diff -Nru dovecot-2.3.7.2/debian/changelog dovecot-2.3.7.2/debian/changelog
--- dovecot-2.3.7.2/debian/changelog	2020-03-03 20:32:32.000000000 +0000
+++ dovecot-2.3.7.2/debian/changelog	2020-05-13 13:29:10.000000000 +0000
@@ -1,3 +1,14 @@
+dovecot (1:2.3.7.2-1ubuntu3.1) focal-security; urgency=medium
+
+  * SECURITY UPDATE: Multiple security issues
+    - debian/patches/CVE-2020-109xx/*.patch: add patches provided by
+      upstream to fix issues.
+    - CVE-2020-10957
+    - CVE-2020-10958
+    - CVE-2020-10967
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 13 May 2020 09:29:10 -0400
+
 dovecot (1:2.3.7.2-1ubuntu3) focal; urgency=medium
 
   * No-change rebuild for icu soname change.
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0001-lib-smtp-smtp-server-cmd-vrfy-Restructure-parameter-.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0001-lib-smtp-smtp-server-cmd-vrfy-Restructure-parameter-.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0001-lib-smtp-smtp-server-cmd-vrfy-Restructure-parameter-.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0001-lib-smtp-smtp-server-cmd-vrfy-Restructure-parameter-.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,40 @@
+From 7009e157185323475939cfae9f9049e07eb84c03 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 24 Mar 2020 21:05:17 +0100
+Subject: [PATCH 01/15] lib-smtp: smtp-server-cmd-vrfy - Restructure parameter
+ parsing.
+
+---
+ src/lib-smtp/smtp-server-cmd-vrfy.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/src/lib-smtp/smtp-server-cmd-vrfy.c b/src/lib-smtp/smtp-server-cmd-vrfy.c
+index 56019d7e25..6d6537b4f0 100644
+--- a/src/lib-smtp/smtp-server-cmd-vrfy.c
++++ b/src/lib-smtp/smtp-server-cmd-vrfy.c
+@@ -17,15 +17,13 @@ void smtp_server_cmd_vrfy(struct smtp_server_cmd_ctx *cmd,
+ 	int ret;
+ 
+ 	/* vrfy = "VRFY" SP String CRLF */
+-	if ((ret=smtp_string_parse(params, &param, &error)) <= 0) {
+-		if (ret < 0) {
+-			smtp_server_reply(cmd,
+-				501, "5.5.4",
+-				"Invalid string parameter: %s", error);
+-		} else {
+-			smtp_server_reply(cmd,
+-				501, "5.5.4", "Invalid parameters");
+-		}
++	ret = smtp_string_parse(params, &param, &error);
++	if (ret < 0) {
++		smtp_server_reply(cmd, 501, "5.5.4",
++				  "Invalid string parameter: %s", error);
++		return;
++	} else if (ret == 0) {
++		smtp_server_reply(cmd, 501, "5.5.4", "Invalid parameters");
+ 		return;
+ 	}
+ 
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0002-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0002-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0002-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0002-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,63 @@
+From 3317dcfa558a8c72e5f7a527cc2e5f6a876b0848 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 24 Mar 2020 20:57:03 +0100
+Subject: [PATCH 02/15] lib-smtp: smtp-syntax - Do not allow NULL return
+ parameters for smtp_string_parse().
+
+---
+ src/lib-smtp/smtp-server-cmd-noop.c | 8 ++++++--
+ src/lib-smtp/smtp-syntax.c          | 9 +++++----
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/lib-smtp/smtp-server-cmd-noop.c b/src/lib-smtp/smtp-server-cmd-noop.c
+index 4986f800c8..550d709eab 100644
+--- a/src/lib-smtp/smtp-server-cmd-noop.c
++++ b/src/lib-smtp/smtp-server-cmd-noop.c
+@@ -13,11 +13,15 @@ void smtp_server_cmd_noop(struct smtp_server_cmd_ctx *cmd,
+ 	struct smtp_server_connection *conn = cmd->conn;
+ 	struct smtp_server_command *command = cmd->cmd;
+ 	const struct smtp_server_callbacks *callbacks = conn->callbacks;
++	const char *param, *error;
+ 	int ret;
+ 
+ 	/* "NOOP" [ SP String ] CRLF */
+-	if (*params != '\0' && smtp_string_parse(params, NULL, NULL) < 0) {
+-		smtp_server_reply(cmd, 501, "5.5.4", "Invalid parameters");
++	ret = smtp_string_parse(params, &param, &error);
++	if (ret < 0) {
++		smtp_server_reply(cmd, 501, "5.5.4",
++				  "Invalid string parameter: %s",
++				  error);
+ 		return;
+ 	}
+ 
+diff --git a/src/lib-smtp/smtp-syntax.c b/src/lib-smtp/smtp-syntax.c
+index 5d22445f72..6826682af1 100644
+--- a/src/lib-smtp/smtp-syntax.c
++++ b/src/lib-smtp/smtp-syntax.c
+@@ -17,7 +17,9 @@ int smtp_string_parse(const char *string,
+ 	const char **value_r, const char **error_r)
+ {
+ 	struct smtp_parser parser;
+-	int ret;
++
++	*value_r = NULL;
++	*error_r = NULL;
+ 
+ 	if (string == NULL || *string == '\0') {
+ 		*value_r = "";
+@@ -26,9 +28,8 @@ int smtp_string_parse(const char *string,
+ 
+ 	smtp_parser_init(&parser, pool_datastack_create(), string);
+ 
+-	if ((ret=smtp_parser_parse_string(&parser, value_r)) < 0) {
+-		if (error_r != NULL)
+-			*error_r = parser.error;
++	if (smtp_parser_parse_string(&parser, value_r) < 0) {
++		*error_r = parser.error;
+ 		return -1;
+ 	}
+ 	if (parser.cur < parser.end) {
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0003-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0003-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0003-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0003-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,54 @@
+From ba7edb87805573a12363a5343be7a1885f3d050b Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 24 Mar 2020 21:11:01 +0100
+Subject: [PATCH 03/15] lib-smtp: smtp-syntax - Do not allow NULL return
+ parameters for smtp_xtext_parse().
+
+---
+ src/lib-smtp/smtp-syntax.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib-smtp/smtp-syntax.c b/src/lib-smtp/smtp-syntax.c
+index 6826682af1..0b0a91ce07 100644
+--- a/src/lib-smtp/smtp-syntax.c
++++ b/src/lib-smtp/smtp-syntax.c
+@@ -86,20 +86,20 @@ int smtp_xtext_parse(const char *xtext,
+ {
+ 	struct smtp_parser parser;
+ 	string_t *value = NULL;
+-	int ret;
++
++	*value_r = NULL;
++	*error_r = NULL;
+ 
+ 	if (xtext == NULL || *xtext == '\0') {
+ 		*value_r = "";
+ 		return 1;
+ 	}
+ 
+-	if (value_r != NULL)
+-		value = t_str_new(256);
++	value = t_str_new(256);
+ 	smtp_parser_init(&parser, pool_datastack_create(), xtext);
+ 
+-	if ((ret=smtp_parser_parse_xtext(&parser, value)) < 0) {
+-		if (error_r != NULL)
+-			*error_r = parser.error;
++	if (smtp_parser_parse_xtext(&parser, value) < 0) {
++		*error_r = parser.error;
+ 		return -1;
+ 	}
+ 	if (parser.cur < parser.end) {
+@@ -110,8 +110,7 @@ int smtp_xtext_parse(const char *xtext,
+ 	if (value_r != NULL) {
+ 		*value_r = str_c(value);
+ 		if (strlen(*value_r) != str_len(value)) {
+-			if (*error_r != NULL)
+-				*error_r = "Encountered NUL character in xtext";
++			*error_r = "Encountered NUL character in xtext";
+ 			return -1;
+ 		}
+ 	}
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0004-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0004-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0004-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0004-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,99 @@
+From 2eb230c645144f51fbe5de0693e0e0f107cdad2e Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 24 Mar 2020 21:14:34 +0100
+Subject: [PATCH 04/15] lib-smtp: smtp-syntax - Do not allow NULL return
+ parameters for smtp_ehlo_line_parse().
