Bug#945122: buster-pu: package cyrus-imapd/3.0.8-6+deb10u2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
cyrus-imapd is vulnerable to CVE-2019-18928: privilege escalation on HTTP
request. This is a minor vulnerability since authentication is already
vulnerable when using a non-SSL connection. However, this little patch
fixes the problem.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 8023011..b011c8f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+cyrus-imapd (3.0.8-6+deb10u2) buster; urgency=high
+
+ * Fix privilege escalation on HTTP request (Closes: CVE-2019-18928)
+
+ -- Xavier Guimard <yadd@debian.org> Tue, 19 Nov 2019 22:21:32 +0100
+
cyrus-imapd (3.0.8-6+deb10u1) buster; urgency=medium
* Add patch to fix data loss on upgrade from versions ≤ 3.0.0
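Review bot: `Closes:` in the new changelog entry should carry a Debian bug number, not a CVE id; the changelog convention is to name the CVE in the text and reserve `Closes:` for `#NNNNNN` references, so `* Fix privilege escalation on HTTP request (CVE-2019-18928)` is the usual form. If a bug was filed in the BTS for this CVE, cite that number with `Closes:`; otherwise the security tracker picks the fix up from the CVE id in the text. `urgency=high` is appropriate for a security update to stable.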
diff --git a/debian/patches/CVE-2019-18928.patch b/debian/patches/CVE-2019-18928.patch
new file mode 100644
index 0000000..41bbad8
--- /dev/null
+++ b/debian/patches/CVE-2019-18928.patch
@@ -0,0 +1,38 @@
+Description: fix privilege escalation
+ Only allow reuse of auth creds on a persistent connection against a backend
+ server in a Murder
+Author: Ken Murchison <murch@fastmail.com>
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/e675bf7
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18928
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-11-19
+
+--- a/imap/httpd.c
++++ b/imap/httpd.c
+@@ -1729,6 +1729,25 @@
+ txn->auth_chal.scheme = NULL;
+ }
+
++ /* Drop auth credentials, if not a backend in a Murder */
++ else if (!config_mupdate_server || !config_getstring(IMAPOPT_PROXYSERVERS)) {
++ syslog(LOG_DEBUG, "drop auth creds");
++
++ free(httpd_userid);
++ httpd_userid = NULL;
++
++ free(httpd_extrafolder);
++ httpd_extrafolder = NULL;
++
++ free(httpd_extradomain);
++ httpd_extradomain = NULL;
++
++ if (httpd_authstate) {
++ auth_freestate(httpd_authstate);
++ httpd_authstate = NULL;
++ }
++ }
++
+ /* Perform proxy authorization, if necessary */
+ else if (saslprops.authid &&
+ (hdr = spool_getheader(txn->req_hdrs, "Authorize-As")) &&
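Review bot: the new `else if (!config_mupdate_server || !config_getstring(IMAPOPT_PROXYSERVERS))` branch is inserted ahead of the existing `/* Perform proxy authorization, if necessary */` branch, so the `Authorize-As` handling is now reachable only when a mupdate server and `proxyservers` are both configured, i.e. on a Murder backend. That is consistent with the Description (credentials are reused only on a persistent connection to a backend in a Murder), but it is a behaviour change for non-Murder deployments and is worth stating in the DEP-3 Description so a later reader does not mistake the proxy-authorization branch for dead code. On a non-Murder server every request on a persistent connection therefore starts with `httpd_userid` and `httpd_authstate` cleared, which is the fix for the credential reuse. Minor: `Origin:` gives only the 7-character prefix `e675bf7`; the full upstream commit hash keeps the reference unambiguous.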
diff --git a/debian/patches/series b/debian/patches/series
index e9631e4..c66f980 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@
0023-fix-memory-leak-on-ldap-failure.patch
CVE-2019-11356.patch
0024-dont-skip-records-with-modseq-0.patch
+CVE-2019-18928.patch