, dovecot.index.cache file is read to memory using "file cache" code. It contains a "mapped pages" bitmask buffer. In some conditions when updating the buffer it allocates one byte too little. Exploitability: I think it's going to be pretty difficult to cause anything else than a crash, but I wouldn't say impossible. Only logged in IMAP/POP3 users can exploit this. In theory you might be able to exploit this for other users as well by sending them a lot of specially crafted emails, but this requires knowing what dovecot.index.cache file contains. Normally its contents can't be predicted, although perhaps with POP3 users it gets empty often enough that the exploit could be tried. Then again, the exploit requires having at least 4MB cache file, which won't happen with POP3 users before the mailbox has about 170k mails (if I counted right). With IMAP the cache file is used more, so it's easier to fill the 4MB with for example a lot of To-headers. Workaround: Use INDEX=MEMORY so the cache files aren't used at all. Fix: 1.0.rc15 fixes this. You can also use this patch: http://dovecot.org/patches/1.0/file-cache-buffer-overflow-fix.diff

1 0

1.0.rc14 released
by Timo Sirainen 12 Nov '06

12 Nov '06

http://dovecot.org/releases/dovecot-1.0.rc14.tar.gz http://dovecot.org/releases/dovecot-1.0.rc14.tar.gz.sig More fixes. "Duplicate header extension keywords" is the only known problem (or if I forgot something, remind me). I'll try to figure out a way to reproduce it easily and then get it fixed. * LDAP: Don't try to use ldap_bind() with empty passwords, since Windows 2003 AD skips password checking with them and just returns success. * verbose_ssl=yes: Don't bother logging "syscall failed: EOF" messages. No-one cares about them. + Dovecot sources should now compile without any warnings with gcc 3.2+ - rc13 crashed if client disconnected while IDLEing - LDAP: auth_bind=yes fixes - %variables: Fixed zero padding handling and documented it. %0.1n shouldn't enable it, and it really shouldn't stay for the next %variable. -sign also shouldn't stay for the next variable. - Don't leak opened .log.2 transaction logs. - Fixed a potential hang in IDLE command (probably really rare). - Fixed potential problems with client disconnecting while master was handling the login. - quota plugin didn't work in Mac OS X

1 0

1.0.rc13 released
by Timo Sirainen 08 Nov '06

08 Nov '06

http://dovecot.org/releases/dovecot-1.0.rc13.tar.gz http://dovecot.org/releases/dovecot-1.0.rc13.tar.gz.sig I'll just keep on making new releases now whenever something important is fixed. Hopefully there shouldn't be many left anymore. Most of the bugs fixed in this release were found by stress testing with my imaptest tool (http://dovecot.org/tools/imaptest.c) If you're interested in knowing how perfectly your Dovecot setup works (especially if you're using NFS), you could try the tool yourself also. I still see one crash with mmap_disable=yes, but it's pretty rare. Will see if I get it fixed before v1.0, but it's not that important. + deliver: If we're executing as a normal system user, get the HOME environment from passwd if it's not set. This makes it possible to run deliver from .forward. - Older compilers caused LDAP authentication to crash - Dying LDAP connections weren't handled exactly correctly in rc11, although it seemed to work usually - Fixed crashes and memory leaks with AUTHENTICATE command - Fixed crashes and leaks with IMAP/POP3 proxying - maildir: Changing a mailbox while another process was saving a message there at the same may have caused the changes to not be made into the maildir, which could have caused other problems later..

1 0

1.0.rc12 released
by Timo Sirainen 05 Nov '06

05 Nov '06

http://dovecot.org/releases/dovecot-1.0.rc12.tar.gz http://dovecot.org/releases/dovecot-1.0.rc12.tar.gz.sig Since rc11 has problems compiling with BSDs, here's a new release. Just two changes: - rc11 didn't compile with some compilers - default_mail_env fallbacking was broken with --exec-mail Here's also again the rc11 changes: * Renamed default_mail_env to mail_location. default_mail_env still works for backwards compatibility. * deliver: When sending rejects, don't include Content-Type in the rejected mail's headers. * LDAP changes: * If auth binds are used, bind back to the default dn before doing a search. Otherwise it could fail if a user gave an invalid password. * Initial binding at connect is now done asynchronously. * Use pass_attrs even with auth_bind=yes since it may contain useful non-password fields. + passdb checkpassword: Give TCPLOCALIP and TCPREMOTEIP and PROTO=TCP environments to the checkpassword binary so we're UCSPI (and vchkpw) compatible. - mbox handling was a bit broken in rc10 - Using Dovecot via inetd kept crashing dovecot master - deliver: Don't crash with -f "". Changed the default from envelope to be "MAILER-DAEMON". - INBOX wasn't shown with LSUB command if only prefixed namespaces were used. - passdb ldap: Reconnecting to LDAP server wasn't working with auth binds. - passdb sql: Non-plaintext authentication didn't work - MySQL passdb ignored all non-password checks, such as allow_nets - trash plugin was broken

1 0

1.0.rc11 released
by Timo Sirainen 04 Nov '06

04 Nov '06

http://dovecot.org/releases/dovecot-1.0.rc11.tar.gz http://dovecot.org/releases/dovecot-1.0.rc11.tar.gz.sig Hopefully the last RC release? As far as I know there are no major problems left now. If nothing big shows up, v1.0 should be out in a couple of weeks. * Renamed default_mail_env to mail_location. default_mail_env still works for backwards compatibility. * deliver: When sending rejects, don't include Content-Type in the rejected mail's headers. * LDAP changes: * If auth binds are used, bind back to the default dn before doing a search. Otherwise it could fail if a user gave an invalid password. * Initial binding at connect is now done asynchronously. * Use pass_attrs even with auth_bind=yes since it may contain useful non-password fields. + passdb checkpassword: Give TCPLOCALIP and TCPREMOTEIP and PROTO=TCP environments to the checkpassword binary so we're UCSPI (and vchkpw) compatible. - mbox handling was a bit broken in rc10 - Using Dovecot via inetd kept crashing dovecot master - deliver: Don't crash with -f "". Changed the default from envelope to be "MAILER-DAEMON". - INBOX wasn't shown with LSUB command if only prefixed namespaces were used. - passdb ldap: Reconnecting to LDAP server wasn't working with auth binds. - passdb sql: Non-plaintext authentication didn't work - MySQL passdb ignored all non-password checks, such as allow_nets - trash plugin was broken

1 0