+
+---
+ src/lib-smtp/smtp-syntax.c | 39 +++++++++++++++++----------------------
+ 1 file changed, 17 insertions(+), 22 deletions(-)
+
+diff --git a/src/lib-smtp/smtp-syntax.c b/src/lib-smtp/smtp-syntax.c
+index 0b0a91ce07..5cca6c40fd 100644
+--- a/src/lib-smtp/smtp-syntax.c
++++ b/src/lib-smtp/smtp-syntax.c
+@@ -249,12 +249,10 @@ static int smtp_parse_ehlo_line(struct smtp_parser *parser,
+ 		(i_isalnum(*parser->cur) || *parser->cur == '-'))
+ 		parser->cur++;
+ 
+-	if (key_r != NULL)
+-		*key_r = p_strdup_until(parser->pool, pbegin, parser->cur);
++	*key_r = p_strdup_until(parser->pool, pbegin, parser->cur);
+ 
+ 	if (parser->cur >= parser->end) {
+-		if (params_r != NULL)
+-			*params_r = p_new(parser->pool, const char *, 1);
++		*params_r = p_new(parser->pool, const char *, 1);
+ 		return 1;
+ 	}
+ 	if (*parser->cur != ' ') {
+@@ -264,18 +262,16 @@ static int smtp_parse_ehlo_line(struct smtp_parser *parser,
+ 	parser->cur++;
+ 
+ 	pbegin = parser->cur;
+-	if (params_r != NULL)
+-		p_array_init(&params, parser->pool, 32);
++	p_array_init(&params, parser->pool, 32);
+ 	while (parser->cur < parser->end) {
+ 		if (*parser->cur == ' ') {
+ 			if (parser->cur+1 >= parser->end || *(parser->cur+1) == ' ') {
+ 				parser->error = "Missing EHLO parameter after ' '";
+ 				return -1;
+ 			}
+-			if (params_r != NULL) {
+-				param = p_strdup_until(parser->pool, pbegin, parser->cur);
+-				array_push_back(&params, &param);
+-			}
++			param = p_strdup_until(parser->pool, pbegin,
++					       parser->cur);
++			array_push_back(&params, &param);
+ 			pbegin = parser->cur + 1;
+ 		} else if (!smtp_char_is_ehlo_param(*parser->cur)) {
+ 			parser->error = "Unexpected character in EHLO parameter";
+@@ -284,12 +280,10 @@ static int smtp_parse_ehlo_line(struct smtp_parser *parser,
+ 		parser->cur++;
+ 	}
+ 
+-	if (params_r != NULL) {
+-		param = p_strdup_until(parser->pool, pbegin, parser->cur);
+-		array_push_back(&params, &param);
+-		array_append_zero(&params);
+-		*params_r = array_front(&params);
+-	}
++	param = p_strdup_until(parser->pool, pbegin, parser->cur);
++	array_push_back(&params, &param);
++	array_append_zero(&params);
++	*params_r = array_front(&params);
+ 	return 1;
+ }
+ 
+@@ -297,19 +291,20 @@ int smtp_ehlo_line_parse(const char *ehlo_line, const char **key_r,
+ 	const char *const **params_r, const char **error_r)
+ {
+ 	struct smtp_parser parser;
+-	int ret;
++
++	*key_r = NULL;
++	*params_r = NULL;
++	*error_r = NULL;
+ 
+ 	if (ehlo_line == NULL || *ehlo_line == '\0') {
+-		if (error_r != NULL)
+-			*error_r = "Parameter is empty";
++		*error_r = "Parameter is empty";
+ 		return -1;
+ 	}
+ 
+ 	smtp_parser_init(&parser, pool_datastack_create(), ehlo_line);
+ 
+-	if ((ret=smtp_parse_ehlo_line(&parser, key_r, params_r)) <= 0) {
+-		if (error_r != NULL)
+-			*error_r = parser.error;
++	if (smtp_parse_ehlo_line(&parser, key_r, params_r) <= 0) {
++		*error_r = parser.error;
+ 		return -1;
+ 	}
+ 	return 1;
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0005-lib-smtp-smtp-syntax-Return-0-for-smtp_string_parse-.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0005-lib-smtp-smtp-syntax-Return-0-for-smtp_string_parse-.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0005-lib-smtp-smtp-syntax-Return-0-for-smtp_string_parse-.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0005-lib-smtp-smtp-syntax-Return-0-for-smtp_string_parse-.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,27 @@
+From da2b6b350a76be96545b38376d03e9e7370b55ed Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 24 Mar 2020 22:42:15 +0100
+Subject: [PATCH 05/15] lib-smtp: smtp-syntax - Return 0 for
+ smtp_string_parse() with empty input.
+
+This is what the current users of this function actually expect.
+---
+ src/lib-smtp/smtp-syntax.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib-smtp/smtp-syntax.c b/src/lib-smtp/smtp-syntax.c
+index 5cca6c40fd..cf86f87336 100644
+--- a/src/lib-smtp/smtp-syntax.c
++++ b/src/lib-smtp/smtp-syntax.c
+@@ -23,7 +23,7 @@ int smtp_string_parse(const char *string,
+ 
+ 	if (string == NULL || *string == '\0') {
+ 		*value_r = "";
+-		return 1;
++		return 0;
+ 	}
+ 
+ 	smtp_parser_init(&parser, pool_datastack_create(), string);
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0006-lib-smtp-Add-tests-for-smtp_string_parse-and-smtp_st.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0006-lib-smtp-Add-tests-for-smtp_string_parse-and-smtp_st.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0006-lib-smtp-Add-tests-for-smtp_string_parse-and-smtp_st.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0006-lib-smtp-Add-tests-for-smtp_string_parse-and-smtp_st.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,194 @@
+From 34c15cfdac8656dec2ecab3d20c6942520a4900d Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 24 Mar 2020 22:24:20 +0100
+Subject: [PATCH 06/15] lib-smtp: Add tests for smtp_string_parse() and
+ smtp_string_write().
+
+---
+ src/lib-smtp/Makefile.am        |   5 ++
+ src/lib-smtp/test-smtp-syntax.c | 150 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 155 insertions(+)
+ create mode 100644 src/lib-smtp/test-smtp-syntax.c
+
+diff --git a/src/lib-smtp/Makefile.am b/src/lib-smtp/Makefile.am
+index b03761df8b..d87cd4e6d3 100644
+--- a/src/lib-smtp/Makefile.am
++++ b/src/lib-smtp/Makefile.am
+@@ -72,6 +72,7 @@ pkginc_libdir=$(pkgincludedir)
+ pkginc_lib_HEADERS = $(headers)
+ 
+ test_programs = \
++	test-smtp-syntax \
+ 	test-smtp-address \
+ 	test-smtp-params \
+ 	test-smtp-reply \
+@@ -121,6 +122,10 @@ if BUILD_OPENSSL
+ test_libs_ssl += ../lib-ssl-iostream/libssl_iostream_openssl.la
+ endif
+ 
++test_smtp_syntax_SOURCES = test-smtp-syntax.c
++test_smtp_syntax_LDADD = $(test_libs)
++test_smtp_syntax_DEPENDENCIES = $(test_deps)
++
+ test_smtp_address_SOURCES = test-smtp-address.c
+ test_smtp_address_LDFLAGS = -export-dynamic
+ test_smtp_address_LDADD = $(test_libs)
+diff --git a/src/lib-smtp/test-smtp-syntax.c b/src/lib-smtp/test-smtp-syntax.c
+new file mode 100644
+index 0000000000..735cd01220
+--- /dev/null
++++ b/src/lib-smtp/test-smtp-syntax.c
+@@ -0,0 +1,150 @@
++/* Copyright (c) 2020 Dovecot authors, see the included COPYING file */
++
++#include "lib.h"
++#include "str.h"
++#include "str-sanitize.h"
++#include "test-common.h"
++#include "smtp-syntax.h"
++
++/*
++ * Valid string parse tests
++ */
++
++struct valid_string_parse_test {
++	const char *input, *parsed, *output;
++};
++
++static const struct valid_string_parse_test
++valid_string_parse_tests[] = {
++	{
++		.input = "",
++		.parsed = "",
++	},
++	{
++		.input = "atom",
++		.parsed = "atom",
++	},
++	{
++		.input = "abcdefghijklmnopqrstuvwxyz"
++			 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
++			 "0123456789!#$%&'*+-/=?^_`{|}~",
++		.parsed = "abcdefghijklmnopqrstuvwxyz"
++			  "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
++			  "0123456789!#$%&'*+-/=?^_`{|}~",
++	},
++	{
++		.input = "\"quoted-string\"",
++		.parsed = "quoted-string",
++		.output = "quoted-string",
++	},
++	{
++		.input = "\"quoted \\\"string\\\"\"",
++		.parsed = "quoted \"string\"",
++	},
++	{
++		.input = "\"quoted \\\\string\\\\\"",
++		.parsed = "quoted \\string\\",
++	},
++};
++
++static const unsigned int valid_string_parse_test_count =
++	N_ELEMENTS(valid_string_parse_tests);
++
++static void test_smtp_string_parse_valid(void)
++{
++	unsigned int i;
++
++	for (i = 0; i < valid_string_parse_test_count; i++) T_BEGIN {
++		const struct valid_string_parse_test *test =
++			&valid_string_parse_tests[i];
++		const char *parsed, *error = NULL;
++		int ret;
++
++		ret = smtp_string_parse(test->input, &parsed, &error);
++
++		test_begin(t_strdup_printf("smtp string valid [%d]", i));
++		test_out_reason(t_strdup_printf("parse(\"%s\")", test->input),
++				ret >= 0, error);
++		test_assert(ret != 0 || *test->input == '\0');
++
++		if (!test_has_failed()) {
++			string_t *encoded;
++			const char *output;
++
++			test_out(t_strdup_printf("parsed = \"%s\"", parsed),
++				 null_strcmp(parsed, test->parsed) == 0);
++
++			encoded = t_str_new(255);
++			smtp_string_write(encoded, parsed);
++			output = (test->output == NULL ?
++				  test->input : test->output);
++			test_out(t_strdup_printf("write() = \"%s\"",
++						 str_c(encoded)),
++				 strcmp(str_c(encoded), output) == 0);
++		}
++		test_end();
++	} T_END;
++}
++
++/*
++ * Invalid string parse tests
++ */
++
++struct invalid_string_parse_test {
++	const char *input;
++};
++
++static const struct invalid_string_parse_test
++invalid_string_parse_tests[] = {
++	{
++		.input = " ",
++	},
++	{
++		.input = "\\",
++	},
++	{
++		.input = "\"",
++	},
++	{
++		.input = "\"aa",
++	},
++	{
++		.input = "aa\"",
++	},
++};
++
++static const unsigned int invalid_string_parse_test_count =
++	N_ELEMENTS(invalid_string_parse_tests);
++
++static void test_smtp_string_parse_invalid(void)
++{
++	unsigned int i;
++
++	for (i = 0; i < invalid_string_parse_test_count; i++) T_BEGIN {
++		const struct invalid_string_parse_test *test =
++			&invalid_string_parse_tests[i];
++		const char *parsed, *error;
++		int ret;
++
++		ret = smtp_string_parse(test->input, &parsed, &error);
++
++		test_begin(t_strdup_printf("smtp string invalid [%d]", i));
++		test_out_reason(t_strdup_printf("parse(\"%s\")", test->input),
++				ret < 0, error);
++		test_end();
++	} T_END;
++}
++
++/*
++ * Tests
++ */
++
++int main(void)
++{
++	static void (*test_functions[])(void) = {
++		test_smtp_string_parse_valid,
++		test_smtp_string_parse_invalid,
++		NULL
++	};
++	return test_run(test_functions);
++}
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0007-lib-smtp-test-smtp-server-errors-Add-tests-for-VRFY-.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0007-lib-smtp-test-smtp-server-errors-Add-tests-for-VRFY-.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0007-lib-smtp-test-smtp-server-errors-Add-tests-for-VRFY-.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0007-lib-smtp-test-smtp-server-errors-Add-tests-for-VRFY-.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,343 @@
+From 3376015cd7e1f27650d0133647ccbc4c246b148f Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 24 Mar 2020 22:33:45 +0100
+Subject: [PATCH 07/15] lib-smtp: test-smtp-server-errors - Add tests for VRFY
+ and NOOP commands with invalid parameters.
+
+---
+ src/lib-smtp/test-smtp-server-errors.c | 312 +++++++++++++++++++++++++++++++++
+ 1 file changed, 312 insertions(+)
+
+diff --git a/src/lib-smtp/test-smtp-server-errors.c b/src/lib-smtp/test-smtp-server-errors.c
+index 0870dbbae5..230a5b8d4f 100644
+--- a/src/lib-smtp/test-smtp-server-errors.c
++++ b/src/lib-smtp/test-smtp-server-errors.c
+@@ -1273,6 +1273,316 @@ static void test_bad_rcpt(void)
+ }
+ 
+ /*
++ * Bad VRFY
++ */
++
++/* client */
++
++struct _bad_vrfy_client {
++	struct smtp_reply_parser *parser;
++	unsigned int reply;
++
++	bool replied:1;
++};
++
++static void
++test_bad_vrfy_client_input(struct client_connection *conn)
++{
++	struct _bad_vrfy_client *ctx = conn->context;
++	struct smtp_reply *reply;
++	const char *error;
++	int ret;
++
++	while ((ret = smtp_reply_parse_next(ctx->parser, FALSE,
++					    &reply, &error)) > 0) {
++		if (debug)
++			i_debug("REPLY: %s", smtp_reply_log(reply));
++
++		switch (ctx->reply++) {
++		case 0: /* greeting */
++			i_assert(reply->status == 220);
++			break;
++		case 1: /* bad command reply */
++			switch (client_index) {
++			case 0: case 1: case 2:
++				i_assert(reply->status == 501);
++				break;
++			case 3:
++				i_assert(smtp_reply_is_success(reply));
++				break;
++			default:
++				i_unreached();
++			}
++			ctx->replied = TRUE;
++			io_loop_stop(ioloop);
++			connection_disconnect(&conn->conn);
++			return;
++		default:
++			i_unreached();
++		}
++	}
++
++	i_assert(ret == 0);
++}
++
++static void
++test_bad_vrfy_client_connected(struct client_connection *conn)
++{
++	struct _bad_vrfy_client *ctx;
++
++	ctx = p_new(conn->pool, struct _bad_vrfy_client, 1);
++	ctx->parser = smtp_reply_parser_init(conn->conn.input, (size_t)-1);
++	conn->context = ctx;
++
++	switch (client_index) {
++	case 0:
++		o_stream_nsend_str(conn->conn.output,
++				   "VRFY\r\n");
++		break;
++	case 1:
++		o_stream_nsend_str(conn->conn.output,
++				   "VRFY \"hendrik\r\n");
++		break;
++	case 2:
++		o_stream_nsend_str(conn->conn.output,
++				   "VRFY hen\"drik\r\n");
++		break;
++	case 3:
++		o_stream_nsend_str(conn->conn.output,
++				   "VRFY \"hendrik\"\r\n");
++		break;
++	default:
++		i_unreached();
++	}
++}
++
++static void
++test_bad_vrfy_client_deinit(struct client_connection *conn)
++{
++	struct _bad_vrfy_client *ctx = conn->context;
++
++	i_assert(ctx->replied);
++	smtp_reply_parser_deinit(&ctx->parser);
++}
++
++static void test_client_bad_vrfy(unsigned int index)
++{
++	test_client_input = test_bad_vrfy_client_input;
++	test_client_connected = test_bad_vrfy_client_connected;
++	test_client_deinit = test_bad_vrfy_client_deinit;
++	test_client_run(index);
++}
++
++/* server */
++
++static void
++test_server_bad_vrfy_disconnect(void *context ATTR_UNUSED, const char *reason)
++{
++	if (debug)
++		i_debug("Disconnect: %s", reason);
++}
++
++static int
++test_server_bad_vrfy_rcpt(void *conn_ctx ATTR_UNUSED,
++			  struct smtp_server_cmd_ctx *cmd ATTR_UNUSED,
++			  struct smtp_server_recipient *rcpt ATTR_UNUSED)
++{
++	test_assert(FALSE);
++	return 1;
++}
++
++static int
++test_server_bad_vrfy_data_begin(
++	void *conn_ctx ATTR_UNUSED, struct smtp_server_cmd_ctx *cmd ATTR_UNUSED,
++	struct smtp_server_transaction *trans ATTR_UNUSED,
++	struct istream *data_input ATTR_UNUSED)
++{
++	test_assert(FALSE);
++	return 1;
++}
++
++static void
++test_server_bad_vrfy(const struct smtp_server_settings *server_set)
++{
++	server_callbacks.conn_disconnect = test_server_bad_vrfy_disconnect;
++
++	server_callbacks.conn_cmd_rcpt = test_server_bad_vrfy_rcpt;
++	server_callbacks.conn_cmd_data_begin = test_server_bad_vrfy_data_begin;
++	test_server_run(server_set);
++}
++
++/* test */
++
++static void test_bad_vrfy(void)
++{
++	struct smtp_server_settings smtp_server_set;
++
++	test_server_defaults(&smtp_server_set);
++	smtp_server_set.max_client_idle_time_msecs = 1000;
++
++	test_begin("bad VRFY");
++	test_run_client_server(&smtp_server_set,
++			       test_server_bad_vrfy,
++			       test_client_bad_vrfy, 4);
++	test_end();
++}
++
++/*
++ * Bad NOOP
++ */
++
++/* client */
++
++struct _bad_noop_client {
++	struct smtp_reply_parser *parser;
++	unsigned int reply;
++
++	bool replied:1;
++};
++
++static void
++test_bad_noop_client_input(struct client_connection *conn)
++{
++	struct _bad_noop_client *ctx = conn->context;
++	struct smtp_reply *reply;
++	const char *error;
++	int ret;
++
++	while ((ret = smtp_reply_parse_next(ctx->parser, FALSE,
++					    &reply, &error)) > 0) {
++		if (debug)
++			i_debug("REPLY: %s", smtp_reply_log(reply));
++
++		switch (ctx->reply++) {
++		case 0: /* greeting */
++			i_assert(reply->status == 220);
++			break;
++		case 1: /* bad command reply */
++			switch (client_index) {
++			case 1: case 2:
++				i_assert(reply->status == 501);
++				break;
++			case 0: case 3:
++				i_assert(smtp_reply_is_success(reply));
++				break;
++			default:
++				i_unreached();
++			}
++			ctx->replied = TRUE;
++			io_loop_stop(ioloop);
++			connection_disconnect(&conn->conn);
++			return;
++		default:
++			i_unreached();
++		}
++	}
++
++	i_assert(ret == 0);
++}
++
++static void
++test_bad_noop_client_connected(struct client_connection *conn)
++{
++	struct _bad_noop_client *ctx;
++
++	ctx = p_new(conn->pool, struct _bad_noop_client, 1);
++	ctx->parser = smtp_reply_parser_init(conn->conn.input, (size_t)-1);
++	conn->context = ctx;
++
++	switch (client_index) {
++	case 0:
++		o_stream_nsend_str(conn->conn.output,
++				   "NOOP\r\n");
++		break;
++	case 1:
++		o_stream_nsend_str(conn->conn.output,
++				   "NOOP \"frop\r\n");
++		break;
++	case 2:
++		o_stream_nsend_str(conn->conn.output,
++				   "NOOP fr\"op\r\n");
++		break;
++	case 3:
++		o_stream_nsend_str(conn->conn.output,
++				   "NOOP \"frop\"\r\n");
++		break;
++	default:
++		i_unreached();
++	}
++}
++
++static void
++test_bad_noop_client_deinit(struct client_connection *conn)
++{
++	struct _bad_noop_client *ctx = conn->context;
++
++	i_assert(ctx->replied);
++	smtp_reply_parser_deinit(&ctx->parser);
++}
++
++static void test_client_bad_noop(unsigned int index)
++{
++	test_client_input = test_bad_noop_client_input;
++	test_client_connected = test_bad_noop_client_connected;
++	test_client_deinit = test_bad_noop_client_deinit;
++	test_client_run(index);
++}
++
++/* server */
++
++static void
++test_server_bad_noop_disconnect(void *context ATTR_UNUSED, const char *reason)
++{
++	if (debug)
++		i_debug("Disconnect: %s", reason);
++}
++
++static int
++test_server_bad_noop_rcpt(void *conn_ctx ATTR_UNUSED,
++			  struct smtp_server_cmd_ctx *cmd ATTR_UNUSED,
++			  struct smtp_server_recipient *rcpt ATTR_UNUSED)
++{
++	test_assert(FALSE);
++	return 1;
++}
++
++static int
