commit:     c313f2e300d5c9306cc346201d69b8fd89229aca
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Mon Oct  6 07:22:19 2025 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Mon Oct  6 07:25:32 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c313f2e3

net-mail/dovecot: Backport fixes

Three fixes backported from the dovecot main tree:
 - ldap-sasl auth (commit 431e328)
 - anvil group change (commit beca41c)
 - crash on config reload (commit 9240e3a)

Closes: https://bugs.gentoo.org/962939
Signed-off-by: Eray Aslan <eras <AT> gentoo.org>

 net-mail/dovecot/dovecot-2.4.1-r5.ebuild           | 262 +++++++++++++++++++++
 .../dovecot/files/dovecot-2.4.1-anvil-group.patch  |  26 ++
 .../dovecot/files/dovecot-2.4.1-config-crash.patch |  44 ++++
 .../files/dovecot-2.4.1-fix-ldap-sasl.patch        |  65 +++++
 4 files changed, 397 insertions(+)

diff --git a/net-mail/dovecot/dovecot-2.4.1-r5.ebuild 
b/net-mail/dovecot/dovecot-2.4.1-r5.ebuild
new file mode 100644
index 000000000000..d23aa151971a
--- /dev/null
+++ b/net-mail/dovecot/dovecot-2.4.1-r5.ebuild
@@ -0,0 +1,262 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+LUA_COMPAT=( lua5-1 lua5-{3..4} )
+# do not add a ssl USE flag.  ssl is mandatory
+SSL_DEPS_SKIP=1
+inherit autotools eapi9-ver flag-o-matic lua-single ssl-cert systemd 
toolchain-funcs
+
+MY_P="${P/_/.}-4"
+MY_PV="${PV}-4"
+major_minor="$(ver_cut 1-2)"
+
+DESCRIPTION="An IMAP and POP3 server written with security primarily in mind"
+HOMEPAGE="https://www.dovecot.org/";
+SRC_URI="https://www.dovecot.org/releases/${major_minor}/${MY_P}.tar.gz \
+               -> ${P}.tar.gz
+       sieve? (
+       
https://pigeonhole.dovecot.org/releases/${major_minor}/${PN}-pigeonhole-${MY_PV}.tar.gz
 \
+               -> ${PN}-pigeonhole-${PV}.tar.gz
+       )
+       managesieve? (
+       
https://pigeonhole.dovecot.org/releases/${major_minor}/${PN}-pigeonhole-${MY_PV}.tar.gz
 \
+               -> ${PN}-pigeonhole-${PV}.tar.gz
+       ) "
+S="${WORKDIR}/${MY_P}"
+PIEGONHOLE_S="../dovecot-pigeonhole-${MY_PV}"
+LICENSE="LGPL-2.1 MIT"
+SLOT="0/${PV}"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+
+IUSE_DOVECOT_AUTH_DICT="cdb kerberos ldap lua mysql pam postgres sqlite"
+IUSE_DOVECOT_COMPRESS="lz4 zstd"
+IUSE_DOVECOT_FTS="solr stemmer textcat xapian"
+IUSE_DOVECOT_OTHER="argon2 managesieve selinux sieve static-libs suid systemd 
test unwind"
+
+IUSE="${IUSE_DOVECOT_AUTH_DICT} ${IUSE_DOVECOT_COMPRESS} ${IUSE_DOVECOT_FTS} 
${IUSE_DOVECOT_OTHER}"
+
+REQUIRED_USE="lua? ( ${LUA_REQUIRED_USE} )"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+       app-arch/bzip2
+       dev-libs/icu:=
+       dev-libs/openssl:0=
+       net-libs/libtirpc:=
+       net-libs/rpcsvc-proto
+       sys-libs/libcap
+       sys-libs/zlib:=
+       virtual/libiconv
+       argon2? ( dev-libs/libsodium:= )
+       cdb? ( dev-db/tinycdb )
+       kerberos? ( virtual/krb5 )
+       ldap? ( net-nds/openldap:= )
+       lua? ( ${LUA_DEPS} )
+       xapian? ( dev-libs/xapian:= )
+       lz4? ( app-arch/lz4 )
+       mysql? ( dev-db/mysql-connector-c:0= )
+       pam? ( sys-libs/pam:= )
+       postgres? ( dev-db/postgresql:* )
+       selinux? ( sec-policy/selinux-dovecot )
+       solr? ( net-misc/curl dev-libs/expat )
+       sqlite? ( dev-db/sqlite:* )
+       stemmer? ( dev-libs/snowball-stemmer:= )
+       suid? ( acct-group/mail )
+       systemd? ( sys-apps/systemd:= )
+       textcat? ( app-text/libexttextcat )
+       unwind? ( sys-libs/libunwind:= )
+       zstd? ( app-arch/zstd:= )
+       virtual/libcrypt:=
+       "
+
+RDEPEND="
+       ${DEPEND}
+       acct-group/dovecot
+       acct-group/dovenull
+       acct-user/dovecot
+       acct-user/dovenull
+       net-mail/mailbase[pam?]
+       "
+
+BDEPEND="virtual/pkgconfig
+       test? (
+               lua? (
+                       $(lua_gen_cond_dep '
+                               dev-lua/luajson[${LUA_USEDEP}]
+                       ')
+               )
+       )
+       "
+
+PATCHES=(
+       "${FILESDIR}/${PN}-autoconf-lua-version-v3.patch"
+       "${FILESDIR}/${PN}-2.4.1-gssapi-regression.patch"
+       "${FILESDIR}/${PN}-2.4.1-fix-hardened-crash.patch"
+       "${FILESDIR}/${PN}-2.4.1-fix-musl-build.patch"
+       "${FILESDIR}/${PN}-2.4.1-crash-on-arm.patch"
+       "${FILESDIR}/${PN}-2.4.1-trivial-auto-var-init-attrib.patch"
+       "${FILESDIR}/${PN}-2.4.1-fix-ldap-sasl.patch"
+       "${FILESDIR}/${PN}-2.4.1-anvil-group.patch"
+       "${FILESDIR}/${PN}-2.4.1-config-crash.patch"
+)
+
+pkg_setup() {
+       use lua && lua-single_pkg_setup
+       if use managesieve && ! use sieve; then
+               ewarn "managesieve USE flag selected but sieve USE flag 
unselected"
+               ewarn "sieve USE flag will be turned on"
+       fi
+}
+
+src_prepare() {
+       default
+       if use sieve || use managesieve; then
+               pushd "${PIEGONHOLE_S}" > /dev/null || die
+               eapply "${FILESDIR}/${PN}-2.4.1-fix-ldap-build.patch"
+               popd > /dev/null || die
+       fi
+
+       # rename default cert files
+       sed -i -e "s:ssl-cert.pem:server.pem:" \
+               -e "s:ssl-key.pem:server.key:" \
+               doc/dovecot.conf.in || die "sed failed"
+
+       # bug 657108, 782631
+       #elibtoolize
+       eautoreconf
+
+       # Bug #727244
+       append-cflags -fasynchronous-unwind-tables
+}
+
+src_configure() {
+       # --disable-hardening because our toolchain already defaults to
+       # these bits on, and it actually regresses the default _FORTIFY_SOURCE
+       # level for hardened at least from 3 to 2.
+       #
+       # turn valgrind tests off. Bug #340791
+       VALGRIND=no \
+       LUAPC="${ELUA}" \
+       systemdsystemunitdir="$(systemd_get_systemunitdir)" \
+       econf \
+               --with-rundir="${EPREFIX}/run/dovecot" \
+               --with-statedir="${EPREFIX}/var/lib/dovecot" \
+               --with-moduledir="${EPREFIX}/usr/$(get_libdir)/dovecot" \
+               --disable-hardening \
+               --disable-rpath \
+               --with-bzlib \
+               --without-libbsd \
+               --with-libcap \
+               --with-icu \
+               --enable-experimental-mail-utf8 \
+               $( use_with argon2 sodium ) \
+               $( use_with cdb) \
+               $( use_with kerberos gssapi ) \
+               $( use_with lua ) \
+               $( use_with ldap ) \
+               $( use_with xapian flatcurve ) \
+               $( use_with lz4 ) \
+               $( use_with mysql ) \
+               $( use_with pam ) \
+               $( use_with postgres pgsql ) \
+               $( use_with sqlite ) \
+               $( use_with solr ) \
+               $( use_with stemmer ) \
+               $( use_with systemd ) \
+               $( use_with textcat ) \
+               $( use_with unwind libunwind ) \
+               $( use_with zstd ) \
+               $( use_enable static-libs static )
+
+       if use sieve || use managesieve; then
+               # The sieve plugin needs this file to be build to determine the 
plugin
+               # directory and the list of libraries to link to
+               emake dovecot-config
+               pushd "${PIEGONHOLE_S}" > /dev/null || die
+               econf \
+                       $( use_enable static-libs static ) \
+                       --localstatedir="${EPREFIX}/var" \
+                       --enable-shared \
+                       --disable-hardening \
+                       --with-dovecot="${S}" \
+                       $( use_with ldap ) \
+                       $( use_with managesieve )
+               popd > /dev/null || die
+       fi
+}
+
+src_compile() {
+       default
+       if use sieve || use managesieve; then
+               pushd "${PIEGONHOLE_S}" > /dev/null || die
+               emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}"
+               popd > /dev/null || die
+       fi
+}
+
+src_test() {
+       # bug #340791 and bug #807178
+       local -x NOVALGRIND=true
+
+       default
+       if use sieve || use managesieve; then
+               pushd "${PIEGONHOLE_S}" > /dev/null || die
+               default
+               popd > /dev/null || die
+       fi
+}
+
+src_install() {
+       default
+
+       if use suid; then
+               einfo "Changing perms to allow deliver to be suided"
+               fowners root:mail "/usr/libexec/dovecot/dovecot-lda"
+               fperms 4750 "/usr/libexec/dovecot/dovecot-lda"
+       fi
+
+       newinitd "${FILESDIR}"/dovecot.init-r6 dovecot
+
+       use pam && dosym imap /etc/pam.d/dovecot
+
+       insinto /etc/dovecot/conf.d
+       doins "${FILESDIR}/50-misc.conf"
+
+       dodoc AUTHORS NEWS README.md TODO
+       docinto stopwords
+       dodoc src/lib-language/stopwords/stopwords*.txt
+
+       if use sieve || use managesieve; then
+               pushd "${PIEGONHOLE_S}" > /dev/null || die
+               emake DESTDIR="${ED}" install
+
+               newdoc README README.pigeonhole
+               insinto /etc/dovecot/conf.d
+               doins doc/example-config/conf.d/90-sieve{,-extprograms}.conf
+               use managesieve && doins 
doc/example-config/conf.d/20-managesieve.conf
+               popd > /dev/null || die
+       fi
+
+       rm -r "${ED}"/usr/share/dovecot
+       use static-libs || find "${ED}"/usr/lib* -name '*.la' -delete
+}
+
+pkg_postinst() {
+       if ver_replacing -lt 2.4 ; then
+               # This is an upgrade which requires user review
+               ewarn "Dovecot-2.4.x has new settings and WILL NOT work"
+               ewarn "unless the configuration files are updated."
+               ewarn "Please read the migration guide at:"
+               ewarn "  
https://doc.dovecot.org/2.4.1/installation/upgrade/2.3-to-2.4.html";
+       fi
+
+       # Let's not make a new certificate if we already have one
+       if ! [[ -e "${ROOT}"/etc/ssl/dovecot/server.pem && \
+               -e "${ROOT}"/etc/ssl/dovecot/server.key ]];     then
+               einfo "Creating SSL     certificate"
+               SSL_ORGANIZATION="${SSL_ORGANIZATION:-Dovecot IMAP Server}"
+               install_cert /etc/dovecot/server
+       fi
+}
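Review bot: In `pkg_postinst` the existence check tests `${ROOT}/etc/ssl/dovecot/server.pem` and `server.key`, but `install_cert` is given `/etc/dovecot/server`, so the guard does not look at the files this function creates. On a system without the `/etc/ssl/dovecot` pair the certificate branch is entered on every install or upgrade, and a pair that exists only under `/etc/ssl/dovecot` suppresses creation at the path used here. Which directory the installed `dovecot.conf` references is not visible in this hunk (the `sed` in `src_prepare` only renames the file names), so pick that one and use it in both places, for example `if ! [[ -e "${ROOT}"/etc/dovecot/server.pem && -e "${ROOT}"/etc/dovecot/server.key ]]; then`.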

diff --git a/net-mail/dovecot/files/dovecot-2.4.1-anvil-group.patch 
b/net-mail/dovecot/files/dovecot-2.4.1-anvil-group.patch
new file mode 100644
index 000000000000..44941357f275
--- /dev/null
+++ b/net-mail/dovecot/files/dovecot-2.4.1-anvil-group.patch
@@ -0,0 +1,26 @@
+# bug 962939
+diff --git a/src/anvil/anvil-settings.c b/src/anvil/anvil-settings.c
+index cf96ae7e1f4..15cd03957a1 100644
+--- a/src/anvil/anvil-settings.c
++++ b/src/anvil/anvil-settings.c
+@@ -33,7 +33,8 @@ const struct setting_keyvalue 
anvil_service_settings_defaults[] = {
+       { "unix_listener", "anvil anvil-auth-penalty" },
+ 
+       { "unix_listener/anvil/path", "anvil" },
+-      { "unix_listener/anvil/mode", "0600" },
++      { "unix_listener/anvil/mode", "0660" },
++      { "unix_listener/anvil/group", "$SET:default_internal_group" },
+ 
+       { "unix_listener/anvil-auth-penalty/path", "anvil-auth-penalty" },
+ #ifdef DOVECOT_PRO_EDITION
+diff --git a/src/lib-settings/settings-history-core.txt 
b/src/lib-settings/settings-history-core.txt
+index 2e0a9f6062d..71d08ffaaa5 100644
+--- a/src/lib-settings/settings-history-core.txt
++++ b/src/lib-settings/settings-history-core.txt
+@@ -1,4 +1,6 @@
+ default       service/lmtp/service_restart_request_count      unlimited       
2.4.1   
+ default       service/auth/unix_listener/auth-userdb/unix_listener_group      
        2.4.1   
++default       service/anvil/unix_listener/anvil/unix_listener_mode    0600    
2.4.1   
++default       service/anvil/unix_listener/anvil/unix_listener_group           
2.4.1   
+ default       mail_cache_fields       flags   2.4.1   
+ default       lmtp_user_concurrency_limit     0       2.4.1   
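Review bot: The two added `settings-history-core.txt` entries record `0600` and an empty group as the defaults tagged `2.4.1`, which is the version this package ships. It is worth confirming that a configuration declaring that version actually receives the new `0660` / `$SET:default_internal_group` listener settings rather than the recorded old ones; how the history table is applied is not visible here. The change also makes the anvil socket reachable by every member of the internal group, which deserves a line in the patch header: the other two backports carry their upstream commit message, while this one has only `# bug 962939`. A header such as `# Backport of upstream commit beca41c: anvil unix_listener mode 0600 -> 0660, group = default_internal_group (bug 962939)` would record both.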

diff --git a/net-mail/dovecot/files/dovecot-2.4.1-config-crash.patch 
b/net-mail/dovecot/files/dovecot-2.4.1-config-crash.patch
new file mode 100644
index 000000000000..d5897c942fb6
--- /dev/null
+++ b/net-mail/dovecot/files/dovecot-2.4.1-config-crash.patch
@@ -0,0 +1,44 @@
+From 9240e3a4386808789d593537a8ebe3e873e89683 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <[email protected]>
+Date: Tue, 15 Jul 2025 12:32:23 +0300
+Subject: [PATCH] lib: Fix crash when config is reloaded and logging to syslog
+
+openlog() was called with a string pointing to settings. When settings were
+reloaded, the pointer became invalid, causing syslog() to crash.
+---
+ src/lib/failures.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/failures.c b/src/lib/failures.c
+index eae2d8ddf88..49b0681607e 100644
+--- a/src/lib/failures.c
++++ b/src/lib/failures.c
+@@ -56,6 +56,7 @@ static struct failure_context failure_ctx_error = { .type = 
LOG_TYPE_ERROR };
+ 
+ static int log_fd = STDERR_FILENO, log_info_fd = STDERR_FILENO,
+          log_debug_fd = STDERR_FILENO;
++static char *syslog_ident = NULL;
+ static char *log_prefix = NULL;
+ static char *log_stamp_format = NULL, *log_stamp_format_suffix = NULL;
+ static bool failure_ignore_errors = FALSE, log_prefix_sent = FALSE;
+@@ -657,7 +658,11 @@ void i_syslog_error_handler(const struct failure_context 
*ctx,
+ 
+ void i_set_failure_syslog(const char *ident, int options, int facility)
+ {
+-      openlog(ident, options, facility);
++      /* openlog() keeps using the pointer directly. Duplicate it in case
++         caller frees the string. */
++      i_free(syslog_ident);
++      syslog_ident = i_strdup(ident);
++      openlog(syslog_ident, options, facility);
+ 
+       i_set_fatal_handler(i_syslog_fatal_handler);
+       i_set_error_handler(i_syslog_error_handler);
+@@ -1006,6 +1011,7 @@ void failures_deinit(void)
+       i_free_and_null(log_prefix);
+       i_free_and_null(log_stamp_format);
+       i_free_and_null(log_stamp_format_suffix);
++      i_free(syslog_ident);
+ }
+ 
+ #undef i_unreached
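Review bot: `failures_deinit()` now frees `syslog_ident`, yet the comment added in `i_set_failure_syslog()` says openlog() keeps using that pointer, so a syslog() call after deinit would read freed memory unless the log is closed first. Whether `closelog()` is already called, or whether anything can still log at that point, lies outside the hunk; both function bodies are only partly shown. If neither holds, `closelog();` placed before `i_free(syslog_ident);` in `failures_deinit()` would close the gap.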

diff --git a/net-mail/dovecot/files/dovecot-2.4.1-fix-ldap-sasl.patch 
b/net-mail/dovecot/files/dovecot-2.4.1-fix-ldap-sasl.patch
new file mode 100644
index 000000000000..7afea282486c
--- /dev/null
+++ b/net-mail/dovecot/files/dovecot-2.4.1-fix-ldap-sasl.patch
@@ -0,0 +1,65 @@
+From 431e328b3b035ddb187526cd13bccf29833aed90 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <[email protected]>
+Date: Mon, 2 Jun 2025 20:42:03 +0300
+Subject: [PATCH] auth: Fix LDAP SASL support
+
+The settings code didn't see the necessary defines.
+
+Based on patch by Jakob Haufe
+
+Broken by 961275fdb54878fdfa4ee1b9f1a4f00e82bf4a83
+---
+ src/auth/db-ldap-settings.h | 14 ++++++++++++++
+ src/auth/db-ldap.c          | 11 -----------
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/src/auth/db-ldap-settings.h b/src/auth/db-ldap-settings.h
+index dc341dd3943..a5f2d09fa38 100644
+--- a/src/auth/db-ldap-settings.h
++++ b/src/auth/db-ldap-settings.h
+@@ -1,6 +1,20 @@
+ #ifndef DB_LDAP_SETTINGS_H
+ #define DB_LDAP_SETTINGS_H
+ 
++/* <settings checks> */
++#define HAVE_LDAP_SASL
++#ifdef HAVE_SASL_SASL_H
++#  include <sasl/sasl.h>
++#elif defined (HAVE_SASL_H)
++#  include <sasl.h>
++#else
++#  undef HAVE_LDAP_SASL
++#endif
++#if !defined(SASL_VERSION_MAJOR) || SASL_VERSION_MAJOR < 2
++#  undef HAVE_LDAP_SASL
++#endif
++/* </settings checks> */
++
+ enum db_ldap_lookup_type {
+       DB_LDAP_LOOKUP_TYPE_PASSDB,
+       DB_LDAP_LOOKUP_TYPE_USERDB,
+diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c
+index 9dcebedd57e..302faf38f43 100644
+--- a/src/auth/db-ldap.c
++++ b/src/auth/db-ldap.c
+@@ -22,20 +22,9 @@
+ 
+ #include <unistd.h>
+ 
+-#define HAVE_LDAP_SASL
+-#ifdef HAVE_SASL_SASL_H
+-#  include <sasl/sasl.h>
+-#elif defined (HAVE_SASL_H)
+-#  include <sasl.h>
+-#else
+-#  undef HAVE_LDAP_SASL
+-#endif
+ #ifdef LDAP_OPT_X_TLS
+ #  define OPENLDAP_TLS_OPTIONS
+ #endif
+-#if !defined(SASL_VERSION_MAJOR) || SASL_VERSION_MAJOR < 2
+-#  undef HAVE_LDAP_SASL
+-#endif
+ 
+ #ifndef LDAP_SASL_QUIET
+ #  define LDAP_SASL_QUIET 0 /* Doesn't exist in Solaris LDAP */
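Review bot: With this block moved into `db-ldap-settings.h`, `HAVE_LDAP_SASL` is silently undefined whenever neither `HAVE_SASL_SASL_H` nor `HAVE_SASL_H` is set or `SASL_VERSION_MAJOR` is below 2, and nothing in the build reports that outcome. The ebuild in this commit lists only `net-nds/openldap:=` under `ldap?`, so whether the SASL headers are present at build time appears to depend on what that package pulls in; this is inferred from the visible DEPEND, not from the configure script. A comment next to the patch entry in `PATCHES`, e.g. `# LDAP SASL binds are compiled in only when SASL 2.x headers are found at build time`, would tell operators why SASL bind settings may be unavailable.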
