Bug#945122: marked as done (buster-pu: package cyrus-imapd/3.0.8-6+deb10u2)

Subject: Bug#945122: marked as done (buster-pu: package cyrus-imapd/3.0.8-6+deb10u2)

From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Date: Tue, 17 Dec 2019 09:15:05 +0000

Message-id: <[🔎] handler.945122.D945122.157657383511863.ackdone@bugs.debian.org>

References: <DE5202C3-7DE0-4DD2-BD05-F9448AA26A1B@debian.org> <157423192510.764827.1708568246041911910.reportbug@deb007.xnr.fr>

Your message dated Tue, 17 Dec 2019 10:06:11 +0100 with message-id <DE5202C3-7DE0-4DD2-BD05-F9448AA26A1B@debian.org> and subject line Re: cyrus-imapd: fix for CVE-2019-19783 has caused the Debian Bug report #945122, regarding buster-pu: package cyrus-imapd/3.0.8-6+deb10u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 945122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945122 Debian Bug Tracking System Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: buster-pu: package cyrus-imapd/3.0.8-6+deb10u2
From: Xavier Guimard <yadd@debian.org>
Date: Wed, 20 Nov 2019 07:38:45 +0100
Message-id: <157423192510.764827.1708568246041911910.reportbug@deb007.xnr.fr>

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

cyrus-imapd is vulnerable to CVE-2019-18928: privilege escalation on HTTP
request. This is a minor vulnerability since authentication is already
vulnerable when using non-SSL connection. However, this little patch
fixes the problem.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog
index 8023011..b011c8f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+cyrus-imapd (3.0.8-6+deb10u2) buster; urgency=high
+
+  * Fix privilege escalation on HTTP request (Closes: CVE-2019-18928)
+
+ -- Xavier Guimard <yadd@debian.org>  Tue, 19 Nov 2019 22:21:32 +0100
+
 cyrus-imapd (3.0.8-6+deb10u1) buster; urgency=medium
 
   * Add patch to fix data loss on upgrade from versions ≤ 3.0.0
diff --git a/debian/patches/CVE-2019-18928.patch b/debian/patches/CVE-2019-18928.patch
new file mode 100644
index 0000000..41bbad8
--- /dev/null
+++ b/debian/patches/CVE-2019-18928.patch
@@ -0,0 +1,38 @@
+Description: fix privilege escalation
+ Only allow reuse of auth creds on a persistent connection against a backend
+ server in a Murder
+Author: Ken Murchison <murch@fastmail.com>
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/e675bf7
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18928
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-11-19
+
+--- a/imap/httpd.c
++++ b/imap/httpd.c
+@@ -1729,6 +1729,25 @@
+         txn->auth_chal.scheme = NULL;
+     }
+ 
++    /* Drop auth credentials, if not a backend in a Murder */
++    else if (!config_mupdate_server || !config_getstring(IMAPOPT_PROXYSERVERS)) {
++        syslog(LOG_DEBUG, "drop auth creds");
++
++        free(httpd_userid);
++        httpd_userid = NULL;
++
++        free(httpd_extrafolder);
++        httpd_extrafolder = NULL;
++
++        free(httpd_extradomain);
++        httpd_extradomain = NULL;
++
++        if (httpd_authstate) {
++            auth_freestate(httpd_authstate);
++            httpd_authstate = NULL;
++        }
++    }
++
+     /* Perform proxy authorization, if necessary */
+     else if (saslprops.authid &&
+              (hdr = spool_getheader(txn->req_hdrs, "Authorize-As")) &&
diff --git a/debian/patches/series b/debian/patches/series
index e9631e4..c66f980 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@
 0023-fix-memory-leak-on-ldap-failure.patch
 CVE-2019-11356.patch
 0024-dont-skip-records-with-modseq-0.patch
+CVE-2019-18928.patch

--- End Message ---

--- Begin Message ---

To: 945122-done@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: cyrus-imapd: fix for CVE-2019-19783
From: Xavier <yadd@debian.org>
Date: Tue, 17 Dec 2019 10:06:11 +0100
Message-id: <DE5202C3-7DE0-4DD2-BD05-F9448AA26A1B@debian.org>
In-reply-to: <20191217075858.bxppha4u3pgrhuv6@inutil.org>
References: <835aa2f1-391c-8206-f17d-682aa72ac31a@debian.org> <20191216102419.2p45nprtidms4fpv@inutil.org> <C6F86DC0-2757-4348-93EF-51154B3D8BDB@debian.org> <889ce212-ece7-42b8-8dce-695835aed916@debian.org> <20191217075858.bxppha4u3pgrhuv6@inutil.org>

Will be fixed in a DSA

Le 17 décembre 2019 08:58:58 GMT+01:00, Moritz Muehlenhoff <jmm@inutil.org> a écrit :

On Mon, Dec 16, 2019 at 11:34:35PM +0100, Xavier wrote:
Hi all,

I made a mistake; fix for cyrus-3.0 includes also fix for CVE-2019-18928
(no-dsa) which was not already accepted by release.debian.org (next
point release: #945122)

What can we do?
 * leave proposed package like this (2 d/ch entries) and close #945122
 * reject it and:
   * keep only CVE-2019-19783 fix
   * set only one d/ch entry with the 2 patches

That's fine, we can piggyback security issues formerly marked as no-dsa
if something more severe arises, that's normal procedure. Just close the
spu bug to avoid confusion for stable release managers.

Cheers,
        Moritz

--
Envoyé de mon appareil Android avec Courriel K-9 Mail. Veuillez excuser ma brièveté.
--- End Message ---

Reply to: