dovecot: patch CVE-2025-59031

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-59031 Backport the patch that was identified[1] by Debian. [1]: https://security-tracker.debian.org/tracker/CVE-2025-59031 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-13 17:39:57 +00:00 · 2026-04-06 21:06:23 +02:00
parent b35ad41144
commit 47ec93ee07
2 changed files with 143 additions and 0 deletions
@@ -0,0 +1,142 @@
+From aac45a278d95afeec8c702b5b4966ea0a96e5ad6 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Thu, 8 Jan 2026 08:51:59 +0200
+Subject: [PATCH] fts: Remove decode2text.sh
+
+The script is flawed and not fit for production use, should
+recommend writing your own script, or using Apache Tika.
+
+CVE: CVE-2025-59031
+Upstream-Status: Backport [https://github.com/dovecot/core/commit/36a95e7fa6b913db6c03a15862628b06be66eb3e]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/plugins/fts/Makefile.am    |   3 -
+ src/plugins/fts/decode2text.sh | 105 ---------------------------------
+ 2 files changed, 108 deletions(-)
+ delete mode 100755 src/plugins/fts/decode2text.sh
+
+diff --git a/src/plugins/fts/Makefile.am b/src/plugins/fts/Makefile.am
+index ae57d8f..4485cf4 100644
+--- a/src/plugins/fts/Makefile.am
+++ b/src/plugins/fts/Makefile.am
+@@ -65,9 +65,6 @@ xml2text_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS)
+ xml2text_LDADD = $(LIBDOVECOT) $(BINARY_LDFLAGS)
+ xml2text_DEPENDENCIES = $(module_LTLIBRARIES) $(LIBDOVECOT_DEPS)
+ 
+-pkglibexec_SCRIPTS = decode2text.sh
+-EXTRA_DIST = $(pkglibexec_SCRIPTS)
+-
+ doveadm_module_LTLIBRARIES = \
+ 	lib20_doveadm_fts_plugin.la
+ 
+diff --git a/src/plugins/fts/decode2text.sh b/src/plugins/fts/decode2text.sh
+deleted file mode 100755
+index 151fb7c..0000000
+--- a/src/plugins/fts/decode2text.sh
+++ /dev/null
+@@ -1,105 +0,0 @@
+-#!/bin/sh
+-
+-# Example attachment decoder script. The attachment comes from stdin, and
+-# the script is expected to output UTF-8 data to stdout. (If the output isn't
+-# UTF-8, everything except valid UTF-8 sequences are dropped from it.)
+-
+-# The attachment decoding is enabled by setting:
+-#
+-# plugin {
+-#   fts_decoder = decode2text
+-# }
+-# service decode2text {
+-#   executable = script /usr/local/libexec/dovecot/decode2text.sh
+-#   user = dovecot
+-#   unix_listener decode2text {
+-#     mode = 0666
+-#   }
+-# }
+-
+-libexec_dir=`dirname $0`
+-content_type=$1
+-
+-# The second parameter is the format's filename extension, which is used when
+-# found from a filename of application/octet-stream. You can also add more
+-# extensions by giving more parameters.
+-formats='application/pdf pdf
+-application/x-pdf pdf
+-application/msword doc
+-application/mspowerpoint ppt
+-application/vnd.ms-powerpoint ppt
+-application/ms-excel xls
+-application/x-msexcel xls
+-application/vnd.ms-excel xls
+-application/vnd.openxmlformats-officedocument.wordprocessingml.document docx
+-application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx
+-application/vnd.openxmlformats-officedocument.presentationml.presentation pptx
+-application/vnd.oasis.opendocument.text odt
+-application/vnd.oasis.opendocument.spreadsheet ods
+-application/vnd.oasis.opendocument.presentation odp
+-'
+-
+-if [ "$content_type" = "" ]; then
+-  echo "$formats"
+-  exit 0
+-fi
+-
+-fmt=`echo "$formats" | grep -w "^$content_type" | cut -d ' ' -f 2`
+-if [ "$fmt" = "" ]; then
+-  echo "Content-Type: $content_type not supported" >&2
+-  exit 1
+-fi
+-
+-# most decoders can't handle stdin directly, so write the attachment
+-# to a temp file
+-path=`mktemp`
+-trap "rm -f $path" 0 1 2 3 14 15
+-cat > $path
+-
+-xmlunzip() {
+-  name=$1
+-
+-  tempdir=`mktemp -d`
+-  if [ "$tempdir" = "" ]; then
+-    exit 1
+-  fi
+-  trap "rm -rf $path $tempdir" 0 1 2 3 14 15
+-  cd $tempdir || exit 1
+-  unzip -q "$path" 2>/dev/null || exit 0
+-  find . -name "$name" -print0 | xargs -0 cat |
+-    $libexec_dir/xml2text
+-}
+-
+-wait_timeout() {
+-  childpid=$!
+-  trap "kill -9 $childpid; rm -f $path" 1 2 3 14 15
+-  wait $childpid
+-}
+-
+-LANG=en_US.UTF-8
+-export LANG
+-if [ $fmt = "pdf" ]; then
+-  /usr/bin/pdftotext $path - 2>/dev/null&
+-  wait_timeout 2>/dev/null
+-elif [ $fmt = "doc" ]; then
+-  (/usr/bin/catdoc $path; true) 2>/dev/null&
+-  wait_timeout 2>/dev/null
+-elif [ $fmt = "ppt" ]; then
+-  (/usr/bin/catppt $path; true) 2>/dev/null&
+-  wait_timeout 2>/dev/null
+-elif [ $fmt = "xls" ]; then
+-  (/usr/bin/xls2csv $path; true) 2>/dev/null&
+-  wait_timeout 2>/dev/null
+-elif [ $fmt = "odt" -o $fmt = "ods" -o $fmt = "odp" ]; then
+-  xmlunzip "content.xml"
+-elif [ $fmt = "docx" ]; then
+-  xmlunzip "document.xml"
+-elif [ $fmt = "xlsx" ]; then
+-  xmlunzip "sharedStrings.xml"
+-elif [ $fmt = "pptx" ]; then
+-  xmlunzip "slide*.xml"
+-else
+-  echo "Buggy decoder script: $fmt not handled" >&2
+-  exit 1
+-fi
+-exit 0
@@ -22,6 +22,7 @@ SRC_URI = "http://dovecot.org/releases/2.4/dovecot-${PV}.tar.gz \
           file://CVE-2025-30189-5.patch \
           file://CVE-2025-30189-6.patch \
           file://CVE-2025-30189-7.patch \
+           file://CVE-2025-59031.patch \
           "
 SRC_URI[sha256sum] = "fb188603f419ed7aaa07794a8692098c3ec2660bb9c67d0efe24948cbb32ae00"