Bug#930107: unblock: cyrus-imapd/3.0.8-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package cyrus-imapd
Hi all,
Cyrus-Imapd is vulnerable to remote arbitrary code execution via CalDAV
(CVE-2019-11356, tagged high). Fix is very trivial.
The proposed debdiff also includes a missing dependency that closes
#872238.
Cheers,
Xavier
unblock cyrus-imapd/3.0.8-6
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru cyrus-imapd-3.0.8/debian/changelog cyrus-imapd-3.0.8/debian/changelog
--- cyrus-imapd-3.0.8/debian/changelog 2019-05-16 11:42:29.000000000 +0200
+++ cyrus-imapd-3.0.8/debian/changelog 2019-06-07 06:41:23.000000000 +0200
@@ -1,3 +1,14 @@
+cyrus-imapd (3.0.8-6) unstable; urgency=medium
+
+ [ Anthony Prades ]
+ * Add cyrus-clients dependency on cyrus-murder (Closes: #872238)
+
+ [ Xavier Guimard ]
+ * Add patch to fix arbitrary code execution via CalDAV
+ (Closes: CVE-2019-11356)
+
+ -- Xavier Guimard <yadd@debian.org> Fri, 07 Jun 2019 06:41:23 +0200
+
cyrus-imapd (3.0.8-5) unstable; urgency=medium
[ Xavier Guimard ]
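Review bot: the changelog entry describes the security fix only as "arbitrary code execution via CalDAV", but the patch that this upload carries touches two call sites, one in imap/httpd.c (the HTTP date/time parser, which is not CalDAV-specific) and one in imap/ical_support.c; consider wording the entry as "Fix unbounded sscanf %s conversions in httpd.c and ical_support.c (CVE-2019-11356)" so the changelog records what was actually changed. The "(Closes: CVE-2019-11356)" form is acceptable for a CVE without a Debian bug number.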
diff -Nru cyrus-imapd-3.0.8/debian/control cyrus-imapd-3.0.8/debian/control
--- cyrus-imapd-3.0.8/debian/control 2019-05-16 09:41:45.000000000 +0200
+++ cyrus-imapd-3.0.8/debian/control 2019-06-07 06:41:23.000000000 +0200
@@ -208,6 +208,7 @@
Depends: cyrus-common (= ${binary:Version}),
cyrus-imapd (= ${binary:Version}),
cyrus-pop3d (= ${binary:Version}),
+ cyrus-clients (= ${binary:Version}),
${misc:Depends},
${shlibs:Depends}
Description: Cyrus mail system - proxies and aggregator
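Review bot: the new "cyrus-clients (= ${binary:Version})" line uses the same strict versioned form as the sibling cyrus-common, cyrus-imapd and cyrus-pop3d entries, which is appropriate since all of them are built from this source package; the surrounding context ("proxies and aggregator") confirms this is the cyrus-murder stanza the changelog refers to for #872238. No change needed.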
diff -Nru cyrus-imapd-3.0.8/debian/patches/CVE-2019-11356.patch cyrus-imapd-3.0.8/debian/patches/CVE-2019-11356.patch
--- cyrus-imapd-3.0.8/debian/patches/CVE-2019-11356.patch 1970-01-01 01:00:00.000000000 +0100
+++ cyrus-imapd-3.0.8/debian/patches/CVE-2019-11356.patch 2019-06-07 06:41:23.000000000 +0200
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2019-11356
+Author: Ken Murchison <murch@fastmail.com>
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/a5779db8
+Bug: https://security-tracker.debian.org/tracker/CVE-2019-11356
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-06-07
+
+--- a/imap/httpd.c
++++ b/imap/httpd.c
+@@ -2202,7 +2202,7 @@
+ memset(&tm, 0, sizeof(struct tm));
+ tm.tm_isdst = -1;
+ sscanf(time, "%02d:%02d:%02d", &tm.tm_hour, &tm.tm_min, &tm.tm_sec);
+- sscanf(date, "%s %2d %4d", month, &tm.tm_mday, &tm.tm_year);
++ sscanf(date, "%3s %2d %4d", month, &tm.tm_mday, &tm.tm_year);
+ tm.tm_year -= 1900;
+ for (tm.tm_mon = 0; tm.tm_mon < 12; tm.tm_mon++) {
+ if (!strcmp(month, monthname[tm.tm_mon])) break;
+--- a/imap/ical_support.c
++++ b/imap/ical_support.c
+@@ -458,7 +458,7 @@
+
+ /* Check if this is an empty property error */
+ if (sscanf(errstr,
+- "No value for %s property", propname) == 1) {
++ "No value for %255s property", propname) == 1) {
+ /* Empty LOCATION is OK */
+ if (!strcasecmp(propname, "LOCATION")) continue;
+ if (!strcasecmp(propname, "COMMENT")) continue;
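Review bot: the field widths "%3s" and "%255s" only make these sscanf calls safe if the destination buffers are sized for width plus one terminating NUL, and the declarations of "month" and "propname" are outside the visible context; before accepting, confirm that "month" holds at least 4 bytes and "propname" at least 256 bytes, and mention the sizes in the Description: header so later readers can check the bound without opening the source. The "%3s" choice is consistent with the strcmp against monthname[] entries in the same hunk, which are three-letter abbreviations, so a longer token in "date" will now fail the comparison rather than overflow. The DEP-3 headers (Origin, Bug, Reviewed-By, Last-Update) are complete.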
diff -Nru cyrus-imapd-3.0.8/debian/patches/series cyrus-imapd-3.0.8/debian/patches/series
--- cyrus-imapd-3.0.8/debian/patches/series 2019-05-16 11:26:33.000000000 +0200
+++ cyrus-imapd-3.0.8/debian/patches/series 2019-06-07 06:41:23.000000000 +0200
@@ -21,3 +21,4 @@
0021-support-mailboxes-with-spaces.patch
0022-close-backups-on-failure.patch
0023-fix-memory-leak-on-ldap-failure.patch
+CVE-2019-11356.patch
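Review bot: every other entry in debian/patches/series carries a NNNN- ordering prefix (0021-, 0022-, 0023-), while the new entry is "CVE-2019-11356.patch"; for consistency with the existing convention consider naming it "0024-CVE-2019-11356.patch" (and the file accordingly). Appending it last is otherwise correct, since it touches files not modified by the earlier patches shown here.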