authortaca <taca@pkgsrc.org>2015-05-10 07:33:49 +0000
committertaca <taca@pkgsrc.org>2015-05-10 07:33:49 +0000
commit29fca9d1d338f9b063bc0d41c2365411c7553bdf (patch)
tree2bd1a2474bb56a0895870645bab57ea2c4361175 /mail
parented03af6e06e553e80722356d6fd6e91b19c4e667 (diff)
Add fix for CVE-2015-3420.
Bump PKGREVISION.
Diffstat (limited to 'mail')
-rw-r--r--mail/dovecot2/Makefile4
-rw-r--r--mail/dovecot2/distinfo3
-rw-r--r--mail/dovecot2/patches/patch-src_login-common_ssl-proxy-openssl.c55
3 files changed, 59 insertions, 3 deletions
diff --git a/mail/dovecot2/Makefile b/mail/dovecot2/Makefile
index c768a531110..cc07a5aafe7 100644
--- a/mail/dovecot2/Makefile
+++ b/mail/dovecot2/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.74 2015/04/23 09:27:31 jperkin Exp $
+# $NetBSD: Makefile,v 1.75 2015/05/10 07:33:49 taca Exp $
#
# when updating to a new release, update ABI depends in
# the buildlink3.mk file as well, since the plugins' version
# must match (see PR 49563).
DISTNAME= dovecot-2.2.16
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= mail
MASTER_SITES= http://www.dovecot.org/releases/${PKGVERSION_NOREV:R}/
diff --git a/mail/dovecot2/distinfo b/mail/dovecot2/distinfo
index 5fb91acd4ab..2bf37411e83 100644
--- a/mail/dovecot2/distinfo
+++ b/mail/dovecot2/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.53 2015/03/15 09:19:23 tron Exp $
+$NetBSD: distinfo,v 1.54 2015/05/10 07:33:49 taca Exp $
SHA1 (dovecot-2.2.16.tar.gz) = 7b267ee939b790ee42809efebc96d6ae78a49432
RMD160 (dovecot-2.2.16.tar.gz) = 79768b2077137d255a3cfbc492de6d979e594e31
@@ -7,4 +7,5 @@ SHA1 (patch-aa) = ea185011f0c1ee3aa1ff528e61f6f356fe385666
SHA1 (patch-ab) = d637a64feec8e4eafacda149cf0193aa1b70a054
SHA1 (patch-ae) = 51d8cb998cc2ded8bfc767710e465b752c50e656
SHA1 (patch-af) = c066e94dd6593d16eec3e66f5f4d26f021918498
+SHA1 (patch-src_login-common_ssl-proxy-openssl.c) = ae2929851b36a0ac230cbad602851d6d021f0e71
SHA1 (patch-src_stats_mail-stats.h) = 90645c2aab956a0119630da4b71905db704bffda
diff --git a/mail/dovecot2/patches/patch-src_login-common_ssl-proxy-openssl.c b/mail/dovecot2/patches/patch-src_login-common_ssl-proxy-openssl.c
new file mode 100644
index 00000000000..c779981365f
--- /dev/null
+++ b/mail/dovecot2/patches/patch-src_login-common_ssl-proxy-openssl.c
@@ -0,0 +1,55 @@
+$NetBSD: patch-src_login-common_ssl-proxy-openssl.c,v 1.1 2015/05/10 07:33:49 taca Exp $
+
+* Fix CVE-2015-3420 from revision 86f535375750 of dovecot-2.2.
+
+--- src/login-common/ssl-proxy-openssl.c.orig 2015-01-29 16:01:15.000000000 +0000
++++ src/login-common/ssl-proxy-openssl.c
+@@ -80,6 +80,7 @@ struct ssl_proxy {
+ unsigned int cert_broken:1;
+ unsigned int client_proxy:1;
+ unsigned int flushing:1;
++ unsigned int failed:1;
+ };
+
+ struct ssl_parameters {
+@@ -131,6 +132,12 @@ static void ssl_proxy_ctx_set_crypto_par
+ static int ssl_proxy_ctx_get_pkey_ec_curve_name(const struct master_service_ssl_settings *set);
+ #endif
+
++static void ssl_proxy_destroy_failed(struct ssl_proxy *proxy)
++{
++ proxy->failed = TRUE;
++ ssl_proxy_destroy(proxy);
++}
++
+ static unsigned int ssl_server_context_hash(const struct ssl_server_context *ctx)
+ {
+ unsigned int i, g, h = 0;
+@@ -462,7 +469,7 @@ static void ssl_handle_error(struct ssl_
+
+ if (errstr != NULL) {
+ proxy->last_error = i_strdup(errstr);
+- ssl_proxy_destroy(proxy);
++ ssl_proxy_destroy_failed(proxy);
+ }
+ ssl_proxy_unref(proxy);
+ }
+@@ -492,7 +499,7 @@ static void ssl_handshake(struct ssl_pro
+
+ if (proxy->handshake_callback != NULL) {
+ if (proxy->handshake_callback(proxy->handshake_context) < 0)
+- ssl_proxy_destroy(proxy);
++ ssl_proxy_destroy_failed(proxy);
+ }
+ }
+
+@@ -822,7 +829,8 @@ void ssl_proxy_destroy(struct ssl_proxy
+ if (proxy->destroyed || proxy->flushing)
+ return;
+ proxy->flushing = TRUE;
+- ssl_proxy_flush(proxy);
++ if (!proxy->failed && proxy->handshaked)
++ ssl_proxy_flush(proxy);
+ proxy->destroyed = TRUE;
+
+ ssl_proxy_count--;
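Review bot: The guard added in ssl_proxy_destroy(), `if (!proxy->failed && proxy->handshaked)`, is the line that carries the CVE-2015-3420 fix, but neither it nor the patch header says why the flush has to be skipped. Since this is a local pkgsrc patch, I would spell that out in the header, e.g. `* Fix CVE-2015-3420: do not call ssl_proxy_flush() from ssl_proxy_destroy() after an SSL error or before the handshake has completed. From revision 86f535375750 of dovecot-2.2.`, so whoever updates past 2.2.16 can tell when the patch is safe to drop. Also note that `failed` is set only through the new ssl_proxy_destroy_failed() wrapper, so any error path that still calls ssl_proxy_destroy() directly on a handshaked proxy keeps flushing; only the call sites in ssl_handle_error() and ssl_handshake() are visible here, so that is worth checking against the upstream file. The patched functions (ssl_handle_error, ssl_handshake, ssl_proxy_destroy) all continue outside their hunks.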