Bug#989668: buster-pu: package isync/1.3.0-2.2~deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: carnil@debian.org
Hi Stable release managers,
I would like to propose including in the upcoming point release an
isync update, versioned as 1.3.0-2.2~deb10u1, which is a rebuild of
the version in unstable containing two CVE fixes.
I decided to opt for the rebuild including the CVE fixes because the
only other change in 1.3.0-2.1 was the debian/watch switch to the
https URL.
[ Reason ]
Fix for CVE-2021-3578 and CVE-2021-20247 for buster.
[ Impact ]
We keep CVE-2021-3578 and CVE-2021-20247 affecting buster. The CVEs,
on the other hand, do not warrant a DSA.
[ Tests ]
None specifically.
[ Risks ]
We apply the same changes as in unstable, and TTBOMK no regressions
were reported. The update was acked to be unblocked to testing.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Apply the upstream fixes for CVE-2021-3578 and CVE-2021-20247;
additionally, Ondrej Novy updated the URL used in debian/watch to use
HTTPS.
[ Other info ]
None
Regards,
Salvatore
diff -Nru isync-1.3.0/debian/changelog isync-1.3.0/debian/changelog
--- isync-1.3.0/debian/changelog 2018-09-02 19:31:35.000000000 +0200
+++ isync-1.3.0/debian/changelog 2021-06-09 21:21:48.000000000 +0200
@@ -1,3 +1,31 @@
+isync (1.3.0-2.2~deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for buster
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Wed, 09 Jun 2021 21:21:48 +0200
+
+isync (1.3.0-2.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * fix handling of unexpected APPENDUID response code (CVE-2021-3578)
+ (Closes: #989564)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Mon, 07 Jun 2021 21:03:56 +0200
+
+isync (1.3.0-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+
+ [ Ondřej Nový ]
+ * d/watch: Use https protocol
+
+ [ Salvatore Bonaccorso ]
+ * reject funny mailbox names from IMAP LIST/LSUB (CVE-2021-20247)
+ (Closes: #983351)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Mon, 22 Feb 2021 21:09:21 +0100
+
isync (1.3.0-2) unstable; urgency=medium
* Update vcs-* to point to salsa.d.o
diff -Nru isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch
--- isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch 1970-01-01 01:00:00.000000000 +0100
+++ isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch 2021-06-09 21:21:48.000000000 +0200
@@ -0,0 +1,80 @@
+From 5fbed519180f155a017a438e479b6268b74b9526 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <ossi@users.sf.net>
+Date: Wed, 14 Apr 2021 16:58:27 +0200
+Subject: [PATCH] fix handling of unexpected APPENDUID response code
+
+if the code was sent in response to anything but a STORE, we'd overwrite
+a data pointer in one of our imap_cmd subclasses, an allocator data
+structure, or the start of the next allocation, with an int that was
+completely under the server's control. it's plausible that this could be
+exploited for remote code execution.
+
+to avoid this, we could ensure that the object is of the right type
+prior to casting, by using a new flag in the parameter block. but it's
+easier to just dispose of the out_uid field altogether and reuse the uid
+field that is present in the parameter block anyway, but was used only
+for FETCH commands so far.
+
+this problem was found by Lukas Braun <koomi@moshbit.net> using a
+fuzzer.
+---
+ src/drv_imap.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/drv_imap.c b/src/drv_imap.c
+index fbe2fed..4cc3b2a 100644
+--- a/src/drv_imap.c
++++ b/src/drv_imap.c
+@@ -181,7 +181,6 @@ typedef struct {
+ imap_cmd_t gen;
+ void (*callback)( int sts, uint uid, void *aux );
+ void *callback_aux;
+- uint out_uid;
+ } imap_cmd_out_uid_t;
+
+ typedef struct {
+@@ -1184,11 +1183,22 @@ parse_response_code( imap_store_t *ctx, imap_cmd_t *cmd, char *s )
+ */
+ for (; isspace( (uchar)*p ); p++);
+ error( "*** IMAP ALERT *** %s\n", p );
+- } else if (cmd && !strcmp( "APPENDUID", arg )) {
++ } else if (!strcmp( "APPENDUID", arg )) {
++ // The checks ensure that:
++ // - cmd => this is the final tagged response of a command, at which
++ // point cmd was already removed from ctx->in_progress, so param.uid
++ // is available for reuse.
++ // - !param.uid => the command isn't actually a FETCH. This doesn't
++ // really matter, as the field is safe to overwrite given the
++ // previous condition; it just has no effect for non-APPENDs.
++ if (!cmd || cmd->param.uid) {
++ error( "IMAP error: unexpected APPENDUID status\n" );
++ return RESP_CANCEL;
++ }
+ if (!(arg = next_arg( &s )) ||
+ (ctx->uidvalidity = strtoul( arg, &earg, 10 ), *earg) ||
+ !(arg = next_arg( &s )) ||
+- (((imap_cmd_out_uid_t *)cmd)->out_uid = strtoul( arg, &earg, 10 ), *earg))
++ (cmd->param.uid = strtoul( arg, &earg, 10 ), *earg))
+ {
+ error( "IMAP error: malformed APPENDUID status\n" );
+ return RESP_CANCEL;
+@@ -2957,7 +2967,6 @@ imap_store_msg( store_t *gctx, msg_data_t *data, int to_trash,
+ ctx->buffer_mem += data->len;
+ cmd->gen.param.data_len = data->len;
+ cmd->gen.param.data = data->data;
+- cmd->out_uid = 0;
+
+ if (to_trash) {
+ cmd->gen.param.create = 1;
+@@ -2990,7 +2999,7 @@ imap_store_msg_p2( imap_store_t *ctx ATTR_UNUSED, imap_cmd_t *cmd, int response
+ imap_cmd_out_uid_t *cmdp = (imap_cmd_out_uid_t *)cmd;
+
+ transform_msg_response( &response );
+- cmdp->callback( response, cmdp->out_uid, cmdp->callback_aux );
++ cmdp->callback( response, cmdp->gen.param.uid, cmdp->callback_aux );
+ }
+
+ /******************* imap_find_new_msgs *******************/
+--
+2.31.1.2.g8c0bdb8a70
+
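Review bot: the new guard `if (!cmd || cmd->param.uid)` in the parse_response_code hunk makes the fix depend on `param.uid` being zero for every non-FETCH command, but the imap_store_msg hunk only deletes `cmd->out_uid = 0;` and adds no `cmd->gen.param.uid = 0;` in its place, so it is worth confirming that the command parameter block is zero-initialised where commands are allocated (not visible in this diff); otherwise an APPENDUID for an APPEND with a stale non-zero uid would be rejected with RESP_CANCEL instead of recorded. The same assumption carries into imap_store_msg_p2, where `cmdp->gen.param.uid` is now handed to the callback and will be 0 when the server sent no APPENDUID, so callers must keep treating 0 as "no uid". Note also that moving the `cmd &&` test into the guard changes behaviour for an untagged APPENDUID from silently ignored to an explicit "unexpected APPENDUID status" error with RESP_CANCEL; that is the intended hardening, but it deserves a line in the patch header.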
diff -Nru isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch
--- isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch 1970-01-01 01:00:00.000000000 +0100
+++ isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch 2021-06-09 21:21:48.000000000 +0200
@@ -0,0 +1,68 @@
+>From 45e2bdc439a01974b6b990bfb8a8968192c3b721 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <ossi@users.sf.net>
+Date: Sun, 14 Feb 2021 20:42:37 +0100
+Subject: [PATCH] CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB
+
+in particular, '..' in the name could be used to escape the Path/Inbox
+of a Maildir Store, which could be exploited for stealing or deleting
+data, or staging a (mild) DoS attack.
+---
+ src/drv_imap.c | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/drv_imap.c b/src/drv_imap.c
+index 810479e..fbe2fed 100644
+--- a/src/drv_imap.c
++++ b/src/drv_imap.c
+@@ -1258,11 +1258,12 @@ static int
+ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
+ {
+ string_list_t *narg;
+- char *arg;
++ char *arg, c;
+ int argl, l;
+
+ if (!is_atom( list )) {
+ error( "IMAP error: malformed LIST response\n" );
++ listbad:
+ free_list( list );
+ return LIST_BAD;
+ }
+@@ -1302,6 +1303,34 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
+ warn( "IMAP warning: ignoring mailbox %s (reserved character '/' in name)\n", arg );
+ goto skip;
+ }
++ // Validate the normalized name. Technically speaking, we could tolerate
++ // '//' and '/./', and '/../' being forbidden is a limitation of the Maildir
++ // driver, but there isn't really a legitimate reason for these being present.
++ for (const char *p = narg->string, *sp = p;;) {
++ if (!(c = *p) || c == '/') {
++ uint pcl = (uint)(p - sp);
++ if (!pcl) {
++ error( "IMAP warning: ignoring mailbox '%s' due to empty name component\n", narg->string );
++ free( narg );
++ goto skip;
++ }
++ if (pcl == 1 && sp[0] == '.') {
++ error( "IMAP warning: ignoring mailbox '%s' due to '.' component\n", narg->string );
++ free( narg );
++ goto skip;
++ }
++ if (pcl == 2 && sp[0] == '.' && sp[1] == '.') {
++ error( "IMAP error: LIST'd mailbox name '%s' contains '..' component - THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", narg->string );
++ free( narg );
++ goto listbad;
++ }
++ if (!c)
++ break;
++ sp = ++p;
++ } else {
++ ++p;
++ }
++ }
+ narg->next = ctx->boxes;
+ ctx->boxes = narg;
+ skip:
+--
+2.29.2.2.g268056bf11.dirty
+
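Review bot: the empty-component and '.'-component rejections in the validation loop log through `error()` while their text says "IMAP warning", whereas the existing '/' check just above uses `warn()` for the same label; pick one so the logged severity matches the message. The `listbad:` label is introduced inside the body of `if (!is_atom( list ))` and jumped to from within the for loop, which is legal C but reads oddly; hoisting the `free_list( list ); return LIST_BAD;` pair into its own labelled block after the normal return path would be clearer. Finally, the first line of this patch file reads `>From 45e2bdc...`, i.e. mbox From-escaping; patch tools skip leading header text so it still applies, but dropping the `>` keeps the header consistent with the other patch.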
diff -Nru isync-1.3.0/debian/patches/series isync-1.3.0/debian/patches/series
--- isync-1.3.0/debian/patches/series 2018-09-02 19:31:35.000000000 +0200
+++ isync-1.3.0/debian/patches/series 2021-06-09 21:21:48.000000000 +0200
@@ -1 +1,3 @@
01_sni.patch
+reject-funny-mailbox-names--1.3.patch
+fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch
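Review bot: both new patches modify src/drv_imap.c, so their order in series matters; the order given (reject-funny-mailbox-names first, then the APPENDUID fix) matches the blob ids in the two `index` lines (810479e..fbe2fed followed by fbe2fed..4cc3b2a), so they should apply cleanly in sequence and no change is needed here.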
diff -Nru isync-1.3.0/debian/watch isync-1.3.0/debian/watch
--- isync-1.3.0/debian/watch 2018-09-02 19:31:35.000000000 +0200
+++ isync-1.3.0/debian/watch 2021-06-09 21:21:48.000000000 +0200
@@ -1,2 +1,2 @@
version=3
-http://sf.net/isync/ isync-(.*)\.tar\.gz
+https://sf.net/isync/ isync-(.*)\.tar\.gz