[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#914632: RFC: proposed fix for CVE-2018-19518 in uw-imap



söndag 30 december 2018 kl. 09:38:57 CET skrev  Salvatore Bonaccorso:
> There is an alternative approach wich was raised by Magnus in the
> respective bug: https://bugs.debian.org/914632#12 (and see followup
> from Moritz).

So, is it OK to upload this (assuming there's no code out there that actually 
uses SET_RSHPATH or SET_SSHPATH)?

(By no longer defining RSHPATH, rshpath doesn't get set by the following code 
and tcp_aopen() will return NIL without doing anything.

#ifdef RSHPATH			/* rsh path defined yet? */
  if (!rshpath) rshpath = cpystr (RSHPATH);
#endif

)

-- 
Magnus Holmgren        holmgren@debian.org
Debian Developer 
commit e644cfbd0aac25ef320912e58e0d37cb715b2b88
Author: Magnus Holmgren <magnus@kibibyte.se>
Date:   Sun Jan 13 21:07:41 2019 +0100

    [CVE-2018-19518] 2013_disable_rsh.patch (new): Disable access to IMAP mailboxes through running imapd over rsh (Closes: #914632).

diff --git a/debian/changelog b/debian/changelog
index b6960d1..cc7b885 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+uw-imap (8:2007f~dfsg-5+deb9u1) stretch-security; urgency=high
+
+  * [CVE-2018-19518] 2013_disable_rsh.patch (new): Disable access to IMAP
+    mailboxes through running imapd over rsh, and therefore ssh (Closes:
+    #914632). Code using the library can enable it with tcp_parameters()
+    after making sure that the IMAP server name is sanitized.
+
+ -- Magnus Holmgren <holmgren@debian.org>  Sun, 24 Feb 2019 19:45:23 +0100
+
 uw-imap (8:2007f~dfsg-5) unstable; urgency=low
 
   * 1006_openssl1.1_autoverify.patch (new): Use new features for
diff --git a/debian/patches/2013_disable_rsh.patch b/debian/patches/2013_disable_rsh.patch
new file mode 100644
index 0000000..7a68644
--- /dev/null
+++ b/debian/patches/2013_disable_rsh.patch
@@ -0,0 +1,11 @@
+--- a/src/osdep/unix/Makefile
++++ b/src/osdep/unix/Makefile
+@@ -985,7 +985,7 @@ onceenv:
+ 	 -DMD5ENABLE=\"$(MD5PWD)\" -DMAILSPOOL=\"$(MAILSPOOL)\" \
+ 	 -DANONYMOUSHOME=\"$(MAILSPOOL)/anonymous\" \
+ 	 -DACTIVEFILE=\"$(ACTIVEFILE)\" -DNEWSSPOOL=\"$(NEWSSPOOL)\" \
+-	 -DRSHPATH=\"$(RSHPATH)\" -DLOCKPGM=\"$(LOCKPGM)\" \
++	 -DLOCKPGM=\"$(LOCKPGM)\" \
+ 	 -DLOCKPGM1=\"$(LOCKPGM1)\" -DLOCKPGM2=\"$(LOCKPGM2)\" \
+ 	 -DLOCKPGM3=\"$(LOCKPGM3)\" > OSCFLAGS
+ 	echo $(BASELDFLAGS) $(EXTRALDFLAGS) > LDFLAGS
diff --git a/debian/patches/series b/debian/patches/series
index ced3fcc..80d69e8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 2012_krb5_multidev.patch
 1005_poll.patch
 1006_openssl1.1_autoverify.patch
+2013_disable_rsh.patch

Attachment: signature.asc
Description: This is a digitally signed message part.


Reply to: