dovecot security update (5.1) breaks mysql

Bug #49601 reported by Trent Lloyd on 2006-06-13
Affects: dovecot (Ubuntu)
Importance: High
Assigned to: Martin Pitt

Bug Description

Binary package hint: dovecot

I am running two servers, one with 1.0.beta3-3ubuntu5 (which works) and a new one I was just setting up today with 1.0.beta3-3ubuntu5.1 that doesn't work.

Below is my configuration (dumbed down; I usually have far more complex queries, but these break it just the same):
user_query = SELECT '/srv/mail/t/thiat.net/l' as userdb_home 2000 as userdb_uid, 2000 as userdb_gid FROM svc_mail;
password_query = SELECT '<email address hidden>' as user, 'something' as password, '/srv/mail/t/thiat.net/l'

It's also worth noting a combined userdb/passdb query has the same effect:
password_query = SELECT '<email address hidden>' as user, 'something' as password, '/srv/mail/t/thiat.net/l' as userdb_home 2000 as userdb_uid, 2000 as userdb_gid FROM svc_mail;

And the following on dovecot.conf:

  passdb sql {
    # Path for SQL configuration file, see /etc/dovecot/dovecot-sql.conf for
    # example
    args = /etc/dovecot/dovecot-sql.conf
  }

When testing with a non-combined passdb, this was duplicated for userdb.

I've done a fair bit of stracing and whatnot, and I can't really figure out what's causing it, other than that in the logs you get this, which shows it connecting then dying:
Jun 13 23:40:49 gaz dovecot: auth(default): client in: AUTH^I1^IPLAIN^Iservice=POP3^Isecured^Ilip=127.0.0.1^Irip=127.0.0.1^Iresp=<hidden>
Jun 13 23:40:49 gaz dovecot: child 18673 (auth-worker) killed with signal 11
Jun 13 23:40:51 gaz dovecot: auth(default): client out: FAIL^I1^<email address hidden>^Itemp
Jun 13 23:40:53 gaz dovecot: pop3-login: Disconnected: user=<email address hidden>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

MySQL logs show this:

060613 23:33:08 171 Connect dovecot@gaz-nfs on conventia_development

(and that's all, every time, nothing else)

If I downgrade the 5.1 machine to 5.0, it instantly works, just as the other 5.0 machine does; upgrade, and it breaks again.

Trent Lloyd (lathiat) wrote :

Bumping to high and assigning to pitti at his request

Changed in dovecot:
assignee: nobody → pitti
importance: Untriaged → High
Trent Lloyd (lathiat) wrote :

It's worth noting downgrading dovecot-common alone is enough to fix it; I believe it's the auth-worker that's crashing.

Martin Pitt (pitti) wrote :

Can reproduce it here, I'm debugging this ATM.

Changed in dovecot:
status: Unconfirmed → In Progress
Martin Pitt (pitti) wrote :

Found the issue, I uploaded a fixed dovecot into the dapper-security queue. It's currently blocked by the mirroring problems, but that should be resolved soon. Thanks for the report and sorry for screwing up.

Changed in dovecot:
status: In Progress → Fix Committed
Trent Lloyd (lathiat) wrote :

Thanks Martin, haven't appeared yet but I will test them out when I do

What was the problem?

dovecot_1.0.beta3-3ubuntu5.2.diff.gz

dovecot_1.0.beta3-3ubuntu5.2.dsc

Hi Trent,

Trent Lloyd [2006-06-14 1:12 -0000]:
> Thanks Martin, haven't appeared yet but I will test them out when I do

I attached the source package now, since the mirror problem is still
not fixed.

> What was the problem?

My stupidity :/, the connection argument for mysql_real_escape() was
wrong. Sorry for the mess.

Trent Lloyd (lathiat) wrote :

Hehe, brown-paper-bag for pitti :)

This fixes the problem for me! Cheers.

Martin Pitt (pitti) wrote :

Fixed version is in the archive now, http://www.ubuntu.com/usn/usn-288-4

Changed in dovecot:
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.