++test_server_bad_noop_data_begin(
++	void *conn_ctx ATTR_UNUSED, struct smtp_server_cmd_ctx *cmd ATTR_UNUSED,
++	struct smtp_server_transaction *trans ATTR_UNUSED,
++	struct istream *data_input ATTR_UNUSED)
++{
++	test_assert(FALSE);
++	return 1;
++}
++
++static void
++test_server_bad_noop(const struct smtp_server_settings *server_set)
++{
++	server_callbacks.conn_disconnect = test_server_bad_noop_disconnect;
++
++	server_callbacks.conn_cmd_rcpt = test_server_bad_noop_rcpt;
++	server_callbacks.conn_cmd_data_begin = test_server_bad_noop_data_begin;
++	test_server_run(server_set);
++}
++
++/* test */
++
++static void test_bad_noop(void)
++{
++	struct smtp_server_settings smtp_server_set;
++
++	test_server_defaults(&smtp_server_set);
++	smtp_server_set.max_client_idle_time_msecs = 1000;
++
++	test_begin("bad NOOP");
++	test_run_client_server(&smtp_server_set,
++			       test_server_bad_noop,
++			       test_client_bad_noop, 4);
++	test_end();
++}
++
++/*
+  * MAIL workarounds
+  */
+ 
+@@ -2027,6 +2337,8 @@ static void (*const test_functions[])(void) = {
+ 	test_bad_ehlo,
+ 	test_bad_mail,
+ 	test_bad_rcpt,
++	test_bad_vrfy,
++	test_bad_noop,
+ 	test_mail_workarounds,
+ 	test_rcpt_workarounds,
+ 	test_too_many_recipients,
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0008-lib-smtp-smtp-server-command-Guarantee-that-non-dest.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0008-lib-smtp-smtp-server-command-Guarantee-that-non-dest.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0008-lib-smtp-smtp-server-command-Guarantee-that-non-dest.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0008-lib-smtp-smtp-server-command-Guarantee-that-non-dest.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,30 @@
+From f83a35b2f3c155f9c455e07dac4a5b9ff40c946e Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 24 Mar 2020 12:13:43 +0100
+Subject: [PATCH 08/15] lib-smtp: smtp-server-command - Guarantee that
+ non-destroy hooks aren't called for an ended command.
+
+---
+ src/lib-smtp/smtp-server-command.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib-smtp/smtp-server-command.c b/src/lib-smtp/smtp-server-command.c
+index 79fbe12631..5be4540ca5 100644
+--- a/src/lib-smtp/smtp-server-command.c
++++ b/src/lib-smtp/smtp-server-command.c
+@@ -388,8 +388,11 @@ bool smtp_server_command_call_hooks(struct smtp_server_command **_cmd,
+ 	struct smtp_server_command *cmd = *_cmd;
+ 	struct smtp_server_command_hook *hook;
+ 
+-	if (type != SMTP_SERVER_COMMAND_HOOK_DESTROY)
++	if (type != SMTP_SERVER_COMMAND_HOOK_DESTROY) {
++		if (cmd->state >= SMTP_SERVER_COMMAND_STATE_FINISHED)
++			return FALSE;
+ 		smtp_server_command_ref(cmd);
++	}
+ 
+ 	hook = cmd->hooks_head;
+ 	while (hook != NULL) {
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0009-lib-smtp-smtp-server-command-Assign-cmd-reg-immediat.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0009-lib-smtp-smtp-server-command-Assign-cmd-reg-immediat.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0009-lib-smtp-smtp-server-command-Assign-cmd-reg-immediat.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0009-lib-smtp-smtp-server-command-Assign-cmd-reg-immediat.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,71 @@
+From 10e74e44400285b77e22d385dde6af8c335d19e3 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 17 Mar 2020 11:58:52 +0100
+Subject: [PATCH 09/15] lib-smtp: smtp-server-command - Assign cmd->reg
+ immediately.
+
+---
+ src/lib-smtp/smtp-server-command.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib-smtp/smtp-server-command.c b/src/lib-smtp/smtp-server-command.c
+index 5be4540ca5..6628c34464 100644
+--- a/src/lib-smtp/smtp-server-command.c
++++ b/src/lib-smtp/smtp-server-command.c
+@@ -182,11 +182,12 @@ smtp_server_command_new(struct smtp_server_connection *conn,
+ 			const char *name, const char *params)
+ {
+ 	struct smtp_server *server = conn->server;
+-	const struct smtp_server_command_reg *cmd_reg;
+ 	struct smtp_server_command *cmd;
+ 
+ 	cmd = smtp_server_command_alloc(conn);
+ 	cmd->context.name = p_strdup(cmd->context.pool, name);
++	cmd->reg = smtp_server_command_find(server, name);
++
+ 	smtp_server_command_update_event(cmd);
+ 
+ 	struct event_passthrough *e =
+@@ -194,7 +195,7 @@ smtp_server_command_new(struct smtp_server_connection *conn,
+ 		set_name("smtp_server_command_started");
+ 	e_debug(e->event(), "New command");
+ 
+-	if ((cmd_reg=smtp_server_command_find(server, name)) == NULL) {
++	if (cmd->reg == NULL) {
+ 		/* RFC 5321, Section 4.2.4: Reply Code 502
+ 
+ 		   Questions have been raised as to when reply code 502 (Command
+@@ -207,7 +208,7 @@ smtp_server_command_new(struct smtp_server_connection *conn,
+ 			500, "5.5.1", "Unknown command");
+ 
+ 	} else if (!conn->ssl_secured && conn->set.tls_required &&
+-		(cmd_reg->flags & SMTP_SERVER_CMD_FLAG_PRETLS) == 0) {
++		   (cmd->reg->flags & SMTP_SERVER_CMD_FLAG_PRETLS) == 0) {
+ 		/* RFC 3207, Section 4:
+ 
+ 		   A SMTP server that is not publicly referenced may choose to
+@@ -226,7 +227,7 @@ smtp_server_command_new(struct smtp_server_connection *conn,
+ 			530, "5.7.0", "TLS required.");
+ 
+ 	} else if (!conn->authenticated && !conn->set.auth_optional &&
+-		(cmd_reg->flags & SMTP_SERVER_CMD_FLAG_PREAUTH) == 0) {
++		   (cmd->reg->flags & SMTP_SERVER_CMD_FLAG_PREAUTH) == 0) {
+ 		/* RFC 4954, Section 6: Status Codes
+ 
+ 		   530 5.7.0  Authentication required
+@@ -242,10 +243,9 @@ smtp_server_command_new(struct smtp_server_connection *conn,
+ 	} else {
+ 		struct smtp_server_command *tmp_cmd = cmd;
+ 
+-		i_assert(cmd_reg->func != NULL);
++		i_assert(cmd->reg->func != NULL);
+ 		smtp_server_command_ref(tmp_cmd);
+-		tmp_cmd->reg = cmd_reg;
+-		cmd_reg->func(&tmp_cmd->context, params);
++		cmd->reg->func(&tmp_cmd->context, params);
+ 		if (tmp_cmd->state == SMTP_SERVER_COMMAND_STATE_NEW)
+ 			tmp_cmd->state = SMTP_SERVER_COMMAND_STATE_PROCESSING;
+ 		if (!smtp_server_command_unref(&tmp_cmd))
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0010-lib-smtp-smtp-server-command-Perform-initial-command.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0010-lib-smtp-smtp-server-command-Perform-initial-command.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0010-lib-smtp-smtp-server-command-Perform-initial-command.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0010-lib-smtp-smtp-server-command-Perform-initial-command.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,83 @@
+From 451f4611a30ce46bba93cc56dc3aa266281ecad2 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 24 Mar 2020 12:23:32 +0100
+Subject: [PATCH 10/15] lib-smtp: smtp-server-command - Perform initial command
+ execution in separate function.
+
+---
+ src/lib-smtp/smtp-server-command.c    | 11 +++++++++--
+ src/lib-smtp/smtp-server-connection.c |  3 ++-
+ src/lib-smtp/smtp-server-private.h    |  7 +++++--
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib-smtp/smtp-server-command.c b/src/lib-smtp/smtp-server-command.c
+index 6628c34464..34fd890301 100644
+--- a/src/lib-smtp/smtp-server-command.c
++++ b/src/lib-smtp/smtp-server-command.c
+@@ -179,7 +179,7 @@ smtp_server_command_new_invalid(struct smtp_server_connection *conn)
+ 
+ struct smtp_server_command *
+ smtp_server_command_new(struct smtp_server_connection *conn,
+-			const char *name, const char *params)
++			const char *name)
+ {
+ 	struct smtp_server *server = conn->server;
+ 	struct smtp_server_command *cmd;
+@@ -195,6 +195,14 @@ smtp_server_command_new(struct smtp_server_connection *conn,
+ 		set_name("smtp_server_command_started");
+ 	e_debug(e->event(), "New command");
+ 
++	return cmd;
++}
++
++void smtp_server_command_execute(struct smtp_server_command *cmd,
++				 const char *params)
++{
++	struct smtp_server_connection *conn = cmd->context.conn;
++
+ 	if (cmd->reg == NULL) {
+ 		/* RFC 5321, Section 4.2.4: Reply Code 502
+ 
+@@ -251,7 +259,6 @@ smtp_server_command_new(struct smtp_server_connection *conn,
+ 		if (!smtp_server_command_unref(&tmp_cmd))
+ 			cmd = NULL;
+ 	}
+-	return cmd;
+ }
+ 
+ void smtp_server_command_ref(struct smtp_server_command *cmd)
+diff --git a/src/lib-smtp/smtp-server-connection.c b/src/lib-smtp/smtp-server-connection.c
+index 476f94ad7f..e3747a7fb2 100644
+--- a/src/lib-smtp/smtp-server-connection.c
++++ b/src/lib-smtp/smtp-server-connection.c
+@@ -295,7 +295,8 @@ smtp_server_connection_handle_command(struct smtp_server_connection *conn,
+ 	struct smtp_server_command *cmd;
+ 
+ 	smtp_server_connection_ref(tmp_conn);
+-	cmd = smtp_server_command_new(tmp_conn, cmd_name, cmd_params);
++	cmd = smtp_server_command_new(tmp_conn, cmd_name);
++	smtp_server_command_execute(cmd, cmd_params);
+ 	if (!smtp_server_connection_unref(&tmp_conn)) {
+ 		/* the command start callback managed to get this connection
+ 		   destroyed */
+diff --git a/src/lib-smtp/smtp-server-private.h b/src/lib-smtp/smtp-server-private.h
+index 9748b0042b..2d767f0498 100644
+--- a/src/lib-smtp/smtp-server-private.h
++++ b/src/lib-smtp/smtp-server-private.h
+@@ -241,8 +241,11 @@ void smtp_server_command_debug(struct smtp_server_cmd_ctx *cmd,
+ struct smtp_server_command *
+ smtp_server_command_new_invalid(struct smtp_server_connection *conn);
+ struct smtp_server_command *
+-smtp_server_command_new(struct smtp_server_connection *conn,
+-	const char *name, const char *params);
++smtp_server_command_new(struct smtp_server_connection *conn, const char *name);
++
++void smtp_server_command_execute(struct smtp_server_command *cmd,
++				 const char *params);
++
+ void smtp_server_command_ref(struct smtp_server_command *cmd);
+ bool smtp_server_command_unref(struct smtp_server_command **_cmd);
+ void smtp_server_command_abort(struct smtp_server_command **_cmd);
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0011-lib-smtp-smtp-server-connection-Hold-a-command-refer.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0011-lib-smtp-smtp-server-connection-Hold-a-command-refer.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0011-lib-smtp-smtp-server-connection-Hold-a-command-refer.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0011-lib-smtp-smtp-server-connection-Hold-a-command-refer.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,51 @@
+From 221e30ff27af6773616f5d5927968e03203e988f Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 24 Mar 2020 12:25:03 +0100
+Subject: [PATCH 11/15] lib-smtp: smtp-server-connection - Hold a command
+ reference while executing a command.
+
+This fixes a use-after-free problem at the end of
+smtp_server_connection_handle_command().
+---
+ src/lib-smtp/smtp-server-connection.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib-smtp/smtp-server-connection.c b/src/lib-smtp/smtp-server-connection.c
+index e3747a7fb2..0ab240d49f 100644
+--- a/src/lib-smtp/smtp-server-connection.c
++++ b/src/lib-smtp/smtp-server-connection.c
+@@ -293,21 +293,28 @@ smtp_server_connection_handle_command(struct smtp_server_connection *conn,
+ {
+ 	struct smtp_server_connection *tmp_conn = conn;
+ 	struct smtp_server_command *cmd;
++	bool finished;
+ 
+-	smtp_server_connection_ref(tmp_conn);
+ 	cmd = smtp_server_command_new(tmp_conn, cmd_name);
++
++	smtp_server_command_ref(cmd);
++
++	smtp_server_connection_ref(tmp_conn);
+ 	smtp_server_command_execute(cmd, cmd_params);
+ 	if (!smtp_server_connection_unref(&tmp_conn)) {
+ 		/* the command start callback managed to get this connection
+ 		   destroyed */
++		smtp_server_command_unref(&cmd);
+ 		return FALSE;
+ 	}
+ 
+-	if (cmd != NULL && conn->command_queue_head == cmd)
++	if (conn->command_queue_head == cmd)
+ 		(void)smtp_server_command_next_to_reply(&cmd);
+ 
+ 	smtp_server_connection_timeout_update(conn);
+-	return (cmd == NULL || !cmd->input_locked);
++
++	finished = !cmd->input_locked;
++	return (!smtp_server_command_unref(&cmd) || finished);
+ }
+ 
+ static int
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0012-lib-smtp-test-smtp-server-errors-Add-tests-for-large.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0012-lib-smtp-test-smtp-server-errors-Add-tests-for-large.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0012-lib-smtp-test-smtp-server-errors-Add-tests-for-large.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0012-lib-smtp-test-smtp-server-errors-Add-tests-for-large.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,200 @@
+From b98e9300043fbdd19f7370a9ce9724870484233e Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 24 Mar 2020 12:59:15 +0100
+Subject: [PATCH 12/15] lib-smtp: test-smtp-server-errors - Add tests for large
+ series of empty and bad commands.
+
+---
+ src/lib-smtp/test-smtp-server-errors.c | 169 +++++++++++++++++++++++++++++++++
+ 1 file changed, 169 insertions(+)
+
+diff --git a/src/lib-smtp/test-smtp-server-errors.c b/src/lib-smtp/test-smtp-server-errors.c
+index 230a5b8d4f..ae04e4cb12 100644
+--- a/src/lib-smtp/test-smtp-server-errors.c
++++ b/src/lib-smtp/test-smtp-server-errors.c
+@@ -573,6 +573,174 @@ static void test_bad_command(void)
+ }
+ 
+ /*
++ * Many bad commands
++ */
++
++/* client */
++
++struct _many_bad_commands_client {
++	struct smtp_reply_parser *parser;
++	unsigned int reply;
++	bool replied:1;
++};
++
++static void
++test_many_bad_commands_client_input(struct client_connection *conn)
++{
++	struct _many_bad_commands_client *ctx = conn->context;
++	struct smtp_reply *reply;
++	const char *error;
++	int ret;
++
++	while ((ret=smtp_reply_parse_next(ctx->parser, FALSE,
++					  &reply, &error)) > 0) {
++		if (debug)
++			i_debug("REPLY: %s", smtp_reply_log(reply));
++
++		switch (ctx->reply++) {
++		/* greeting */
++		case 0:
++			i_assert(reply->status == 220);
++			break;
++		/* bad command reply */
++		case 1: case 2: case 3: case 4: case 5:
++		case 6: case 7: case 8: case 9: case 10:
++			i_assert(reply->status == 500);
++			break;
++		case 11:
++			i_assert(reply->status == 421);
++			ctx->replied = TRUE;
++			io_loop_stop(ioloop);
++			connection_disconnect(&conn->conn);
++			return;
++		default:
++			i_unreached();
++		}
++	}
++
++	i_assert(ret >= 0);
++}
++
++static void
++test_many_bad_commands_client_connected(struct client_connection *conn)
++{
++	struct _many_bad_commands_client *ctx;
++
++	ctx = p_new(conn->pool, struct _many_bad_commands_client, 1);
++	ctx->parser = smtp_reply_parser_init(conn->conn.input, (size_t)-1);
++	conn->context = ctx;
++
++	switch (client_index) {
++	case 0:
++		o_stream_nsend_str(conn->conn.output,
++				   "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n");
++		break;
++	case 1:
++		o_stream_nsend_str(conn->conn.output,
++				   "a\r\nb\r\nc\r\nd\r\ne\r\nf\r\ng\r\nh\r\n"
++				   "i\r\nj\r\nk\r\nl\r\nm\r\nn\r\no\r\np\r\n");
++		break;
++	default:
++		i_unreached();
++	}
++}
++
++static void
++test_many_bad_commands_client_deinit(struct client_connection *conn)
++{
++	struct _many_bad_commands_client *ctx = conn->context;
++
++	i_assert(ctx->replied);
++	smtp_reply_parser_deinit(&ctx->parser);
++}
++
++static void test_client_many_bad_commands(unsigned int index)
++{
++	test_client_input = test_many_bad_commands_client_input;
++	test_client_connected = test_many_bad_commands_client_connected;
++	test_client_deinit = test_many_bad_commands_client_deinit;
++	test_client_run(index);
++}
++
++/* server */
++
++struct _many_bad_commands {
++	struct istream *payload_input;
++	struct io *io;
++
++	bool serviced:1;
++};
++
++static void
++test_server_many_bad_commands_disconnect(void *context ATTR_UNUSED,
++					   const char *reason)
++{
++	if (debug)
++		i_debug("Disconnect: %s", reason);
++	io_loop_stop(ioloop);
++}
++
++static int
++test_server_many_bad_commands_helo(
++	void *conn_ctx ATTR_UNUSED, struct smtp_server_cmd_ctx *cmd ATTR_UNUSED,
++	struct smtp_server_cmd_helo *data ATTR_UNUSED)
++{
++	test_assert(FALSE);
++	return 1;
++}
++
++static int
++test_server_many_bad_commands_rcpt(
++	void *conn_ctx ATTR_UNUSED, struct smtp_server_cmd_ctx *cmd ATTR_UNUSED,
++	struct smtp_server_recipient *rcpt ATTR_UNUSED)
++{
++	test_assert(FALSE);
++	return 1;
++}
++
++static int
++test_server_many_bad_commands_data_begin(
++	void *conn_ctx ATTR_UNUSED, struct smtp_server_cmd_ctx *cmd ATTR_UNUSED,
++	struct smtp_server_transaction *trans ATTR_UNUSED,
++	struct istream *data_input ATTR_UNUSED)
++{
++	test_assert(FALSE);
++	return 1;
++}
++
++static void test_server_many_bad_commands
++(const struct smtp_server_settings *server_set)
++{
++	server_callbacks.conn_disconnect =
++		test_server_many_bad_commands_disconnect;
++
++	server_callbacks.conn_cmd_helo =
++		test_server_many_bad_commands_helo;
++	server_callbacks.conn_cmd_rcpt =
++		test_server_many_bad_commands_rcpt;
++	server_callbacks.conn_cmd_data_begin =
++		test_server_many_bad_commands_data_begin;
++	test_server_run(server_set);
++}
++
++/* test */
++
++static void test_many_bad_commands(void)
++{
++	struct smtp_server_settings smtp_server_set;
++
++	test_server_defaults(&smtp_server_set);
++	smtp_server_set.max_client_idle_time_msecs = 1000;
++	smtp_server_set.max_bad_commands = 10;
++
++	test_begin("many bad commands");
++	test_run_client_server(&smtp_server_set,
++		test_server_many_bad_commands,
++		test_client_many_bad_commands, 2);
++	test_end();
++}
++
++/*
+  * Long command
+  */
+ 
+@@ -2332,6 +2500,7 @@ static void (*const test_functions[])(void) = {
+ 	test_slow_client,
+ 	test_hanging_command_payload,
+ 	test_bad_command,
++	test_many_bad_commands,
+ 	test_long_command,
+ 	test_big_data,
+ 	test_bad_ehlo,
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0013-lib-smtp-smtp-address-Don-t-return-NULL-from-smtp_ad.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0013-lib-smtp-smtp-address-Don-t-return-NULL-from-smtp_ad.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0013-lib-smtp-smtp-address-Don-t-return-NULL-from-smtp_ad.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0013-lib-smtp-smtp-address-Don-t-return-NULL-from-smtp_ad.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,64 @@
+From c4c91c531e2232d9bcae847bd5576736d44cde93 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Sun, 22 Mar 2020 18:14:44 +0100
+Subject: [PATCH 13/15] lib-smtp: smtp-address - Don't return NULL from
+ smtp_address_clone*() unless the input is NULL.
+
+---
+ src/lib-smtp/smtp-address.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib-smtp/smtp-address.c b/src/lib-smtp/smtp-address.c
+index bb31d34a67..c55e1a432b 100644
+--- a/src/lib-smtp/smtp-address.c
++++ b/src/lib-smtp/smtp-address.c
+@@ -617,17 +617,19 @@ struct smtp_address *
+ smtp_address_clone(pool_t pool, const struct smtp_address *src)
+ {
+ 	struct smtp_address *new;
+-	size_t size, lpsize, dsize = 0;
+-	char *data, *localpart, *domain = NULL;
++	size_t size, lpsize = 0, dsize = 0;
++	char *data, *localpart = NULL, *domain = NULL;
+ 
+-	if (smtp_address_isnull(src))
++	if (src == NULL)
+ 		return NULL;
+ 
+ 	/* @UNSAFE */
+ 
+ 	size = sizeof(struct smtp_address);
+-	lpsize = strlen(src->localpart) + 1;
+-	size = MALLOC_ADD(size, lpsize);
++	if (!smtp_address_isnull(src)) {
++		lpsize = strlen(src->localpart) + 1;
++		size = MALLOC_ADD(size, lpsize);
++	}
+ 	if (src->domain != NULL) {
+ 		dsize = strlen(src->domain) + 1;
+ 		size = MALLOC_ADD(size, dsize);
+@@ -635,8 +637,10 @@ smtp_address_clone(pool_t pool, const struct smtp_address *src)
+ 
+ 	data = p_malloc(pool, size);
+ 	new = (struct smtp_address *)data;
+-	localpart = PTR_OFFSET(data, sizeof(*new));
+-	memcpy(localpart, src->localpart, lpsize);
++	if (lpsize > 0) {
++		localpart = PTR_OFFSET(data, sizeof(*new));
++		memcpy(localpart, src->localpart, lpsize);
++	}
+ 	if (dsize > 0) {
+ 		domain = PTR_OFFSET(data, sizeof(*new) + lpsize);
+ 		memcpy(domain, src->domain, dsize);
+@@ -677,7 +681,7 @@ smtp_address_clone_temp(const struct smtp_address *src)
+ {
+ 	struct smtp_address *new;
+ 
+-	if (smtp_address_isnull(src))
++	if (src == NULL)
+ 		return NULL;
+ 
+ 	new = t_new(struct smtp_address, 1);
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0014-lib-smtp-smtp-address-Don-t-recognize-an-address-wit.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0014-lib-smtp-smtp-address-Don-t-recognize-an-address-wit.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0014-lib-smtp-smtp-address-Don-t-recognize-an-address-wit.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0014-lib-smtp-smtp-address-Don-t-recognize-an-address-wit.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,29 @@
+From ef7d67e2185323080bfcf79362fdb238db3eddd5 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Fri, 20 Mar 2020 13:35:19 +0100
+Subject: [PATCH 14/15] lib-smtp: smtp-address - Don't recognize an address
+ with empty localpart as <>.
+
+Depending on context, the addresses <""@domain.tld> and <""> are potentially
+valid non-null addresses.
+---
+ src/lib-smtp/smtp-address.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/lib-smtp/smtp-address.h b/src/lib-smtp/smtp-address.h
+index 2556e4feab..6d8ccde52d 100644
+--- a/src/lib-smtp/smtp-address.h
++++ b/src/lib-smtp/smtp-address.h
+@@ -122,8 +122,7 @@ smtp_address_equals(const struct smtp_address *address1,
+ static inline bool ATTR_NULL(1) ATTR_PURE
+ smtp_address_isnull(const struct smtp_address *address)
+ {
+-	return (address == NULL || address->localpart == NULL ||
+-		*address->localpart == '\0');
++	return (address == NULL || address->localpart == NULL);
+ }
+ 
+ #endif
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0015-lmtp-lmtp-commands-Explicity-prohibit-empty-RCPT-pat.patch dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0015-lmtp-lmtp-commands-Explicity-prohibit-empty-RCPT-pat.patch
--- dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0015-lmtp-lmtp-commands-Explicity-prohibit-empty-RCPT-pat.patch	1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/CVE-2020-109xx/0015-lmtp-lmtp-commands-Explicity-prohibit-empty-RCPT-pat.patch	2020-05-13 13:28:03.000000000 +0000
@@ -0,0 +1,37 @@
+From 08f551b0e740d27bf766a3fd362ac3cb556fb0e4 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Fri, 20 Mar 2020 13:38:41 +0100
+Subject: [PATCH 15/15] lmtp: lmtp-commands - Explicity prohibit empty RCPT
+ path.
+
+The empty path <""> will yield an empty username.
+---
+ src/lmtp/lmtp-commands.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lmtp/lmtp-commands.c b/src/lmtp/lmtp-commands.c
+index f45bffd93b..568af520fa 100644
+--- a/src/lmtp/lmtp-commands.c
++++ b/src/lmtp/lmtp-commands.c
+@@ -66,10 +66,18 @@ int client_default_cmd_rcpt(struct client *client,
+ 	char delim = '\0';
+ 	int ret;
+ 
++	i_assert(!smtp_address_isnull(rcpt->path));
++	if (*rcpt->path->localpart == '\0' && rcpt->path->domain == NULL) {
++		smtp_server_reply(cmd, 550, "5.1.1", "<%s> "
++				  "Unacceptable TO: Empty path not allowed",
++				  smtp_address_encode(rcpt->path));
++		return -1;
++	}
+ 
+ 	smtp_address_detail_parse_temp(
+ 		client->unexpanded_lda_set->recipient_delimiter,
+ 		rcpt->path, &username, &delim, &detail);
++	i_assert(*username != '\0');
+ 
+ 	/* Make user name and detail available in the recipient event. The
+ 	   mail_user event (for local delivery) also adds the user field, but
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.7.2/debian/patches/series dovecot-2.3.7.2/debian/patches/series
--- dovecot-2.3.7.2/debian/patches/series	2019-11-14 02:50:44.000000000 +0000
+++ dovecot-2.3.7.2/debian/patches/series	2020-05-13 13:28:35.000000000 +0000
@@ -8,3 +8,18 @@
 dovecot_name.patch
 ssl-dh-params-location.patch
 debian-changes
+CVE-2020-109xx/0001-lib-smtp-smtp-server-cmd-vrfy-Restructure-parameter-.patch
+CVE-2020-109xx/0002-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch
+CVE-2020-109xx/0003-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch
+CVE-2020-109xx/0004-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch
+CVE-2020-109xx/0005-lib-smtp-smtp-syntax-Return-0-for-smtp_string_parse-.patch
+CVE-2020-109xx/0006-lib-smtp-Add-tests-for-smtp_string_parse-and-smtp_st.patch
+CVE-2020-109xx/0007-lib-smtp-test-smtp-server-errors-Add-tests-for-VRFY-.patch
+CVE-2020-109xx/0008-lib-smtp-smtp-server-command-Guarantee-that-non-dest.patch
+CVE-2020-109xx/0009-lib-smtp-smtp-server-command-Assign-cmd-reg-immediat.patch
+CVE-2020-109xx/0010-lib-smtp-smtp-server-command-Perform-initial-command.patch
+CVE-2020-109xx/0011-lib-smtp-smtp-server-connection-Hold-a-command-refer.patch
+CVE-2020-109xx/0012-lib-smtp-test-smtp-server-errors-Add-tests-for-large.patch
+CVE-2020-109xx/0013-lib-smtp-smtp-address-Don-t-return-NULL-from-smtp_ad.patch
+CVE-2020-109xx/0014-lib-smtp-smtp-address-Don-t-recognize-an-address-wit.patch
+CVE-2020-109xx/0015-lmtp-lmtp-commands-Explicity-prohibit-empty-RCPT-pat.patch