Bug#988332: [pre-approval] unblock: cyrus-imapd/3.2.6-2

To: Yadd <yadd@debian.org>, 988332@bugs.debian.org
Subject: Bug#988332: [pre-approval] unblock: cyrus-imapd/3.2.6-2
From: Sebastian Ramacher <sramacher@debian.org>
Date: Mon, 10 May 2021 22:01:11 +0200
Message-id: <[🔎] YJmRBx9tu48RfOwv@ramacher.at>
Reply-to: Sebastian Ramacher <sramacher@debian.org>, 988332@bugs.debian.org
In-reply-to: <[🔎] 162066781787.2009269.16578261466812776110.reportbug@deb007.xnr.fr>
References: <[🔎] 162066781787.2009269.16578261466812776110.reportbug@deb007.xnr.fr> <[🔎] 162066781787.2009269.16578261466812776110.reportbug@deb007.xnr.fr>

Control: tags -1 moreinfo confirmed

On 2021-05-10 19:30:17, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: security@debian.org
> 
> Please unblock package cyrus-imapd

Please go ahead with the upload and remove the moreinfo tag once the
package is available in unstable.

> 
> [ Reason ]
> Cyrus-Imapd is vulnerable to CVE-2021-32056: it allows remote authenticated
> users to bypass intended access restrictions on server annotations and
> consequently cause replication to stall.
> 
> [ Impact ]
> Security issue (not yet tagged by Security Team
> 
> [ Tests ]
> No changes in test
> 
> [ Risks ]
> Patch seems trivial, just a better permission check
> 
> [ Checklist ]
>   [X] all changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in testing
> 
> Cheers,
> Yadd (from hospital ;-))

Get well soon

Cheers

> 
> unblock cyrus-imapd/3.2.6-2

> diff --git a/debian/changelog b/debian/changelog
> index bc383a9c..150929df 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +cyrus-imapd (3.2.6-2) unstable; urgency=medium
> +
> +  * Update gbp.conf for Bullseye branch
> +  * annotate: don't allow everyone to write shared server entries (Closes: CVE-2021-32056)
> +
> + -- Yadd <yadd@debian.org>  Mon, 10 May 2021 19:24:53 +0200
> +
>  cyrus-imapd (3.2.6-1) unstable; urgency=medium
>  
>    * New upstream version 3.2.6
> diff --git a/debian/gbp.conf b/debian/gbp.conf
> index c747fcb7..ee87ac45 100644
> --- a/debian/gbp.conf
> +++ b/debian/gbp.conf
> @@ -1,7 +1,7 @@
>  [DEFAULT]
> -debian-branch = master
> +debian-branch = bullseye
>  debian-tag = debian/%(version)s
> -upstream-branch = upstream
> +upstream-branch = upstream-bullseye
>  upstream-tag = upstream/%(version)s
>  pristine-tar = True
>  
> diff --git a/debian/patches/CVE-2021-32056.patch b/debian/patches/CVE-2021-32056.patch
> new file mode 100644
> index 00000000..9a50abe1
> --- /dev/null
> +++ b/debian/patches/CVE-2021-32056.patch
> @@ -0,0 +1,50 @@
> +Description: annotate: don't allow everyone to write shared server entries
> +Author: Bron Gondwana <brong@fastmail.fm>
> +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/621f9e41
> +Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32056
> +Forwarded: not-needed
> +Reviewed-By: Yadd <yadd@debian.org>
> +Last-Update: 2021-05-10
> +
> +--- a/imap/annotate.c
> ++++ b/imap/annotate.c
> +@@ -2788,15 +2788,20 @@
> + 
> +     keylen = make_key(mboxname, uid, entry, userid, key, sizeof(key));
> + 
> +-    if (mailbox) {
> +-        struct annotate_metadata oldmdata;
> +-        r = read_old_value(d, key, keylen, &oldval, &oldmdata);
> +-        if (r) goto out;
> ++    struct annotate_metadata oldmdata;
> ++    r = read_old_value(d, key, keylen, &oldval, &oldmdata);
> ++    if (r) goto out;
> ++
> ++    /* if the value is identical, don't touch the mailbox */
> ++    if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
> ++        goto out;
> + 
> +-        /* if the value is identical, don't touch the mailbox */
> +-        if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
> +-            goto out;
> ++    if (!maywrite) {
> ++        r = IMAP_PERMISSION_DENIED;
> ++        if (r) goto out;
> ++    }
> + 
> ++    if (mailbox) {
> +         if (!ignorequota) {
> +             quota_t qdiffs[QUOTA_NUMRESOURCES] = QUOTA_DIFFS_DONTCARE_INITIALIZER;
> +             qdiffs[QUOTA_ANNOTSTORAGE] = value->len - (quota_t)oldval.len;
> +@@ -2804,11 +2809,6 @@
> +             if (r) goto out;
> +         }
> + 
> +-        if (!maywrite) {
> +-            r = IMAP_PERMISSION_DENIED;
> +-            if (r) goto out;
> +-        }
> +-
> +         /* do the annot-changed here before altering the DB */
> +         mailbox_annot_changed(mailbox, uid, entry, userid, &oldval, value, silent);
> + 
> diff --git a/debian/patches/series b/debian/patches/series
> index 3fab10aa..27fc0ec9 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -7,3 +7,4 @@
>  0011-Fix-extra-libpci-in-SNMP_LIBS.patch
>  0012-Use-UnicodeData.txt-from-system.patch
>  0018-increase-test-timeout.patch
> +CVE-2021-32056.patch


-- 
Sebastian Ramacher

Reply to:

References:
- Bug#988332: [pre-approval] unblock: cyrus-imapd/3.2.6-2
  - From: Yadd <yadd@debian.org>

Prev by Date: Processed: Re: Bug#988072: release.debian.org: unblick (pre-approval): hivex/1.3.20-1
Next by Date: Processed: Re: Bug#988332: [pre-approval] unblock: cyrus-imapd/3.2.6-2
Previous by thread: Bug#988332: [pre-approval] unblock: cyrus-imapd/3.2.6-2
Next by thread: Processed: Re: Bug#988332: [pre-approval] unblock: cyrus-imapd/3.2.6-2
Index(es):
- Date
- Thread