Bug#1001180: bullseye-pu: package isync/1.3.0-2.2+deb11u1

To: 1001180@bugs.debian.org
Cc: anarcat@debian.org
Subject: Bug#1001180: bullseye-pu: package isync/1.3.0-2.2+deb11u1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 5 Dec 2021 21:35:50 +0100
Message-id: <Ya0ipj/5OL0zaUTG@lorien.valinor.li>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1001180@bugs.debian.org
In-reply-to: <[🔎] 163873621497.3224462.1169380010196625101.reportbug@elende.valinor.li>
References: <[🔎] 163873621497.3224462.1169380010196625101.reportbug@elende.valinor.li> <[🔎] 163873621497.3224462.1169380010196625101.reportbug@elende.valinor.li>

Hi,

On Sun, Dec 05, 2021 at 09:30:14PM +0100, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: carnil@debian.org,anarcat@debian.org
> 
> Hi SRM,
> 
> isync in bullseye is affected by CVE-2021-3657[1]. Upstream is
> providing as well explicit patches for the 1.3.x series. That said, I
> could not explicitly thest the package for the CVE is question.
> 
> But I'm X-Debbugs-CC'ing Antoine which might additionally be able to
> expose the package for bullseye to some real situation testing.

The debdiff attached now for real!

Regards,
Salvatore

diff -Nru isync-1.3.0/debian/changelog isync-1.3.0/debian/changelog
--- isync-1.3.0/debian/changelog	2021-06-07 21:03:56.000000000 +0200
+++ isync-1.3.0/debian/changelog	2021-12-05 21:17:18.000000000 +0100
@@ -1,3 +1,10 @@
+isync (1.3.0-2.2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix multiple buffer overflows (CVE-2021-3657)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 05 Dec 2021 21:17:18 +0100
+
 isync (1.3.0-2.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru isync-1.3.0/debian/patches/CVE-2021-3657-buffer-overflows-on-big-1.3.patch isync-1.3.0/debian/patches/CVE-2021-3657-buffer-overflows-on-big-1.3.patch
--- isync-1.3.0/debian/patches/CVE-2021-3657-buffer-overflows-on-big-1.3.patch	1970-01-01 01:00:00.000000000 +0100
+++ isync-1.3.0/debian/patches/CVE-2021-3657-buffer-overflows-on-big-1.3.patch	2021-12-05 21:17:18.000000000 +0100
@@ -0,0 +1,145 @@
+>From 9f7f0c94b67e9506ebf8ca674dd6cbb6a7989f44 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <ossi@users.sf.net>
+Date: Wed, 24 Nov 2021 16:57:00 +0100
+Subject: [PATCH] CVE-2021-3657: security fixes
+
+unlike in the 1.4 branch, we use signed ints for offsets and lengths, so
+many of the qualifying statements from the 1.4 series don't apply.
+---
+ src/drv_imap.c    |  9 +++++++++
+ src/drv_maildir.c |  8 +++++++-
+ src/socket.c      |  8 ++++++--
+ src/sync.c        | 15 ++++++++++-----
+ 4 files changed, 32 insertions(+), 8 deletions(-)
+
+--- a/src/drv_imap.c
++++ b/src/drv_imap.c
+@@ -779,6 +779,11 @@ parse_imap_list( imap_store_t *ctx, char
+ 			bytes = cur->len = strtol( s + 1, &s, 10 );
+ 			if (*s != '}' || *++s)
+ 				goto bail;
++			if ((uint)bytes >= INT_MAX) {
++				error( "IMAP error: excessively large literal from %s "
++				       "- THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", ctx->conn.name );
++				goto bail;
++			}
+ 
+ 			s = cur->val = nfmalloc( cur->len + 1 );
+ 			s[cur->len] = 0;
+@@ -1259,6 +1264,10 @@ parse_list_rsp_p2( imap_store_t *ctx, li
+ 	}
+ 	arg = list->val;
+ 	argl = list->len;
++	if (argl > 1000) {
++		warn( "IMAP warning: ignoring unreasonably long mailbox name '%.100s[...]'\n", arg );
++		goto skip;
++	}
+ 	if ((l = strlen( ctx->prefix ))) {
+ 		if (starts_with( arg, argl, ctx->prefix, l )) {
+ 			arg += l;
+--- a/src/drv_maildir.c
++++ b/src/drv_maildir.c
+@@ -1142,7 +1142,8 @@ maildir_scan( maildir_store_t *ctx, msg_
+ 					}
+ 					goto retry;
+ 				}
+-				entry->size = st.st_size;
++				// The clipped value is good enough for MaxSize comparisons.
++				entry->size = st.st_size > INT_MAX ? INT_MAX : (int)st.st_size;
+ 			}
+ 			if (want_tuid || want_msgid) {
+ 				if (!(f = fopen( buf, "r" ))) {
+@@ -1528,12 +1529,17 @@ maildir_fetch_msg( store_t *gctx, messag
+ 		}
+ 	}
+ 	fstat( fd, &st );
++	if (st.st_size > INT_MAX) {
++		error( "Maildir error: %s is too big", buf );
++		goto mbad;
++	}
+ 	data->len = st.st_size;
+ 	if (data->date == -1)
+ 		data->date = st.st_mtime;
+ 	data->data = nfmalloc( data->len );
+ 	if (read( fd, data->data, data->len ) != data->len) {
+ 		sys_error( "Maildir error: cannot read %s", buf );
++	  mbad:
+ 		close( fd );
+ 		cb( DRV_MSG_BAD, aux );
+ 		return;
+--- a/src/socket.c
++++ b/src/socket.c
+@@ -837,6 +837,8 @@ do_append( conn_t *conn, buff_chunk_t *b
+ /* This is big enough to avoid excessive chunking, but is
+  * sufficiently small to keep SSL latency low with a slow uplink. */
+ #define WRITE_CHUNK_SIZE 1024
++// Huge data blocks (message payloads) are forcibly chunked.
++#define MAX_WRITE_CHUNK_SIZE (1 << 30)
+ 
+ static void
+ do_flush( conn_t *conn )
+@@ -891,7 +893,8 @@ do_flush( conn_t *conn )
+ void
+ socket_write( conn_t *conn, conn_iovec_t *iov, int iovcnt )
+ {
+-	int i, buf_avail, len, offset = 0, total = 0;
++	int i, buf_avail, len, offset = 0;
++	uint total = 0;
+ 	buff_chunk_t *bc;
+ 
+ 	for (i = 0; i < iovcnt; i++)
+@@ -910,7 +913,8 @@ socket_write( conn_t *conn, conn_iovec_t
+ 			 * predict a reasonable output buffer size anyway - deflatePending() does
+ 			 * not account for consumed but not yet compressed input, and adding up
+ 			 * the deflateBound()s would be a tad *too* pessimistic. */
+-			buf_avail = total > WRITE_CHUNK_SIZE ? total : WRITE_CHUNK_SIZE;
++			buf_avail = total > MAX_WRITE_CHUNK_SIZE ? MAX_WRITE_CHUNK_SIZE :
++					total > WRITE_CHUNK_SIZE ? total : WRITE_CHUNK_SIZE;
+ 			bc = nfmalloc( offsetof(buff_chunk_t, data) + buf_avail );
+ 			bc->len = 0;
+ #ifndef HAVE_LIBZ
+--- a/src/sync.c
++++ b/src/sync.c
+@@ -333,7 +333,7 @@ copy_msg_bytes( char **out_ptr, const ch
+ }
+ 
+ static int
+-copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars )
++copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars, int t )
+ {
+ 	char *in_buf = vars->data.data;
+ 	int in_len = vars->data.len;
+@@ -361,7 +361,8 @@ copy_msg_convert( int in_cr, int out_cr,
+ 				goto nloop;
+ 			}
+ 		}
+-		/* invalid message */
++		warn( "Warning: message %u from %s has incomplete header; skipping.\n",
++		      vars->msg->uid, str_ms[1-t] );
+ 		free( in_buf );
+ 		return 0;
+ 	  oke:
+@@ -382,6 +383,12 @@ copy_msg_convert( int in_cr, int out_cr,
+ 	}
+ 
+ 	vars->data.len = in_len + extra;
++	if ((uint)vars->data.len > INT_MAX) {
++		warn( "Warning: message %u from %s is too big after conversion; skipping.\n",
++		      vars->msg->uid, str_ms[1-t] );
++		free( in_buf );
++		return 0;
++	}
+ 	char *out_buf = vars->data.data = nfmalloc( vars->data.len );
+ 	idx = 0;
+ 	if (vars->srec) {
+@@ -423,9 +430,7 @@ msg_fetched( int sts, void *aux )
+ 		scr = (svars->drv[1-t]->get_caps( svars->ctx[1-t] ) / DRV_CRLF) & 1;
+ 		tcr = (svars->drv[t]->get_caps( svars->ctx[t] ) / DRV_CRLF) & 1;
+ 		if (vars->srec || scr != tcr) {
+-			if (!copy_msg_convert( scr, tcr, vars )) {
+-				warn( "Warning: message %u from %s has incomplete header.\n",
+-				      vars->msg->uid, str_ms[1-t] );
++			if (!copy_msg_convert( scr, tcr, vars, t )) {
+ 				vars->cb( SYNC_NOGOOD, 0, vars );
+ 				return;
+ 			}
diff -Nru isync-1.3.0/debian/patches/series isync-1.3.0/debian/patches/series
--- isync-1.3.0/debian/patches/series	2021-06-07 21:03:56.000000000 +0200
+++ isync-1.3.0/debian/patches/series	2021-12-05 21:17:18.000000000 +0100
@@ -1,3 +1,4 @@
 01_sni.patch
 reject-funny-mailbox-names--1.3.patch
 fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch
+CVE-2021-3657-buffer-overflows-on-big-1.3.patch

Reply to:

References:
- Bug#1001180: bullseye-pu: package isync/1.3.0-2.2+deb11u1
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: please stop block janus from entering testing
Next by Date: Bug#993100: bullseye-pu: package udisks2/2.9.2-2+deb11u1
Previous by thread: Bug#1001180: bullseye-pu: package isync/1.3.0-2.2+deb11u1
Next by thread: Bug#1001180: bullseye-pu: package isync/1.3.0-2.2+deb11u1
Index(es):
- Date
- Thread