Control: severity -1 serious

I think this warrants RC severity, so it gets fixed before buster is released.

Thanks for the detailed report and the analysis!

Ondrej
--
Ondřej Surý
ond...@sury.org



> On 17 Apr 2019, at 11:27, Kim-Alexander Brodowski <kim.brodow...@iserv.eu> 
> wrote:
> 
> Good morning,
> 
> I've figured out what the issue is. Sadly the Cyrus 3 upgrade guide is quite 
> lacking. The segfault mentioned before is caused by outdated sieve script 
> bytecode. You need to manually recompile all sieve scripts using:
> 
> su cyrus -c '/usr/lib/cyrus/upgrade/masssievec /usr/lib/cyrus/bin/sievec'
> 
> Furthermore sieve script paths have changed. Again this doesn't appear to be 
> mentioned in the upgrade guides. I was aware of this change before filing 
> this bug, but didn't bring it up here, since it seemed irrelevant. It is not, 
> since my migration is what actually caused the issue. This should be fixed 
> using Debian maintainer scripts as well since the current state will cause 
> data loss and unexpected behaviour, because existing sieve scripts will be 
> inaccessible to (non-root) users and no longer do their job. You can migrate 
> the paths using:
> 
> find /var/spool/sieve/ -type d -regextype sed -regex '.*/[^/]\+^[^/]\+' -print | awk '{system("mv " $0 " " gensub("\\^", ".", "g", $1))}'
> 
> (This is a bit of a hack that only takes our setups into account. Might need 
> changes for the broader Debian ecosystem.)
> 
> Don't forget to recompile the scripts with the command above afterwards.
> 
> This leaves me with 2 more issues: Vacation still doesn't appear to work 
> correctly. I'd kindly ask someone to help me look into that. We also appear 
> to have issues with squatter, but I'm not quite ready yet to make statements 
> about that publicly.
> 
> P.S. I don't usually do lower level programming, but from my understanding 
> there is at least a chance that the segfault might cause security issues that 
> could potentially be exploited, since sieve scripts are indirectly created by 
> unprivileged users. I leave that assessment to somebody else.
> 
> -- 
> Kind regards,
> Kim-Alexander Brodowski
> 
> IServ GmbH
> Bültenweg 73
> 38106 Braunschweig
> 
> Phone:     +49 531 22 43 666-0
> Mobile:    +49 152 55 17 55 16
> Fax:       +49 531 22 43 666-9
> Email:     kim.brodow...@iserv.eu
> Internet:  https://iserv.eu
> 
> VAT ID DE265149425 | Braunschweig District Court | HRB 201822
> Managing directors: Benjamin Heindl, Martin Hüppe, Jörg Ludwig
> 
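
The path migration from the quoted message, as an added example that is not part of the original e-mail or of the Debian packaging: it passes each directory name to `mv --` as a quoted argument instead of building a shell command string through awk's `system()`, so names containing spaces or shell metacharacters are treated literally, and it refuses to overwrite an existing target. The function name `migrate_sieve_dirs` and the `DRY_RUN` variable are assumptions made for this example; GNU find (as shipped in Debian) is assumed.

```shell
#!/bin/sh
# Added example: rename sieve directories "<x>^<y>" to "<x>.<y>".
# Usage: migrate_sieve_dirs /var/spool/sieve     (root dir as on the page)
#        DRY_RUN=1 prints the planned renames without changing anything.
# Returns non-zero if any rename was skipped or failed.

migrate_sieve_dirs() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -depth lists children before their parents, so renaming a parent
    # never invalidates a path that is still waiting to be processed.
    # '?*^?*' mirrors the page's regex: at least one character on each
    # side of '^' in the final path component.
    DRY_RUN=${DRY_RUN:-0} find "$root" -mindepth 1 -depth -type d \
        -name '?*^?*' -exec sh -c '
            rc=0
            for src do
                dir=${src%/*}
                base=${src##*/}
                new=$(printf "%s" "$base" | tr "^" ".")
                dst=$dir/$new
                # Never merge into or overwrite an existing entry.
                if [ -e "$dst" ] || [ -L "$dst" ]; then
                    echo "skip (target exists): $src" >&2
                    rc=1
                    continue
                fi
                if [ "$DRY_RUN" = 1 ]; then
                    printf "would rename: %s -> %s\n" "$src" "$dst"
                else
                    mv -- "$src" "$dst" || rc=1
                fi
            done
            exit $rc
        ' sh {} +
}
```

As the message says, the scripts still have to be recompiled with the `masssievec` command afterwards.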
