Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package dovecot Dovecot 1:2.3.4.1-4, already in unstable, fixes a crash related to processing of invalid external input. The issue is known as CVE-2019-10691[1], and was fixed in the Debian package by backporting the upstream fix. Full source debdiff attached. Regards, Apollon [1] https://dovecot.org/pipermail/dovecot/2019-April/115687.html unblock dovecot/1:2.3.4.1-4
diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog
--- dovecot-2.3.4.1/debian/changelog 2019-03-25 23:06:01.000000000 +0200
+++ dovecot-2.3.4.1/debian/changelog 2019-04-18 10:21:19.000000000 +0300
@@ -1,3 +1,9 @@
+dovecot (1:2.3.4.1-4) unstable; urgency=high
+
+ * [d04d4ba] Fix assert-crash in JSON encoder (CVE-2019-10691)
+
+ -- Apollon Oikonomopoulos <apoikos@debian.org> Thu, 18 Apr 2019 10:21:19 +0300
+
dovecot (1:2.3.4.1-3) unstable; urgency=high
* [07c9212] Fix two buffer overflows when reading oversized FTS headers
diff -Nru dovecot-2.3.4.1/debian/patches/CVE-2019-10691 dovecot-2.3.4.1/debian/patches/CVE-2019-10691
--- dovecot-2.3.4.1/debian/patches/CVE-2019-10691 1970-01-01 02:00:00.000000000 +0200
+++ dovecot-2.3.4.1/debian/patches/CVE-2019-10691 2019-04-18 10:21:19.000000000 +0300
@@ -0,0 +1,66 @@
+From 973769d74433de3c56c4ffdf4f343cb35d98e4f7 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Tue, 2 Apr 2019 13:09:48 +0300
+Subject: [PATCH 1/2] lib: json - Escape invalid UTF-8 as unicode bytes
+
+This prevents dovecot from crashing if invalid UTF-8 input
+is given.
+---
+ src/lib/json-parser.c | 12 ++++++++----
+ src/lib/test-json-parser.c | 8 ++++----
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/json-parser.c b/src/lib/json-parser.c
+index 677091d64..e7846a329 100644
+--- a/src/lib/json-parser.c
++++ b/src/lib/json-parser.c
+@@ -803,9 +803,13 @@ void json_append_escaped_data(string_t *dest, const unsigned char *src, size_t s
+
+ for (i = 0; i < size;) {
+ bytes = uni_utf8_get_char_n(src+i, size-i, &chr);
+- /* refuse to add invalid data */
+- i_assert(bytes > 0 && uni_is_valid_ucs4(chr));
+- json_append_escaped_ucs4(dest, chr);
+- i += bytes;
++ if (bytes > 0 && uni_is_valid_ucs4(chr)) {
++ json_append_escaped_ucs4(dest, chr);
++ i += bytes;
++ } else {
++ str_append_data(dest, UNICODE_REPLACEMENT_CHAR_UTF8,
++ UTF8_REPLACEMENT_CHAR_LEN);
++ i++;
++ }
+ }
+ }
+diff --git a/src/lib/test-json-parser.c b/src/lib/test-json-parser.c
+index bae6fb202..9ce1e489b 100644
+--- a/src/lib/test-json-parser.c
++++ b/src/lib/test-json-parser.c
+@@ -267,20 +267,20 @@ static void test_json_append_escaped(void)
+ string_t *str = t_str_new(32);
+
+ test_begin("json_append_escaped()");
+- json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7");
+- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
++ json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff");
++ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
+ test_end();
+ }
+
+ static void test_json_append_escaped_data(void)
+ {
+ static const unsigned char test_input[] =
+- "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7";
++ "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff";
+ string_t *str = t_str_new(32);
+
+ test_begin("json_append_escaped()");
+ json_append_escaped_data(str, test_input, sizeof(test_input)-1);
+- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
++ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
+ test_end();
+ }
+
+--
+2.11.0
+
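Review bot: The `else` branch added to json_append_escaped_data() is reachable both when uni_utf8_get_char_n() returns a non-positive value and when it decodes a value that uni_is_valid_ucs4() rejects, but the updated tests only append a lone `\xff`, which covers one kind of bad input. Because this path replaces an i_assert on externally supplied bytes, I would also add a multi-byte sequence cut off at the end of the buffer (for example a trailing `\xc3`, constructed here) and pin how many replacement characters come out, since `i++` resyncs one byte at a time even when `bytes` was larger. The removed `/* refuse to add invalid data */` comment has no successor; `/* invalid or truncated UTF-8: append U+FFFD and resync on the next byte */` above the `else` would state the new contract. The embedded mail header says `[PATCH 1/2]` while this file carries a single commit, so it is worth confirming that the second patch of that series is not needed for CVE-2019-10691. The function's body begins outside the inner hunk.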
diff -Nru dovecot-2.3.4.1/debian/patches/series dovecot-2.3.4.1/debian/patches/series
--- dovecot-2.3.4.1/debian/patches/series 2019-03-25 23:06:01.000000000 +0200
+++ dovecot-2.3.4.1/debian/patches/series 2019-04-18 10:21:19.000000000 +0300
@@ -10,4 +10,5 @@
lib-master-test-event-stats-Use-PRIu64-format.patch
avoid-double-closing-mysql.patch
CVE-2019-7524
+CVE-2019-10691
debian-changes