
Bug#945122: buster-pu: package cyrus-imapd/3.0.8-6+deb10u2

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

cyrus-imapd is vulnerable to CVE-2019-18928: privilege escalation on HTTP
request. This is a minor vulnerability since authentication is already
vulnerable when using a non-SSL connection. However, this little patch
fixes the problem.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog
index 8023011..b011c8f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+cyrus-imapd (3.0.8-6+deb10u2) buster; urgency=high
+
+  * Fix privilege escalation on HTTP request (Closes: CVE-2019-18928)
+
+ -- Xavier Guimard <yadd@debian.org>  Tue, 19 Nov 2019 22:21:32 +0100
+
 cyrus-imapd (3.0.8-6+deb10u1) buster; urgency=medium
 
   * Add patch to fix data loss on upgrade from versions ≤ 3.0.0
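Review bot: `(Closes: CVE-2019-18928)` in the new changelog entry puts a CVE id behind the `Closes:` keyword, which dpkg-parsechangelog only understands for Debian bug numbers (`Closes: #NNNNNN`), so nothing is actually closed and the entry reads as if a BTS bug were being resolved. The usual form is `* Fix privilege escalation on HTTP request (CVE-2019-18928)`, adding `Closes: #NNNNNN` only if a Debian bug is filed for the issue.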
diff --git a/debian/patches/CVE-2019-18928.patch b/debian/patches/CVE-2019-18928.patch
new file mode 100644
index 0000000..41bbad8
--- /dev/null
+++ b/debian/patches/CVE-2019-18928.patch
@@ -0,0 +1,38 @@
+Description: fix privilege escalation
+ Only allow reuse of auth creds on a persistent connection against a backend
+ server in a Murder
+Author: Ken Murchison <murch@fastmail.com>
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/e675bf7
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18928
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-11-19
+
+--- a/imap/httpd.c
++++ b/imap/httpd.c
+@@ -1729,6 +1729,25 @@
+         txn->auth_chal.scheme = NULL;
+     }
+ 
++    /* Drop auth credentials, if not a backend in a Murder */
++    else if (!config_mupdate_server || !config_getstring(IMAPOPT_PROXYSERVERS)) {
++        syslog(LOG_DEBUG, "drop auth creds");
++
++        free(httpd_userid);
++        httpd_userid = NULL;
++
++        free(httpd_extrafolder);
++        httpd_extrafolder = NULL;
++
++        free(httpd_extradomain);
++        httpd_extradomain = NULL;
++
++        if (httpd_authstate) {
++            auth_freestate(httpd_authstate);
++            httpd_authstate = NULL;
++        }
++    }
++
+     /* Perform proxy authorization, if necessary */
+     else if (saslprops.authid &&
+              (hdr = spool_getheader(txn->req_hdrs, "Authorize-As")) &&
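Review bot: the new branch starting at `+    /* Drop auth credentials, if not a backend in a Murder */` is spliced into an if/else-if chain whose first condition lies outside the hunk (only its tail `txn->auth_chal.scheme = NULL; }` is visible), and the `@@ -1729,6 +1729,25 @@` header carries no function context, so please confirm against the full `imap/httpd.c` of 3.0.8 that the hunk applies at the intended spot and that the preceding branch is the one taken when the request itself carried usable credentials, since the drop is meant to affect only credentials carried over from an earlier request on the same connection. The placement within the chain does match the DEP-3 description: because the drop sits before `/* Perform proxy authorization, if necessary */`, the `Authorize-As` path can now only run when `config_mupdate_server` is set and `IMAPOPT_PROXYSERVERS` is configured, i.e. on a Murder backend. The unguarded `free()` of `httpd_userid`, `httpd_extrafolder` and `httpd_extradomain` is fine (free of NULL is a no-op), while the NULL check around `auth_freestate(httpd_authstate)` is needed and present. Minor DEP-3 point: `Origin:` references an abbreviated commit id (`e675bf7`); the full hash would keep the upstream reference unambiguous.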
diff --git a/debian/patches/series b/debian/patches/series
index e9631e4..c66f980 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@
 0023-fix-memory-leak-on-ldap-failure.patch
 CVE-2019-11356.patch
 0024-dont-skip-records-with-modseq-0.patch
+CVE-2019-18928.patch