Version in base suite: 2.3.19.1+dfsg1-2.1+deb12u1 Version in overlay suite: 2.3.19.1+dfsg1-2.1+deb12u3 Base version: dovecot_2.3.19.1+dfsg1-2.1+deb12u3 Target version: dovecot_2.3.19.1+dfsg1-2.1+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/dovecot/dovecot_2.3.19.1+dfsg1-2.1+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/d/dovecot/dovecot_2.3.19.1+dfsg1-2.1+deb12u4.dsc changelog | 8 ++++++ patches/CVE-2026-0394-1.patch | 14 +++++----- tests/control | 4 +++ tests/debian_bug_1134464 | 54 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 73 insertions(+), 7 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpav4mvedv/dovecot_2.3.19.1+dfsg1-2.1+deb12u3.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpav4mvedv/dovecot_2.3.19.1+dfsg1-2.1+deb12u4.dsc: no acceptable signature found diff -Nru dovecot-2.3.19.1+dfsg1/debian/changelog dovecot-2.3.19.1+dfsg1/debian/changelog --- dovecot-2.3.19.1+dfsg1/debian/changelog 2026-04-06 15:23:26.000000000 +0000 +++ dovecot-2.3.19.1+dfsg1/debian/changelog 2026-04-23 13:40:11.000000000 +0000 @@ -1,3 +1,11 @@ +dovecot (1:2.3.19.1+dfsg1-2.1+deb12u4) bookworm-security; urgency=medium + + * [0669596] Add tests for bug 1134464 regression + * [2660eb2] Fix regression in passwd-file path normalization in + CVE-2026-0394 fix (Closes: #1134464) + + -- Noah Meyerhans Thu, 23 Apr 2026 09:40:11 -0400 + dovecot (1:2.3.19.1+dfsg1-2.1+deb12u3) bookworm-security; urgency=medium * [4c6afb0] autopkgtests: Add managesieved authentication test diff -Nru dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-0394-1.patch dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-0394-1.patch --- dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-0394-1.patch 2026-04-06 15:01:29.000000000 +0000 +++ dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2026-0394-1.patch 2026-04-23 13:28:57.000000000 +0000 
@@ -8,10 +8,10 @@
 src/auth/db-passwd-file.h | 2 ++
 2 files changed, 27 insertions(+)
-Index: dovecot/src/auth/db-passwd-file.c
+Index: 2.3/src/auth/db-passwd-file.c
 ===================================================================
---- dovecot.orig/src/auth/db-passwd-file.c
-+++ dovecot/src/auth/db-passwd-file.c
+--- 2.3.orig/src/auth/db-passwd-file.c
++++ 2.3/src/auth/db-passwd-file.c
 @@ -14,6 +14,7 @@
 #include "str.h"
 #include "eacces-error.h"
@@ -35,7 +35,7 @@
 + /* check base path */
 + const char *p;
 + if (*orig_path != '%' &&
-+ (p = strstr(orig_path, "%{")) != NULL) {
++ (p = strchr(orig_path, '%')) != NULL) {
 + ptrdiff_t len = p - orig_path;
 + if (strncmp(orig_path, normalized, len) != 0) {
 + *error_r = t_strdup_printf("Path is outside '%s'",
@@ -51,10 +51,10 @@
 static const char *
 path_fix(const char *path, const struct auth_request *auth_request ATTR_UNUSED)
-Index: dovecot/src/auth/db-passwd-file.h
+Index: 2.3/src/auth/db-passwd-file.h
 ===================================================================
---- dovecot.orig/src/auth/db-passwd-file.h
-+++ dovecot/src/auth/db-passwd-file.h
+--- 2.3.orig/src/auth/db-passwd-file.h
++++ 2.3/src/auth/db-passwd-file.h
 @@ -45,6 +45,8 @@ struct db_passwd_file {
 bool userdb_warn_missing:1;
 };
diff -Nru dovecot-2.3.19.1+dfsg1/debian/tests/control dovecot-2.3.19.1+dfsg1/debian/tests/control
--- dovecot-2.3.19.1+dfsg1/debian/tests/control 2026-04-06 15:01:29.000000000 +0000
+++ dovecot-2.3.19.1+dfsg1/debian/tests/control 2026-04-23 13:28:57.000000000 +0000
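Review bot: The base-path prefix now ends at the first `%` of any kind, but nothing in the hunk says why `"%{"` was the wrong cut point, so the next tidy-up can reintroduce the regression. The earlier revision left short variables such as `%Ld` inside the prefix handed to `strncmp`, so the expanded, normalized path could never match it and such configs failed with "Path is outside" (the #1134464 regression); a comment on the `strchr` line would record that, e.g. `/* literal base = everything before the FIRST variable of any form (%d, %Ld, %{...}); cutting at "%{" left %Ld in the prefix, Debian #1134464 */`. The same comment could name the gap the visible `*orig_path != '%'` test leaves: a path that starts with a variable (e.g. `%h/passwd`) gets no base-path comparison at all, which is pre-existing but easy to misread as an oversight. The comparison is still between the raw config prefix and the normalized path, so a prefix written with `//` or `/./` would presumably be rejected as outside its own base if the normalizer collapses those — worth a note or a regression case, since the normalizer is not in this hunk. The enclosing function starts and ends outside the hunk.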
@@ -12,3 +12,7 @@
 Tests: testmails
 Restrictions: needs-root, breaks-testbed
 Depends: dovecot-imapd, dovecot-pop3d, lsb-release, python3, python3-passlib
+
+Tests: debian_bug_1134464
+Restrictions: needs-root, breaks-testbed, allow-stderr
+Depends: dovecot-imapd
diff -Nru dovecot-2.3.19.1+dfsg1/debian/tests/debian_bug_1134464 dovecot-2.3.19.1+dfsg1/debian/tests/debian_bug_1134464
--- dovecot-2.3.19.1+dfsg1/debian/tests/debian_bug_1134464 1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.19.1+dfsg1/debian/tests/debian_bug_1134464 2026-04-23 13:28:57.000000000 +0000
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -e
+
+echo "Setting up dovecot for the test"
+# Move aside 10-auth.conf to disable passwd-based auth
+if [ -f /etc/dovecot/conf.d/10-auth.conf ]; then
+ mv /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.bak
+fi
+
+cat >/etc/dovecot/local.conf <<-EOF
+ auth_mechanisms = plain
+ mail_location = maildir:~/Maildir
+ auth_verbose = yes
+
+ passdb {
+ driver = passwd-file
+ args = username_format=%Ln /srv/dovecot/etc/vdomains/%Ld/passwd.%{if;%Ls;eq;smtp;%Ls;real}
+ }
+
+ userdb {
+ driver = static
+ args = uid=nobody gid=nogroup home=/srv/dovecot-dep8/%u
+ }
+EOF
+
+mkdir -p /srv/dovecot/etc/vdomains/example.com
+echo 'dep8:$5$g5AtG9Qqne/tKFN9$dUEO/AaHIk8hvxZySialx3P7B0SlC1TF026IUIPQBY1:65534:65534:dovecot test user,,,:/srv/dovecot-dep8:/usr/sbin/nologin' > /srv/dovecot/etc/vdomains/example.com/passwd.real
+
+mkdir -p /srv/dovecot-dep8
+chown nobody:nogroup /srv/dovecot-dep8
+
+echo "Restarting the service"
+systemctl restart dovecot
+
+echo "Sending a test message via the LDA"
+/usr/lib/dovecot/dovecot-lda -f "test@example.com" -d dep8@example.com <
+Message-Id:
+From: Test User
+To: dep8
+Subject: DEP-8 test
+
+This is just a test
+EOF
+
+echo "Verifying that the email was correctly delivered"
+if [ -z "$(doveadm search -u dep8@example.com header message-id dep8-test-1@debian.org)" ]; then
+ echo "Message not found"
+ exit 1
+fi
+
+echo "Done"
+echo
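Review bot: The regression check is indirect: nothing in the script authenticates against the passwd-file passdb it configures — as far as the script shows, `dovecot-lda -d` only needs the static userdb and `doveadm search` reads the resulting Maildir — so the bug is presumably caught only because auth refuses to start when the `args` path fails the base-path check and delivery then fails as a side effect. A direct passdb call (e.g. `doveadm auth test dep8@example.com <password>` with the plaintext matching the `$5$` hash written to passwd.real) would pin the fixed behaviour, and a second case whose `%Ld` expands to a traversal such as `../example.com`, expected to be refused, would show that the CVE-2026-0394 base-path check still fires after the fix rather than having been loosened. A one-line comment above `passdb {` naming the shape that broke would help the next reader, e.g. `# %Ld ahead of the %{...} variable is the layout that tripped the base-path check (#1134464)`. The `dovecot-lda` heredoc line is garbled in this rendering (`<` with the delimiter and the header addresses lost), so its actual form cannot be reviewed here.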