* Re: [oe] [meta-networking][whinlatter][PATCH 1/2] dovecot: patch CVE-2025-59031
From: Gyorgy Sarvari @ 2026-04-06 19:11 UTC (permalink / raw)
To: openembedded-devel
This patch is kinda heavy-handed - it removes a feature that was
considered terminally vulnerable.
Alternatively we can also just live with this in the stable branches,
with a note or something in the recipe.
Though CVE scores are pretty random, fwiw this one rolled 4.3.
On 4/6/26 21:06, Gyorgy Sarvari via lists.openembedded.org wrote:
> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-59031
>
> Backport the patch that was identified[1] by Debian.
>
> [1]: https://security-tracker.debian.org/tracker/CVE-2025-59031
>
> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> ---
> .../dovecot/dovecot/CVE-2025-59031.patch | 142 ++++++++++++++++++
> .../dovecot/dovecot_2.4.1-4.bb | 1 +
> 2 files changed, 143 insertions(+)
> create mode 100644 meta-networking/recipes-support/dovecot/dovecot/CVE-2025-59031.patch
>
> diff --git a/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-59031.patch b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-59031.patch
> new file mode 100644
> index 0000000000..6f13502422
> --- /dev/null
> +++ b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-59031.patch
> @@ -0,0 +1,142 @@
> +From aac45a278d95afeec8c702b5b4966ea0a96e5ad6 Mon Sep 17 00:00:00 2001
> +From: Aki Tuomi <aki.tuomi@open-xchange.com>
> +Date: Thu, 8 Jan 2026 08:51:59 +0200
> +Subject: [PATCH] fts: Remove decode2text.sh
> +
> +The script is flawed and not fit for production use, should
> +recommend writing your own script, or using Apache Tika.
> +
> +CVE: CVE-2025-59031
> +Upstream-Status: Backport [https://github.com/dovecot/core/commit/36a95e7fa6b913db6c03a15862628b06be66eb3e]
> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + src/plugins/fts/Makefile.am | 3 -
> + src/plugins/fts/decode2text.sh | 105 ---------------------------------
> + 2 files changed, 108 deletions(-)
> + delete mode 100755 src/plugins/fts/decode2text.sh
> +
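Review bot: the two commit identifiers in this patch header disagree: the first line reads `From aac45a278d95afeec8c702b5b4966ea0a96e5ad6`, while `Upstream-Status: Backport [https://github.com/dovecot/core/commit/36a95e7fa6b913db6c03a15862628b06be66eb3e]` points at a different commit. If aac45a27 is the same change on another upstream branch (or the copy Debian applied), state that in the header; otherwise regenerate the patch from 36a95e7f so the `From` line and the Upstream-Status URL name the same commit, which is what the Upstream-Status convention and any later rebase of the stable branch expect.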
> +diff --git a/src/plugins/fts/Makefile.am b/src/plugins/fts/Makefile.am
> +index ae57d8f..4485cf4 100644
> +--- a/src/plugins/fts/Makefile.am
> ++++ b/src/plugins/fts/Makefile.am
> +@@ -65,9 +65,6 @@ xml2text_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS)
> + xml2text_LDADD = $(LIBDOVECOT) $(BINARY_LDFLAGS)
> + xml2text_DEPENDENCIES = $(module_LTLIBRARIES) $(LIBDOVECOT_DEPS)
> +
> +-pkglibexec_SCRIPTS = decode2text.sh
> +-EXTRA_DIST = $(pkglibexec_SCRIPTS)
> +-
> + doveadm_module_LTLIBRARIES = \
> + lib20_doveadm_fts_plugin.la
> +
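Review bot: dropping `pkglibexec_SCRIPTS = decode2text.sh` (and the `EXTRA_DIST = $(pkglibexec_SCRIPTS)` line that only existed for it) means nothing installs the script any more, so confirm the recipe's packaging does not still reference decode2text.sh (a FILES entry or a do_install step naming it would now warn or fail). The context lines show the `xml2text_*` build rules untouched, so the `xml2text` helper the script piped into is still built; only the shell front-end goes away.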
> +diff --git a/src/plugins/fts/decode2text.sh b/src/plugins/fts/decode2text.sh
> +deleted file mode 100755
> +index 151fb7c..0000000
> +--- a/src/plugins/fts/decode2text.sh
> ++++ /dev/null
> +@@ -1,105 +0,0 @@
> +-#!/bin/sh
> +-
> +-# Example attachment decoder script. The attachment comes from stdin, and
> +-# the script is expected to output UTF-8 data to stdout. (If the output isn't
> +-# UTF-8, everything except valid UTF-8 sequences are dropped from it.)
> +-
> +-# The attachment decoding is enabled by setting:
> +-#
> +-# plugin {
> +-# fts_decoder = decode2text
> +-# }
> +-# service decode2text {
> +-# executable = script /usr/local/libexec/dovecot/decode2text.sh
> +-# user = dovecot
> +-# unix_listener decode2text {
> +-# mode = 0666
> +-# }
> +-# }
> +-
> +-libexec_dir=`dirname $0`
> +-content_type=$1
> +-
> +-# The second parameter is the format's filename extension, which is used when
> +-# found from a filename of application/octet-stream. You can also add more
> +-# extensions by giving more parameters.
> +-formats='application/pdf pdf
> +-application/x-pdf pdf
> +-application/msword doc
> +-application/mspowerpoint ppt
> +-application/vnd.ms-powerpoint ppt
> +-application/ms-excel xls
> +-application/x-msexcel xls
> +-application/vnd.ms-excel xls
> +-application/vnd.openxmlformats-officedocument.wordprocessingml.document docx
> +-application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx
> +-application/vnd.openxmlformats-officedocument.presentationml.presentation pptx
> +-application/vnd.oasis.opendocument.text odt
> +-application/vnd.oasis.opendocument.spreadsheet ods
> +-application/vnd.oasis.opendocument.presentation odp
> +-'
> +-
> +-if [ "$content_type" = "" ]; then
> +- echo "$formats"
> +- exit 0
> +-fi
> +-
> +-fmt=`echo "$formats" | grep -w "^$content_type" | cut -d ' ' -f 2`
> +-if [ "$fmt" = "" ]; then
> +- echo "Content-Type: $content_type not supported" >&2
> +- exit 1
> +-fi
> +-
> +-# most decoders can't handle stdin directly, so write the attachment
> +-# to a temp file
> +-path=`mktemp`
> +-trap "rm -f $path" 0 1 2 3 14 15
> +-cat > $path
> +-
> +-xmlunzip() {
> +- name=$1
> +-
> +- tempdir=`mktemp -d`
> +- if [ "$tempdir" = "" ]; then
> +- exit 1
> +- fi
> +- trap "rm -rf $path $tempdir" 0 1 2 3 14 15
> +- cd $tempdir || exit 1
> +- unzip -q "$path" 2>/dev/null || exit 0
> +- find . -name "$name" -print0 | xargs -0 cat |
> +- $libexec_dir/xml2text
> +-}
> +-
> +-wait_timeout() {
> +- childpid=$!
> +- trap "kill -9 $childpid; rm -f $path" 1 2 3 14 15
> +- wait $childpid
> +-}
> +-
> +-LANG=en_US.UTF-8
> +-export LANG
> +-if [ $fmt = "pdf" ]; then
> +- /usr/bin/pdftotext $path - 2>/dev/null&
> +- wait_timeout 2>/dev/null
> +-elif [ $fmt = "doc" ]; then
> +- (/usr/bin/catdoc $path; true) 2>/dev/null&
> +- wait_timeout 2>/dev/null
> +-elif [ $fmt = "ppt" ]; then
> +- (/usr/bin/catppt $path; true) 2>/dev/null&
> +- wait_timeout 2>/dev/null
> +-elif [ $fmt = "xls" ]; then
> +- (/usr/bin/xls2csv $path; true) 2>/dev/null&
> +- wait_timeout 2>/dev/null
> +-elif [ $fmt = "odt" -o $fmt = "ods" -o $fmt = "odp" ]; then
> +- xmlunzip "content.xml"
> +-elif [ $fmt = "docx" ]; then
> +- xmlunzip "document.xml"
> +-elif [ $fmt = "xlsx" ]; then
> +- xmlunzip "sharedStrings.xml"
> +-elif [ $fmt = "pptx" ]; then
> +- xmlunzip "slide*.xml"
> +-else
> +- echo "Buggy decoder script: $fmt not handled" >&2
> +- exit 1
> +-fi
> +-exit 0
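Review bot: this deletion is the whole fix, and the deleted lines show why upstream chose removal over repair: the script writes an untrusted attachment to a `mktemp` path and hands it, unquoted, to external decoders (`pdftotext`, `catdoc`, `catppt`, `xls2csv`, `unzip`); the `trap` inside `xmlunzip` replaces the outer cleanup trap rather than extending it; and `wait_timeout` only does `wait $childpid`, relying on an external signal rather than enforcing any timeout itself. Worth saying in the backport's commit message that the user-visible effect is the loss of the `fts_decoder = decode2text` example service, since the upstream body ("flawed and not fit for production use, should recommend writing your own script, or using Apache Tika") does not spell that out.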
> diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb
> index 09583f1694..769e693c5a 100644
> --- a/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb
> +++ b/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb
> @@ -22,6 +22,7 @@ SRC_URI = "http://dovecot.org/releases/2.4/dovecot-${PV}.tar.gz \
> file://CVE-2025-30189-5.patch \
> file://CVE-2025-30189-6.patch \
> file://CVE-2025-30189-7.patch \
> + file://CVE-2025-59031.patch \
> "
> SRC_URI[sha256sum] = "fb188603f419ed7aaa07794a8692098c3ec2660bb9c67d0efe24948cbb32ae00"
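Review bot: the bare `file://CVE-2025-59031.patch \` entry gives stable-branch users no hint that this patch removes a shipped feature rather than fixing one. Since the thread itself weighs "a note or something in the recipe", add a one-line comment above the SRC_URI entry stating that decode2text.sh is dropped and that deployments using `fts_decoder = decode2text` need their own decoder script or Apache Tika, as the upstream commit message recommends.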
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#126062): https://lists.openembedded.org/g/openembedded-devel/message/126062
> Mute This Topic: https://lists.openembedded.org/mt/118695942/6084445
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
* Re: [oe] [meta-networking][whinlatter][PATCH 1/2] dovecot: patch CVE-2025-59031
From: Ankur Tyagi @ 2026-04-06 22:20 UTC (permalink / raw)
To: skandigraun; +Cc: openembedded-devel
On Tue, Apr 7, 2026 at 7:11 AM Gyorgy Sarvari via
lists.openembedded.org <skandigraun=gmail.com@lists.openembedded.org>
wrote:
>
> This patch is kinda heavy-handed - it removes a feature that was
> considered terminally vulnerable.
> Alternatively we can also just live with this in the stable branches,
> with a note or something in the recipe.
> Though CVE scores are pretty random, fwiw this one rolled 4.3.
>
I agree and the users can decide whether to use this script or not.
At least the patch is not going to cause a regression in the stable
branch recipe.
cheers
Ankur