Bug#988332: [pre-approval] unblock: cyrus-imapd/3.2.6-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: security@debian.org
Please unblock package cyrus-imapd
[ Reason ]
Cyrus-Imapd is vulnerable to CVE-2021-32056: it allows remote authenticated
users to bypass intended access restrictions on server annotations and
consequently cause replication to stall.
[ Impact ]
Security issue (not yet tagged by Security Team)
[ Tests ]
No changes in test
[ Risks ]
Patch seems trivial, just a better permission check
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
Cheers,
Yadd (from hospital ;-))
unblock cyrus-imapd/3.2.6-2
diff --git a/debian/changelog b/debian/changelog
index bc383a9c..150929df 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cyrus-imapd (3.2.6-2) unstable; urgency=medium
+
+ * Update gbp.conf for Bullseye branch
+ * annotate: don't allow everyone to write shared server entries (Closes: CVE-2021-32056)
+
+ -- Yadd <yadd@debian.org> Mon, 10 May 2021 19:24:53 +0200
+
cyrus-imapd (3.2.6-1) unstable; urgency=medium
* New upstream version 3.2.6
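Review bot: the changelog entry uses "Closes: CVE-2021-32056", but the Debian changelog `Closes:` field is parsed for bug numbers (`#NNNNNN`), not CVE identifiers, so this closes nothing and is non-standard. The usual form is to cite the CVE as plain text, e.g. `* annotate: don't allow everyone to write shared server entries (CVE-2021-32056)`, and add `Closes: #<debian-bug-number>` separately if a Debian bug exists for it (no bug number is given in this report, so none is suggested here).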
diff --git a/debian/gbp.conf b/debian/gbp.conf
index c747fcb7..ee87ac45 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,7 +1,7 @@
[DEFAULT]
-debian-branch = master
+debian-branch = bullseye
debian-tag = debian/%(version)s
-upstream-branch = upstream
+upstream-branch = upstream-bullseye
upstream-tag = upstream/%(version)s
pristine-tar = True
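Review bot: the `debian-branch`/`upstream-branch` switch to `bullseye`/`upstream-bullseye` is a packaging-workflow change unrelated to the CVE fix and is bundled into the same freeze-exception upload. It does not affect the built binaries, so it is harmless for the unblock, but it would be cleaner to call it out as such in the [Reason] section so the release team does not have to work out why a security-only upload touches gbp.conf.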
diff --git a/debian/patches/CVE-2021-32056.patch b/debian/patches/CVE-2021-32056.patch
new file mode 100644
index 00000000..9a50abe1
--- /dev/null
+++ b/debian/patches/CVE-2021-32056.patch
@@ -0,0 +1,50 @@
+Description: annotate: don't allow everyone to write shared server entries
+Author: Bron Gondwana <brong@fastmail.fm>
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/621f9e41
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32056
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-05-10
+
+--- a/imap/annotate.c
++++ b/imap/annotate.c
+@@ -2788,15 +2788,20 @@
+
+ keylen = make_key(mboxname, uid, entry, userid, key, sizeof(key));
+
+- if (mailbox) {
+- struct annotate_metadata oldmdata;
+- r = read_old_value(d, key, keylen, &oldval, &oldmdata);
+- if (r) goto out;
++ struct annotate_metadata oldmdata;
++ r = read_old_value(d, key, keylen, &oldval, &oldmdata);
++ if (r) goto out;
++
++ /* if the value is identical, don't touch the mailbox */
++ if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
++ goto out;
+
+- /* if the value is identical, don't touch the mailbox */
+- if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
+- goto out;
++ if (!maywrite) {
++ r = IMAP_PERMISSION_DENIED;
++ if (r) goto out;
++ }
+
++ if (mailbox) {
+ if (!ignorequota) {
+ quota_t qdiffs[QUOTA_NUMRESOURCES] = QUOTA_DIFFS_DONTCARE_INITIALIZER;
+ qdiffs[QUOTA_ANNOTSTORAGE] = value->len - (quota_t)oldval.len;
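Review bot: in the relocated `if (!maywrite)` block, `r = IMAP_PERMISSION_DENIED;` is immediately followed by `if (r) goto out;`, so the condition is always true and the `if (r)` is dead (carried over from the removed block); a plain `goto out;` states the intent. More important for the security goal: the check is placed after the `/* if the value is identical, don't touch the mailbox */` early exit, so a caller without write permission who stores a value equal to the existing one gets success rather than IMAP_PERMISSION_DENIED. Moving the `!maywrite` test up to just after `read_old_value()` would reject unauthorized stores uniformly regardless of the value. Hoisting the check out of `if (mailbox)` is the actual fix here, since it now also covers server-level entries where `mailbox` is NULL.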
+@@ -2804,11 +2809,6 @@
+ if (r) goto out;
+ }
+
+- if (!maywrite) {
+- r = IMAP_PERMISSION_DENIED;
+- if (r) goto out;
+- }
+-
+ /* do the annot-changed here before altering the DB */
+ mailbox_annot_changed(mailbox, uid, entry, userid, &oldval, value, silent);
+
diff --git a/debian/patches/series b/debian/patches/series
index 3fab10aa..27fc0ec9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@
0011-Fix-extra-libpci-in-SNMP_LIBS.patch
0012-Use-UnicodeData.txt-from-system.patch
0018-increase-test-timeout.patch
+CVE-2021-32056.patch
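Review bot: style point on the series entry: the other patches in this file carry a numeric prefix (`0011-`, `0012-`, `0018-`), while the new one is named `CVE-2021-32056.patch`; following the existing convention (e.g. `0019-CVE-2021-32056.patch`) keeps the ordering in `debian/patches/series` self-explanatory.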