From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: Re: [oe] [meta-networking][whinlatter][PATCH 1/2] dovecot: patch CVE-2025-59031
Date: Mon, 6 Apr 2026 21:11:02 +0200
Message-ID: <714ae3cf-461f-4fcb-9647-ea4ee5e37bd3@gmail.com>
In-Reply-To: <18A3DA03CDF37206.657799@lists.openembedded.org>

This patch is kinda heavy-handed - it removes a feature that was
considered terminally vulnerable.
Alternatively we can also just live with this in the stable branches,
with a note or something in the recipe.
Though CVE scores are pretty random, fwiw this one rolled 4.3.

On 4/6/26 21:06, Gyorgy Sarvari via lists.openembedded.org wrote:
> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-59031
> 
> Backport the patch that was identified[1] by Debian.
> 
> [1]: https://security-tracker.debian.org/tracker/CVE-2025-59031
> 
> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> ---
>  .../dovecot/dovecot/CVE-2025-59031.patch      | 142 ++++++++++++++++++
>  .../dovecot/dovecot_2.4.1-4.bb                |   1 +
>  2 files changed, 143 insertions(+)
>  create mode 100644 meta-networking/recipes-support/dovecot/dovecot/CVE-2025-59031.patch
> 
> diff --git a/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-59031.patch b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-59031.patch
> new file mode 100644
> index 0000000000..6f13502422
> --- /dev/null
> +++ b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-59031.patch
> @@ -0,0 +1,142 @@
> +From aac45a278d95afeec8c702b5b4966ea0a96e5ad6 Mon Sep 17 00:00:00 2001
> +From: Aki Tuomi <aki.tuomi@open-xchange.com>
> +Date: Thu, 8 Jan 2026 08:51:59 +0200
> +Subject: [PATCH] fts: Remove decode2text.sh
> +
> +The script is flawed and not fit for production use, should
> +recommend writing your own script, or using Apache Tika.
> +
> +CVE: CVE-2025-59031
> +Upstream-Status: Backport [https://github.com/dovecot/core/commit/36a95e7fa6b913db6c03a15862628b06be66eb3e]
> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + src/plugins/fts/Makefile.am    |   3 -
> + src/plugins/fts/decode2text.sh | 105 ---------------------------------
> + 2 files changed, 108 deletions(-)
> + delete mode 100755 src/plugins/fts/decode2text.sh
> +
> +diff --git a/src/plugins/fts/Makefile.am b/src/plugins/fts/Makefile.am
> +index ae57d8f..4485cf4 100644
> +--- a/src/plugins/fts/Makefile.am
> ++++ b/src/plugins/fts/Makefile.am
> +@@ -65,9 +65,6 @@ xml2text_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS)
> + xml2text_LDADD = $(LIBDOVECOT) $(BINARY_LDFLAGS)
> + xml2text_DEPENDENCIES = $(module_LTLIBRARIES) $(LIBDOVECOT_DEPS)
> + 
> +-pkglibexec_SCRIPTS = decode2text.sh
> +-EXTRA_DIST = $(pkglibexec_SCRIPTS)
> +-
> + doveadm_module_LTLIBRARIES = \
> + 	lib20_doveadm_fts_plugin.la
> + 
> +diff --git a/src/plugins/fts/decode2text.sh b/src/plugins/fts/decode2text.sh
> +deleted file mode 100755
> +index 151fb7c..0000000
> +--- a/src/plugins/fts/decode2text.sh
> ++++ /dev/null
> +@@ -1,105 +0,0 @@
> +-#!/bin/sh
> +-
> +-# Example attachment decoder script. The attachment comes from stdin, and
> +-# the script is expected to output UTF-8 data to stdout. (If the output isn't
> +-# UTF-8, everything except valid UTF-8 sequences are dropped from it.)
> +-
> +-# The attachment decoding is enabled by setting:
> +-#
> +-# plugin {
> +-#   fts_decoder = decode2text
> +-# }
> +-# service decode2text {
> +-#   executable = script /usr/local/libexec/dovecot/decode2text.sh
> +-#   user = dovecot
> +-#   unix_listener decode2text {
> +-#     mode = 0666
> +-#   }
> +-# }
> +-
> +-libexec_dir=`dirname $0`
> +-content_type=$1
> +-
> +-# The second parameter is the format's filename extension, which is used when
> +-# found from a filename of application/octet-stream. You can also add more
> +-# extensions by giving more parameters.
> +-formats='application/pdf pdf
> +-application/x-pdf pdf
> +-application/msword doc
> +-application/mspowerpoint ppt
> +-application/vnd.ms-powerpoint ppt
> +-application/ms-excel xls
> +-application/x-msexcel xls
> +-application/vnd.ms-excel xls
> +-application/vnd.openxmlformats-officedocument.wordprocessingml.document docx
> +-application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx
> +-application/vnd.openxmlformats-officedocument.presentationml.presentation pptx
> +-application/vnd.oasis.opendocument.text odt
> +-application/vnd.oasis.opendocument.spreadsheet ods
> +-application/vnd.oasis.opendocument.presentation odp
> +-'
> +-
> +-if [ "$content_type" = "" ]; then
> +-  echo "$formats"
> +-  exit 0
> +-fi
> +-
> +-fmt=`echo "$formats" | grep -w "^$content_type" | cut -d ' ' -f 2`
> +-if [ "$fmt" = "" ]; then
> +-  echo "Content-Type: $content_type not supported" >&2
> +-  exit 1
> +-fi
> +-
> +-# most decoders can't handle stdin directly, so write the attachment
> +-# to a temp file
> +-path=`mktemp`
> +-trap "rm -f $path" 0 1 2 3 14 15
> +-cat > $path
> +-
> +-xmlunzip() {
> +-  name=$1
> +-
> +-  tempdir=`mktemp -d`
> +-  if [ "$tempdir" = "" ]; then
> +-    exit 1
> +-  fi
> +-  trap "rm -rf $path $tempdir" 0 1 2 3 14 15
> +-  cd $tempdir || exit 1
> +-  unzip -q "$path" 2>/dev/null || exit 0
> +-  find . -name "$name" -print0 | xargs -0 cat |
> +-    $libexec_dir/xml2text
> +-}
> +-
> +-wait_timeout() {
> +-  childpid=$!
> +-  trap "kill -9 $childpid; rm -f $path" 1 2 3 14 15
> +-  wait $childpid
> +-}
> +-
> +-LANG=en_US.UTF-8
> +-export LANG
> +-if [ $fmt = "pdf" ]; then
> +-  /usr/bin/pdftotext $path - 2>/dev/null&
> +-  wait_timeout 2>/dev/null
> +-elif [ $fmt = "doc" ]; then
> +-  (/usr/bin/catdoc $path; true) 2>/dev/null&
> +-  wait_timeout 2>/dev/null
> +-elif [ $fmt = "ppt" ]; then
> +-  (/usr/bin/catppt $path; true) 2>/dev/null&
> +-  wait_timeout 2>/dev/null
> +-elif [ $fmt = "xls" ]; then
> +-  (/usr/bin/xls2csv $path; true) 2>/dev/null&
> +-  wait_timeout 2>/dev/null
> +-elif [ $fmt = "odt" -o $fmt = "ods" -o $fmt = "odp" ]; then
> +-  xmlunzip "content.xml"
> +-elif [ $fmt = "docx" ]; then
> +-  xmlunzip "document.xml"
> +-elif [ $fmt = "xlsx" ]; then
> +-  xmlunzip "sharedStrings.xml"
> +-elif [ $fmt = "pptx" ]; then
> +-  xmlunzip "slide*.xml"
> +-else
> +-  echo "Buggy decoder script: $fmt not handled" >&2
> +-  exit 1
> +-fi
> +-exit 0
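
Review bot: the Makefile.am part of the embedded patch drops "pkglibexec_SCRIPTS = decode2text.sh", so once this lands on a stable branch the script is no longer installed, and any image whose dovecot.conf still carries the "service decode2text" block described in the deleted header comments ("executable = script /usr/local/libexec/dovecot/decode2text.sh") is left pointing at a file that no longer exists. Please state that in the commit message, together with the upstream advice to write your own decoder script or use Apache Tika, so users of the branch see the behaviour change. Minor: the "From aac45a278d95" line carries a different hash than the commit named in Upstream-Status (36a95e7fa6b9); that is fine if the patch was regenerated from a local tree, but it is worth confirming that the content matches the upstream commit.
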
> diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb
> index 09583f1694..769e693c5a 100644
> --- a/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb
> +++ b/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb
> @@ -22,6 +22,7 @@ SRC_URI = "http://dovecot.org/releases/2.4/dovecot-${PV}.tar.gz \
>             file://CVE-2025-30189-5.patch \
>             file://CVE-2025-30189-6.patch \
>             file://CVE-2025-30189-7.patch \
> +           file://CVE-2025-59031.patch \
>             "
>  SRC_URI[sha256sum] = "fb188603f419ed7aaa07794a8692098c3ec2660bb9c67d0efe24948cbb32ae00"
>  
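
Review bot: the new "file://CVE-2025-59031.patch" entry in SRC_URI is the only recipe change, although the patch removes a file from the install set instead of fixing code. If anything else in the recipe (do_install, FILES, a packaged example configuration) refers to decode2text.sh, it needs updating in the same commit; none of that is visible in this hunk. A short comment above SRC_URI, or a sentence in the commit message, saying that the fix for this CVE is the removal of the script would cover the "note or something in the recipe" idea raised in the reply above.
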
