Bug#988332: [pre-approval] unblock: cyrus-imapd/3.2.6-2
Control: tags -1 moreinfo confirmed
On 2021-05-10 19:30:17, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: security@debian.org
>
> Please unblock package cyrus-imapd
Please go ahead with the upload and remove the moreinfo tag once the
package is available in unstable.
>
> [ Reason ]
> Cyrus-Imapd is vulnerable to CVE-2021-32056: it allows remote authenticated
> users to bypass intended access restrictions on server annotations and
> consequently cause replication to stall.
>
> [ Impact ]
> Security issue (not yet tagged by Security Team)
>
> [ Tests ]
> No changes in test
>
> [ Risks ]
> Patch seems trivial, just a better permission check
>
> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> Cheers,
> Yadd (from hospital ;-))
Get well soon
Cheers
>
> unblock cyrus-imapd/3.2.6-2
> diff --git a/debian/changelog b/debian/changelog
> index bc383a9c..150929df 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +cyrus-imapd (3.2.6-2) unstable; urgency=medium
> +
> + * Update gbp.conf for Bullseye branch
> + * annotate: don't allow everyone to write shared server entries (Closes: CVE-2021-32056)
> +
> + -- Yadd <yadd@debian.org> Mon, 10 May 2021 19:24:53 +0200
> +
> cyrus-imapd (3.2.6-1) unstable; urgency=medium
>
> * New upstream version 3.2.6
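Review bot: the changelog line `* annotate: don't allow everyone to write shared server entries (Closes: CVE-2021-32056)` uses `Closes:` on a CVE identifier; the changelog `Closes:` field is parsed for Debian bug numbers, so this closes nothing and lintian is likely to complain. Cite the CVE plainly instead, e.g. `* annotate: don't allow everyone to write shared server entries (CVE-2021-32056)`, and put a `Closes: #NNNNNN` only if there is a BTS bug for it.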
> diff --git a/debian/gbp.conf b/debian/gbp.conf
> index c747fcb7..ee87ac45 100644
> --- a/debian/gbp.conf
> +++ b/debian/gbp.conf
> @@ -1,7 +1,7 @@
> [DEFAULT]
> -debian-branch = master
> +debian-branch = bullseye
> debian-tag = debian/%(version)s
> -upstream-branch = upstream
> +upstream-branch = upstream-bullseye
> upstream-tag = upstream/%(version)s
> pristine-tar = True
>
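Review bot: the `debian-branch` / `upstream-branch` switch to the bullseye branches is not mentioned in the [Reason] or [Risks] sections of the request; it only changes the git-buildpackage branch layout and does not affect the built binaries, so it is fine to bundle here, but a line in the request saying so would save the release team a question.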
> diff --git a/debian/patches/CVE-2021-32056.patch b/debian/patches/CVE-2021-32056.patch
> new file mode 100644
> index 00000000..9a50abe1
> --- /dev/null
> +++ b/debian/patches/CVE-2021-32056.patch
> @@ -0,0 +1,50 @@
> +Description: annotate: don't allow everyone to write shared server entries
> +Author: Bron Gondwana <brong@fastmail.fm>
> +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/621f9e41
> +Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32056
> +Forwarded: not-needed
> +Reviewed-By: Yadd <yadd@debian.org>
> +Last-Update: 2021-05-10
> +
> +--- a/imap/annotate.c
> ++++ b/imap/annotate.c
> +@@ -2788,15 +2788,20 @@
> +
> + keylen = make_key(mboxname, uid, entry, userid, key, sizeof(key));
> +
> +- if (mailbox) {
> +- struct annotate_metadata oldmdata;
> +- r = read_old_value(d, key, keylen, &oldval, &oldmdata);
> +- if (r) goto out;
> ++ struct annotate_metadata oldmdata;
> ++ r = read_old_value(d, key, keylen, &oldval, &oldmdata);
> ++ if (r) goto out;
> ++
> ++ /* if the value is identical, don't touch the mailbox */
> ++ if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
> ++ goto out;
> +
> +- /* if the value is identical, don't touch the mailbox */
> +- if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
> +- goto out;
> ++ if (!maywrite) {
> ++ r = IMAP_PERMISSION_DENIED;
> ++ if (r) goto out;
> ++ }
> +
> ++ if (mailbox) {
> + if (!ignorequota) {
> + quota_t qdiffs[QUOTA_NUMRESOURCES] = QUOTA_DIFFS_DONTCARE_INITIALIZER;
> + qdiffs[QUOTA_ANNOTSTORAGE] = value->len - (quota_t)oldval.len;
> +@@ -2804,11 +2809,6 @@
> + if (r) goto out;
> + }
> +
> +- if (!maywrite) {
> +- r = IMAP_PERMISSION_DENIED;
> +- if (r) goto out;
> +- }
> +-
> + /* do the annot-changed here before altering the DB */
> + mailbox_annot_changed(mailbox, uid, entry, userid, &oldval, value, silent);
> +
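Review bot: in the first inner hunk (`@@ -2788,15 +2788,20 @@`) the identical-value short-circuit (`if (oldval.len == value->len && (!value->len || !memcmp(...))) goto out;`) now runs before the moved `if (!maywrite)` check, so a caller without write permission who stores a value equal to the existing one leaves with `r` still 0 from `read_old_value` (success) rather than `IMAP_PERMISSION_DENIED`, and the result of the call depends on the stored value; consider placing the `maywrite` check directly after `read_old_value` so the denial is unconditional. The relocation itself is the fix: the check used to sit inside `if (mailbox)` (removed in the second inner hunk), so server-level annotations, which have no mailbox, never reached it. Minor: `r = IMAP_PERMISSION_DENIED; if (r) goto out;` tests a constant; `r = IMAP_PERMISSION_DENIED; goto out;` reads clearer.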
> diff --git a/debian/patches/series b/debian/patches/series
> index 3fab10aa..27fc0ec9 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -7,3 +7,4 @@
> 0011-Fix-extra-libpci-in-SNMP_LIBS.patch
> 0012-Use-UnicodeData.txt-from-system.patch
> 0018-increase-test-timeout.patch
> +CVE-2021-32056.patch
--
Sebastian Ramacher