[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#927360: marked as done (unblock: dovecot/1:2.3.4.1-4)

Your message dated Thu, 18 Apr 2019 13:26:00 +0000
with message-id <c9d0f5c8-cab8-7a2c-99a0-b05e3c429693@thykier.net>
and subject line Re: Bug#927360: unblock: dovecot/1:2.3.4.1-4
has caused the Debian Bug report #927360,
regarding unblock: dovecot/1:2.3.4.1-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927360: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927360
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package dovecot

Dovecot 1:2.3.4.1-4, already in unstable, fixes a crash related to 
processing of invalid external input. The issue is known as 
CVE-2019-10691[1], and was fixed in the Debian package by backporting 
the upstream fix.

Full source debdiff attached.

Regards,
Apollon

[1] https://dovecot.org/pipermail/dovecot/2019-April/115687.html

unblock dovecot/1:2.3.4.1-4

diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog
--- dovecot-2.3.4.1/debian/changelog	2019-03-25 23:06:01.000000000 +0200
+++ dovecot-2.3.4.1/debian/changelog	2019-04-18 10:21:19.000000000 +0300
@@ -1,3 +1,9 @@
+dovecot (1:2.3.4.1-4) unstable; urgency=high
+
+  * [d04d4ba] Fix assert-crash in JSON encoder (CVE-2019-10691)
+
+ -- Apollon Oikonomopoulos <apoikos@debian.org>  Thu, 18 Apr 2019 10:21:19 +0300
+
 dovecot (1:2.3.4.1-3) unstable; urgency=high
 
   * [07c9212] Fix two buffer overflows when reading oversized FTS headers
diff -Nru dovecot-2.3.4.1/debian/patches/CVE-2019-10691 dovecot-2.3.4.1/debian/patches/CVE-2019-10691
--- dovecot-2.3.4.1/debian/patches/CVE-2019-10691	1970-01-01 02:00:00.000000000 +0200
+++ dovecot-2.3.4.1/debian/patches/CVE-2019-10691	2019-04-18 10:21:19.000000000 +0300
@@ -0,0 +1,66 @@
+From 973769d74433de3c56c4ffdf4f343cb35d98e4f7 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Tue, 2 Apr 2019 13:09:48 +0300
+Subject: [PATCH 1/2] lib: json - Escape invalid UTF-8 as unicode bytes
+
+This prevents dovecot from crashing if invalid UTF-8 input
+is given.
+---
+ src/lib/json-parser.c      | 12 ++++++++----
+ src/lib/test-json-parser.c |  8 ++++----
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/json-parser.c b/src/lib/json-parser.c
+index 677091d64..e7846a329 100644
+--- a/src/lib/json-parser.c
++++ b/src/lib/json-parser.c
+@@ -803,9 +803,13 @@ void json_append_escaped_data(string_t *dest, const unsigned char *src, size_t s
+ 
+ 	for (i = 0; i < size;) {
+ 		bytes = uni_utf8_get_char_n(src+i, size-i, &chr);
+-		/* refuse to add invalid data */
+-		i_assert(bytes > 0 && uni_is_valid_ucs4(chr));
+-		json_append_escaped_ucs4(dest, chr);
+-		i += bytes;
++		if (bytes > 0 && uni_is_valid_ucs4(chr)) {
++			json_append_escaped_ucs4(dest, chr);
++			i += bytes;
++		} else {
++			str_append_data(dest, UNICODE_REPLACEMENT_CHAR_UTF8,
++					      UTF8_REPLACEMENT_CHAR_LEN);
++			i++;
++		}
+ 	}
+ }
+diff --git a/src/lib/test-json-parser.c b/src/lib/test-json-parser.c
+index bae6fb202..9ce1e489b 100644
+--- a/src/lib/test-json-parser.c
++++ b/src/lib/test-json-parser.c
+@@ -267,20 +267,20 @@ static void test_json_append_escaped(void)
+ 	string_t *str = t_str_new(32);
+ 
+ 	test_begin("json_append_escaped()");
+-	json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7");
+-	test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
++	json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff");
++	test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
+ 	test_end();
+ }
+ 
+ static void test_json_append_escaped_data(void)
+ {
+ 	static const unsigned char test_input[] =
+-		"\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7";
++		"\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff";
+ 	string_t *str = t_str_new(32);
+ 
+ 	test_begin("json_append_escaped()");
+ 	json_append_escaped_data(str, test_input, sizeof(test_input)-1);
+-	test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
++	test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
+ 	test_end();
+ }
+ 
+-- 
+2.11.0
+
diff -Nru dovecot-2.3.4.1/debian/patches/series dovecot-2.3.4.1/debian/patches/series
--- dovecot-2.3.4.1/debian/patches/series	2019-03-25 23:06:01.000000000 +0200
+++ dovecot-2.3.4.1/debian/patches/series	2019-04-18 10:21:19.000000000 +0300
@@ -10,4 +10,5 @@
 lib-master-test-event-stats-Use-PRIu64-format.patch
 avoid-double-closing-mysql.patch
 CVE-2019-7524
+CVE-2019-10691
 debian-changes

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Apollon Oikonomopoulos:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package dovecot
> 
> Dovecot 1:2.3.4.1-4, already in unstable, fixes a crash related to 
> processing of invalid external input. The issue is known as 
> CVE-2019-10691[1], and was fixed in the Debian package by backporting 
> the upstream fix.
> 
> Full source debdiff attached.
> 
> Regards,
> Apollon
> 
> [1] https://dovecot.org/pipermail/dovecot/2019-April/115687.html
> 
> unblock dovecot/1:2.3.4.1-4
> 

Unblocked, thanks.
~Niels

--- End Message ---
Reply to: