
Re: Upload request: chasquid 1.13-1



Hi,

On Sun, Jan 21, 2024 at 09:55:36PM +0100, Salvatore Bonaccorso wrote:
> Hi Alberto, hi Nilesh,
> 
> On Sun, Jan 21, 2024 at 05:03:42PM +0000, Alberto Bertogli wrote:
> > On Sun, Jan 21, 2024 at 09:38:29PM +0530, Nilesh Patra wrote:
> > > On Sun, Jan 21, 2024 at 03:37:11PM +0000, Alberto Bertogli wrote:
> > > > There are 3 patches in this release: patches 1 and 2 are minor (but
> > > > important) adjustments to tests, so that patch 3 that contains the fix can
> > > > be tested at all.
> > > > 
> > > > Applying just patch 3 would be nominally "minimal", but also fail
> > > > tests.
> > > > 
> > > > I would argue this is the minimal set of patches to fix the security
> > > > release.
> > > > 
> > > > That said, of course that is subjective, other alternative patches could be
> > > > done instead; and I'm sure there's a lot of Debian-specific criteria,
> > > > history, and processes that can be applied to make these decisions, which I
> > > > lack.
> > > > 
> > > > So I think at this point I rather leave this stable update to the Debian
> > > > experts (which I am definitely not :).
> > > > 
> > > > The patches are there, and please if you have any questions I can help with
> > > > as upstream capacity, just let me know!
> > > 
> > > As far as I understood and looked, there are just 3 patches in this update which
> > > seem to be needed to fix the SMTP smuggling vulnerability, right?
> > 
> > That is correct.
> > 
> > I (upstream) made version 1.11.1 by cherry-picking 3 patches (from 1.13) on
> > top of 1.11:
> > 
> > - Patch #1: test: Verify mailbox delivery in minor dialogs test
> >   https://salsa.debian.org/go-team/packages/chasquid/-/commit/7fe1d04f01c0e49f3e37cfe8d9823d86b6f33b04
> > - Patch #2: test: Make mail_diff more strict
> >   https://salsa.debian.org/go-team/packages/chasquid/-/commit/5c4d2f980859e7e42b4da2bea19b04bb79eedd54
> > - Patch #3: smtpsrv: Strict CRLF enforcement in DATA contents
> >   https://salsa.debian.org/go-team/packages/chasquid/-/commit/e95808d249f900a90eeb0916773ce6ed55632801
> > 
> > Patches #1 and #2 change only tests and testing infrastructure, so that the
> > patch #3 (which fixes the security vulnerability) can have tests to confirm
> > it works.
> > 
> > Those commits in Salsa come directly from upstream's 1.11.1, you can confirm
> > that the commit id is the same:
> > https://github.com/albertito/chasquid/commits/v1.11.1/
> > 
> > This is what I consider a "reasonable minimum" set of changes to fix the
> > vulnerability. Any less would mean failing or reduced tests for the fixes,
> > which I don't think that is a good tradeoff.
> > 
> > I hope this explanation helps!
> > 
> > 
> > > Seems I got a few things mixed up and maybe offered wrong advice in my previous
> > > email -- sorry!
> > 
> > No worries! These things get confusing :S
> > 
> > 
> > > I've CC'ed security team as per the documented procedure[1], and will wait for their
> > > reply on this matter, and we can take it forward for stable uploads from there.
> > > 
> > > [1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security
> > 
> > Thank you, please let me know if there are any other questions or
> > clarification needed!
> 
> Thanks for the details. Can you fix this issue in the upcoming point
> releases? They are planned to be announced for the beginning of
> February.
> 
> As there seems to be no CVE assigned for the issue in chasquid, I have
> requested one from MITRE.

There is a CVE: CVE-2023-52354.

Regards,
Salvatore
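As an added illustration of what the "strict CRLF enforcement in DATA contents" in patch #3 is about (this is example code written for this page, not chasquid's own code and not from the thread): a Go check that refuses DATA contents containing a bare LF or bare CR, so that only a genuine <CRLF>.<CRLF> sequence can terminate the message. The function names are hypothetical, and the sample messages are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ErrBareLF and ErrBareCR report line endings that are not a full CRLF pair.
var (
	ErrBareLF = errors.New("bare LF in DATA contents")
	ErrBareCR = errors.New("bare CR in DATA contents")
)

// checkStrictCRLF rejects DATA contents that contain a LF not preceded by CR,
// or a CR not followed by LF. Hypothetical helper, not chasquid's code.
func checkStrictCRLF(data []byte) error {
	for i := 0; i < len(data); i++ {
		switch data[i] {
		case '\n':
			if i == 0 || data[i-1] != '\r' {
				return ErrBareLF
			}
		case '\r':
			if i+1 >= len(data) || data[i+1] != '\n' {
				return ErrBareCR
			}
		}
	}
	return nil
}

// endsDataStrict reports whether buf terminates with the only valid
// end-of-data marker, "<CRLF>.<CRLF>". Once checkStrictCRLF has been applied,
// a terminator written with bare LF or bare CR can never be accepted here.
func endsDataStrict(buf []byte) bool {
	return bytes.HasSuffix(buf, []byte("\r\n.\r\n"))
}

func main() {
	// Constructed samples: a well-formed message, and one whose lines end in
	// bare LF, which a strict server refuses instead of guessing at.
	good := []byte("Subject: hi\r\n\r\nbody\r\n.\r\n")
	bareLF := []byte("Subject: hi\n\nbody\n.\n")
	fmt.Println(checkStrictCRLF(good), endsDataStrict(good)) // <nil> true
	fmt.Println(checkStrictCRLF(bareLF))                     // bare LF in DATA contents
}
```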
