
Bug#989668: marked as done (buster-pu: package isync/1.3.0-2.2~deb10u1)



Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #989668,
regarding buster-pu: package isync/1.3.0-2.2~deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989668
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: carnil@debian.org

Hi Stable release managers,

I would like to propose to include in the upcoming point release an
isync update, versioned as 1.3.0-2.2~deb10u1, which is a rebuild of
the version in unstable containing two CVE fixes.

I decided to opt for the rebuild including the CVE fixes because the
only other change in 1.3.0-2.1 was the debian/watch switch to the
https URL.

[ Reason ]
Fix for CVE-2021-3578 and CVE-2021-20247 for buster.

[ Impact ]
We keep CVE-2021-3578 and CVE-2021-20247 affecting buster. The CVEs, on
the other hand, do not warrant a DSA.

[ Tests ]
None specifically.

[ Risks ]
We apply the same changes as in unstable, and TTBOMK no regression
reports were reported. The update was acked to be unblocked to
testing.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply the upstream fixes for CVE-2021-3578 and CVE-2021-20247;
additionally, Ondrej Novy updated the URL used in debian/watch to use
HTTPS.

[ Other info ]
None

Regards,
Salvatore
diff -Nru isync-1.3.0/debian/changelog isync-1.3.0/debian/changelog
--- isync-1.3.0/debian/changelog	2018-09-02 19:31:35.000000000 +0200
+++ isync-1.3.0/debian/changelog	2021-06-09 21:21:48.000000000 +0200
@@ -1,3 +1,31 @@
+isync (1.3.0-2.2~deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for buster
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 09 Jun 2021 21:21:48 +0200
+
+isync (1.3.0-2.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * fix handling of unexpected APPENDUID response code (CVE-2021-3578)
+    (Closes: #989564)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 07 Jun 2021 21:03:56 +0200
+
+isync (1.3.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ Ondřej Nový ]
+  * d/watch: Use https protocol
+
+  [ Salvatore Bonaccorso ]
+  * reject funny mailbox names from IMAP LIST/LSUB (CVE-2021-20247)
+    (Closes: #983351)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 22 Feb 2021 21:09:21 +0100
+
 isync (1.3.0-2) unstable; urgency=medium
 
   * Update vcs-* to point to salsa.d.o
diff -Nru isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch
--- isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch	1970-01-01 01:00:00.000000000 +0100
+++ isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch	2021-06-09 21:21:48.000000000 +0200
@@ -0,0 +1,80 @@
+From 5fbed519180f155a017a438e479b6268b74b9526 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <ossi@users.sf.net>
+Date: Wed, 14 Apr 2021 16:58:27 +0200
+Subject: [PATCH] fix handling of unexpected APPENDUID response code
+
+if the code was sent in response to anything but a STORE, we'd overwrite
+a data pointer in one of our imap_cmd subclasses, an allocator data
+structure, or the start of the next allocation, with an int that was
+completely under the server's control. it's plausible that this could be
+exploited for remote code execution.
+
+to avoid this, we could ensure that the object is of the right type
+prior to casting, by using a new flag in the parameter block. but it's
+easier to just dispose of the out_uid field altogether and reuse the uid
+field that is present in the parameter block anyway, but was used only
+for FETCH commands so far.
+
+this problem was found by Lukas Braun <koomi@moshbit.net> using a
+fuzzer.
+---
+ src/drv_imap.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/drv_imap.c b/src/drv_imap.c
+index fbe2fed..4cc3b2a 100644
+--- a/src/drv_imap.c
++++ b/src/drv_imap.c
+@@ -181,7 +181,6 @@ typedef struct {
+ 	imap_cmd_t gen;
+ 	void (*callback)( int sts, uint uid, void *aux );
+ 	void *callback_aux;
+-	uint out_uid;
+ } imap_cmd_out_uid_t;
+ 
+ typedef struct {
+@@ -1184,11 +1183,22 @@ parse_response_code( imap_store_t *ctx, imap_cmd_t *cmd, char *s )
+ 		 */
+ 		for (; isspace( (uchar)*p ); p++);
+ 		error( "*** IMAP ALERT *** %s\n", p );
+-	} else if (cmd && !strcmp( "APPENDUID", arg )) {
++	} else if (!strcmp( "APPENDUID", arg )) {
++		// The checks ensure that:
++		// - cmd => this is the final tagged response of a command, at which
++		//   point cmd was already removed from ctx->in_progress, so param.uid
++		//   is available for reuse.
++		// - !param.uid => the command isn't actually a FETCH. This doesn't
++		//   really matter, as the field is safe to overwrite given the
++		//   previous condition; it just has no effect for non-APPENDs.
++		if (!cmd || cmd->param.uid) {
++			error( "IMAP error: unexpected APPENDUID status\n" );
++			return RESP_CANCEL;
++		}
+ 		if (!(arg = next_arg( &s )) ||
+ 		    (ctx->uidvalidity = strtoul( arg, &earg, 10 ), *earg) ||
+ 		    !(arg = next_arg( &s )) ||
+-		    (((imap_cmd_out_uid_t *)cmd)->out_uid = strtoul( arg, &earg, 10 ), *earg))
++		    (cmd->param.uid = strtoul( arg, &earg, 10 ), *earg))
+ 		{
+ 			error( "IMAP error: malformed APPENDUID status\n" );
+ 			return RESP_CANCEL;
+@@ -2957,7 +2967,6 @@ imap_store_msg( store_t *gctx, msg_data_t *data, int to_trash,
+ 	ctx->buffer_mem += data->len;
+ 	cmd->gen.param.data_len = data->len;
+ 	cmd->gen.param.data = data->data;
+-	cmd->out_uid = 0;
+ 
+ 	if (to_trash) {
+ 		cmd->gen.param.create = 1;
+@@ -2990,7 +2999,7 @@ imap_store_msg_p2( imap_store_t *ctx ATTR_UNUSED, imap_cmd_t *cmd, int response
+ 	imap_cmd_out_uid_t *cmdp = (imap_cmd_out_uid_t *)cmd;
+ 
+ 	transform_msg_response( &response );
+-	cmdp->callback( response, cmdp->out_uid, cmdp->callback_aux );
++	cmdp->callback( response, cmdp->gen.param.uid, cmdp->callback_aux );
+ }
+ 
+ /******************* imap_find_new_msgs *******************/
+-- 
+2.31.1.2.g8c0bdb8a70
+
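Review bot: the new guard `if (!cmd || cmd->param.uid)` in parse_response_code makes the fix depend on param.uid being zero for every command that is not a FETCH, but the imap_store_msg hunk only removes `cmd->out_uid = 0;` and adds no `cmd->gen.param.uid = 0;` in its place, so the invariant rests on the command allocator zeroing the parameter block, which is outside these lines; either add the explicit reset or state the assumption in the new comment. Note also the behaviour change for untagged responses: the old condition `cmd && !strcmp( "APPENDUID", arg )` let an APPENDUID with no associated command fall through to the rest of the else-if chain (not shown), whereas it now logs an error and returns RESP_CANCEL, the safer choice for a value the server controls, but a change in how a misbehaving server is handled that the changelog entry could mention.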
diff -Nru isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch
--- isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch	1970-01-01 01:00:00.000000000 +0100
+++ isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch	2021-06-09 21:21:48.000000000 +0200
@@ -0,0 +1,68 @@
+>From 45e2bdc439a01974b6b990bfb8a8968192c3b721 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <ossi@users.sf.net>
+Date: Sun, 14 Feb 2021 20:42:37 +0100
+Subject: [PATCH] CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB
+
+in particular, '..' in the name could be used to escape the Path/Inbox
+of a Maildir Store, which could be exploited for stealing or deleting
+data, or staging a (mild) DoS attack.
+---
+ src/drv_imap.c | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/drv_imap.c b/src/drv_imap.c
+index 810479e..fbe2fed 100644
+--- a/src/drv_imap.c
++++ b/src/drv_imap.c
+@@ -1258,11 +1258,12 @@ static int
+ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
+ {
+ 	string_list_t *narg;
+-	char *arg;
++	char *arg, c;
+ 	int argl, l;
+ 
+ 	if (!is_atom( list )) {
+ 		error( "IMAP error: malformed LIST response\n" );
++	  listbad:
+ 		free_list( list );
+ 		return LIST_BAD;
+ 	}
+@@ -1302,6 +1303,34 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
+ 		warn( "IMAP warning: ignoring mailbox %s (reserved character '/' in name)\n", arg );
+ 		goto skip;
+ 	}
++	// Validate the normalized name. Technically speaking, we could tolerate
++	// '//' and '/./', and '/../' being forbidden is a limitation of the Maildir
++	// driver, but there isn't really a legitimate reason for these being present.
++	for (const char *p = narg->string, *sp = p;;) {
++		if (!(c = *p) || c == '/') {
++			uint pcl = (uint)(p - sp);
++			if (!pcl) {
++				error( "IMAP warning: ignoring mailbox '%s' due to empty name component\n", narg->string );
++				free( narg );
++				goto skip;
++			}
++			if (pcl == 1 && sp[0] == '.') {
++				error( "IMAP warning: ignoring mailbox '%s' due to '.' component\n", narg->string );
++				free( narg );
++				goto skip;
++			}
++			if (pcl == 2 && sp[0] == '.' && sp[1] == '.') {
++				error( "IMAP error: LIST'd mailbox name '%s' contains '..' component - THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", narg->string );
++				free( narg );
++				goto listbad;
++			}
++			if (!c)
++				break;
++			sp = ++p;
++		} else {
++			++p;
++		}
++	}
+ 	narg->next = ctx->boxes;
+ 	ctx->boxes = narg;
+   skip:
+-- 
+2.29.2.2.g268056bf11.dirty
+
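Review bot: the "empty name component" and "'.' component" messages are tagged "IMAP warning" but emitted through error(), while the reserved-'/' check two lines above uses warn() for the same skip action; use warn() for the two skip cases (or drop the "warning" wording) so the log level matches the action taken, and keep error() for the '..' case only, which correctly fails the whole LIST via listbad after freeing narg. Separately, the first line of the patch file reads `>From 45e2bdc...`, an mbox From-escape left over from exporting the mail; quilt ignores it, but stripping the leading `>` keeps the header consistent with the other patch.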
diff -Nru isync-1.3.0/debian/patches/series isync-1.3.0/debian/patches/series
--- isync-1.3.0/debian/patches/series	2018-09-02 19:31:35.000000000 +0200
+++ isync-1.3.0/debian/patches/series	2021-06-09 21:21:48.000000000 +0200
@@ -1 +1,3 @@
 01_sni.patch
+reject-funny-mailbox-names--1.3.patch
+fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch
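Review bot: the order here matters because both patches modify src/drv_imap.c; applying reject-funny-mailbox-names--1.3.patch before fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch follows the upstream commit order (index 810479e..fbe2fed, then fbe2fed..4cc3b2a), so the second patch's context lines match the file state the first one produces.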
diff -Nru isync-1.3.0/debian/watch isync-1.3.0/debian/watch
--- isync-1.3.0/debian/watch	2018-09-02 19:31:35.000000000 +0200
+++ isync-1.3.0/debian/watch	2021-06-09 21:21:48.000000000 +0200
@@ -1,2 +1,2 @@
 version=3
-http://sf.net/isync/ isync-(.*)\.tar\.gz
+https://sf.net/isync/ isync-(.*)\.tar\.gz

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
