[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1073202: marked as done (bookworm-pu: package python-aiosmtpd/1.4.3-1.1+deb12u1)

Your message dated Sat, 29 Jun 2024 10:46:21 +0000
with message-id <E1sNVb3-002bjK-4S@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1073202,
regarding bookworm-pu: package python-aiosmtpd/1.4.3-1.1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1073202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073202
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python-aiosmtpd@packages.debian.org, dale@dalerichards.net
Control: affects -1 + src:python-aiosmtpd
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
This update resolves two security vulnerabilities present in
the version of python-aiosmtpd in Bookworm (1.4.3-1.1):

  * CVE-2024-27305 - SMTP smuggling due to poor handling of
    non-standard line endings (Bug: #1066820)
  * CVE-2024-34083 - STARTTLS unencrypted command injection
    (Bug: #1072119)

These have both been deemed unworthy of a DSA, but the
Security Team have suggested we update this package for the
next Bookworm point release.

[ Impact ]
Without this update, Debian 12 systems running aiosmtpd would
remain vulnerable to the two CVEs listed above.

[ Tests ]
The upstream package includes a comprehensive suite of tests,
all of which are passing with this new version. Additionally,
I have installed the new package on a Bookworm test box and
performed manual testing, confirming that the package's main
functionality works and that the two vulnerabilties are
correctly resolved.

[ Risks ]
The code changes are minor, and bring aiosmtpd into compliance
with the relevant sections of RFC 3207[1] and RFC 5321[2].
The update can therefore be considered low risk, and will not
cause an issue with any RFC-compliant SMTP client or MTA.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * CVE-2024-27305 - Patch aiosmtpd/smtp.py to accept only <CRLF>
    as a line terminator, as mandated by RFC 5321[2]. This patch
    has been adapted from the fix committed upstream[3].
  * CVE-2024-34083 - Patch aiosmtpd/smtp.py to discard any
    remaining unencrypted data in the input buffer upon completion
    of a STARTTLS handshake, as mandated by RFC 3207[1]. This patch
    has been adapted from the fix committed upstream[4].

[ Other info ]

References:

[1] https://datatracker.ietf.org/doc/html/rfc3207#page-7
[2] https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
[3] https://github.com/aio-
libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
[4] https://github.com/aio-
libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda

diff -Nru python-aiosmtpd-1.4.3/debian/changelog python-aiosmtpd-1.4.3/debian/changelog
--- python-aiosmtpd-1.4.3/debian/changelog	2023-05-25 15:09:53.000000000 +0100
+++ python-aiosmtpd-1.4.3/debian/changelog	2024-06-07 18:11:07.000000000 +0100
@@ -1,3 +1,13 @@
+python-aiosmtpd (1.4.3-1.1+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * CVE-2024-27305 - SMTP smuggling due to poor handling of
+    non-standard line endings (Closes: #1066820)
+  * CVE-2024-34083 - STARTTLS unencrypted command injection
+      (Closes: #1072119)
+
+ -- Dale Richards <dale@dalerichards.net>  Fri, 07 Jun 2024 18:11:07 +0100
+
 python-aiosmtpd (1.4.3-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch
--- python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch	2024-06-07 18:11:07.000000000 +0100
@@ -0,0 +1,19 @@
+Description: CVE-2024-34083 - STARTTLS unencrypted command injection
+Author: Dale Richards <dale@dalerichards.net>
+Origin: upstream, https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
+Bug: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
+Last-Update: 2024-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/aiosmtpd/smtp.py
++++ b/aiosmtpd/smtp.py
+@@ -504,6 +504,9 @@
+             self._reader._transport = transport
+             self._writer._transport = transport
+             self.transport = transport
++            # Discard any leftover unencrypted data
++            # See https://tools.ietf.org/html/rfc3207#page-7
++            self._reader._buffer.clear()  # type: ignore[attr-defined]
+             # Do SSL certificate checking as rfc3207 part 4.1 says.  Why is
+             # _extra a protected attribute?
+             self.session.ssl = self._tls_protocol._extra
diff -Nru python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch
--- python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch	2024-06-07 18:11:07.000000000 +0100
@@ -0,0 +1,51 @@
+Description: CVE-2024-27305 - SMTP smuggling
+ SMTP smuggling due to poor handling of
+ non-standard line endings
+Author: Dale Richards <dale@dalerichards.net>
+Origin: upstream, https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
+Bug: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
+Last-Update: 2024-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/aiosmtpd/smtp.py
++++ b/aiosmtpd/smtp.py
+@@ -86,7 +86,7 @@
+ EMPTY_BARR = bytearray()
+ EMPTYBYTES = b''
+ MISSING = _Missing()
+-NEWLINE = '\n'
++NEWLINE = '\r\n'
+ VALID_AUTHMECH = re.compile(r"[A-Z0-9_-]+\Z")
+ 
+ # https://tools.ietf.org/html/rfc3207.html#page-3
+@@ -1375,9 +1375,10 @@
+             # Since eof_received cancels this coroutine,
+             # readuntil() can never raise asyncio.IncompleteReadError.
+             try:
+-                line: bytes = await self._reader.readuntil()
++                # https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
++                line: bytes = await self._reader.readuntil(b'\r\n')
+                 log.debug('DATA readline: %s', line)
+-                assert line.endswith(b'\n')
++                assert line.endswith(b'\r\n')
+             except asyncio.CancelledError:
+                 # The connection got reset during the DATA command.
+                 log.info('Connection lost during DATA')
+@@ -1394,7 +1395,7 @@
+                 data *= 0
+                 # Drain the stream anyways
+                 line = await self._reader.read(e.consumed)
+-                assert not line.endswith(b'\n')
++                assert not line.endswith(b'\r\n')
+             # A lone dot in a line signals the end of DATA.
+             if not line_fragments and line == b'.\r\n':
+                 break
+@@ -1406,7 +1407,7 @@
+                 # Discard data immediately to prevent memory pressure
+                 data *= 0
+             line_fragments.append(line)
+-            if line.endswith(b'\n'):
++            if line.endswith(b'\r\n'):
+                 # Record data only if state is "NOMINAL"
+                 if state == _DataState.NOMINAL:
+                     line = EMPTY_BARR.join(line_fragments)
diff -Nru python-aiosmtpd-1.4.3/debian/patches/series python-aiosmtpd-1.4.3/debian/patches/series
--- python-aiosmtpd-1.4.3/debian/patches/series	2023-05-25 15:09:53.000000000 +0100
+++ python-aiosmtpd-1.4.3/debian/patches/series	2024-06-07 18:11:07.000000000 +0100
@@ -2,3 +2,5 @@
 0002-Drop-sphinx-autofixture-extension-requirement.patch
 0003-Remove-imported-images-from-the-web-for-privacy.patch
 0004-Replace-a-dynamic-date-in-copyright-by-a-static-one.patch
+0005-cve-2024-34083.patch
+0006-cve-2024-27305.patch

--- End Message ---
--- Begin Message --- 
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---
Reply to: