--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python-aiosmtpd@packages.debian.org, dale@dalerichards.net
Control: affects -1 + src:python-aiosmtpd
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
This update resolves two security vulnerabilities present in
the version of python-aiosmtpd in Bookworm (1.4.3-1.1):
* CVE-2024-27305 - SMTP smuggling due to poor handling of
non-standard line endings (Bug: #1066820)
* CVE-2024-34083 - STARTTLS unencrypted command injection
(Bug: #1072119)
These have both been deemed unworthy of a DSA, but the
Security Team have suggested we update this package for the
next Bookworm point release.
[ Impact ]
Without this update, Debian 12 systems running aiosmtpd would
remain vulnerable to the two CVEs listed above.
[ Tests ]
The upstream package includes a comprehensive suite of tests,
all of which are passing with this new version. Additionally,
I have installed the new package on a Bookworm test box and
performed manual testing, confirming that the package's main
functionality works and that the two vulnerabilities are
correctly resolved.
[ Risks ]
The code changes are minor, and bring aiosmtpd into compliance
with the relevant sections of RFC 3207[1] and RFC 5321[2].
The update can therefore be considered low risk, and will not
cause an issue with any RFC-compliant SMTP client or MTA.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* CVE-2024-27305 - Patch aiosmtpd/smtp.py to accept only <CRLF>
as a line terminator, as mandated by RFC 5321[2]. This patch
has been adapted from the fix committed upstream[3].
* CVE-2024-34083 - Patch aiosmtpd/smtp.py to discard any
remaining unencrypted data in the input buffer upon completion
of a STARTTLS handshake, as mandated by RFC 3207[1]. This patch
has been adapted from the fix committed upstream[4].
[ Other info ]
References:
[1] https://datatracker.ietf.org/doc/html/rfc3207#page-7
[2] https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
[3] https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
[4] https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
diff -Nru python-aiosmtpd-1.4.3/debian/changelog python-aiosmtpd-1.4.3/debian/changelog
--- python-aiosmtpd-1.4.3/debian/changelog 2023-05-25 15:09:53.000000000 +0100
+++ python-aiosmtpd-1.4.3/debian/changelog 2024-06-07 18:11:07.000000000 +0100
@@ -1,3 +1,13 @@
+python-aiosmtpd (1.4.3-1.1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * CVE-2024-27305 - SMTP smuggling due to poor handling of
+ non-standard line endings (Closes: #1066820)
+ * CVE-2024-34083 - STARTTLS unencrypted command injection
+ (Closes: #1072119)
+
+ -- Dale Richards <dale@dalerichards.net> Fri, 07 Jun 2024 18:11:07 +0100
+
python-aiosmtpd (1.4.3-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch
--- python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch 2024-06-07 18:11:07.000000000 +0100
@@ -0,0 +1,19 @@
+Description: CVE-2024-34083 - STARTTLS unencrypted command injection
+Author: Dale Richards <dale@dalerichards.net>
+Origin: upstream, https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
+Bug: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
+Last-Update: 2024-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/aiosmtpd/smtp.py
++++ b/aiosmtpd/smtp.py
+@@ -504,6 +504,9 @@
+ self._reader._transport = transport
+ self._writer._transport = transport
+ self.transport = transport
++ # Discard any leftover unencrypted data
++ # See https://tools.ietf.org/html/rfc3207#page-7
++ self._reader._buffer.clear() # type: ignore[attr-defined]
+ # Do SSL certificate checking as rfc3207 part 4.1 says. Why is
+ # _extra a protected attribute?
+ self.session.ssl = self._tls_protocol._extra
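Review bot: the leftover plaintext is discarded silently; a conforming client sends nothing between STARTTLS and the TLS handshake (the RFC 3207 reference in the new comment), so a non-empty buffer at this point is a protocol violation and very likely an injection attempt, and it is worth surfacing in the server log before it is thrown away, e.g. `log.warning('Discarding %d bytes of pre-TLS data', len(self._reader._buffer))` ahead of the `clear()` (the module-level `log` is the one the DATA loop in 0006-cve-2024-27305.patch already uses). Reaching into the private `_buffer` is consistent with the surrounding `_reader._transport` assignments and the `# type: ignore` is appropriate. In the DEP-3 header, `Bug:` points at the GitHub advisory only; add `Bug-Debian: https://bugs.debian.org/1072119` so the Debian bug is linked from the patch as well as from the changelog.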
diff -Nru python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch
--- python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch 2024-06-07 18:11:07.000000000 +0100
@@ -0,0 +1,51 @@
+Description: CVE-2024-27305 - SMTP smuggling
+ SMTP smuggling due to poor handling of
+ non-standard line endings
+Author: Dale Richards <dale@dalerichards.net>
+Origin: upstream, https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
+Bug: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
+Last-Update: 2024-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/aiosmtpd/smtp.py
++++ b/aiosmtpd/smtp.py
+@@ -86,7 +86,7 @@
+ EMPTY_BARR = bytearray()
+ EMPTYBYTES = b''
+ MISSING = _Missing()
+-NEWLINE = '\n'
++NEWLINE = '\r\n'
+ VALID_AUTHMECH = re.compile(r"[A-Z0-9_-]+\Z")
+
+ # https://tools.ietf.org/html/rfc3207.html#page-3
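Review bot: NEWLINE is a str constant and none of its consumers appear in this hunk, so before accepting the backport grep the 1.4.3 tree for NEWLINE and check that every use (anything that splits or joins on it, or encodes it as a separator) expects CRLF; a consumer that compared a received line against a bare '\n' would change behaviour silently with this one-line edit.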
+@@ -1375,9 +1375,10 @@
+ # Since eof_received cancels this coroutine,
+ # readuntil() can never raise asyncio.IncompleteReadError.
+ try:
+- line: bytes = await self._reader.readuntil()
++ # https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
++ line: bytes = await self._reader.readuntil(b'\r\n')
+ log.debug('DATA readline: %s', line)
+- assert line.endswith(b'\n')
++ assert line.endswith(b'\r\n')
+ except asyncio.CancelledError:
+ # The connection got reset during the DATA command.
+ log.info('Connection lost during DATA')
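Review bot: with the separator now b'\r\n', a client that terminates lines with bare LF never satisfies readuntil(), so its DATA bytes accumulate until the reader's limit and surface as LimitOverrunError rather than line by line; that path is drained in the next hunk, but confirm that the response an LF-only client then receives (not visible in this diff) is the intended one. The comment kept above readuntil() about IncompleteReadError still holds. The rewritten assert only restates what readuntil() guarantees, so nothing security-relevant is lost when asserts are stripped under python -O.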
+@@ -1394,7 +1395,7 @@
+ data *= 0
+ # Drain the stream anyways
+ line = await self._reader.read(e.consumed)
+- assert not line.endswith(b'\n')
++ assert not line.endswith(b'\r\n')
+ # A lone dot in a line signals the end of DATA.
+ if not line_fragments and line == b'.\r\n':
+ break
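Review bot: the unchanged context `if not line_fragments and line == b'.\r\n'` shows the end-of-data comparison already required CRLF before this patch; the actual fix is the separator change in the previous hunk, which stops a `<LF>.<CRLF>` sequence from being returned as its own line and matched here, since it now arrives as the tail of a longer CRLF-terminated line. The new `assert not line.endswith(b'\r\n')` is consistent with that: `read(e.consumed)` returns the bytes before the separator, which cannot end in CRLF or readuntil() would have stopped there.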
+@@ -1406,7 +1407,7 @@
+ # Discard data immediately to prevent memory pressure
+ data *= 0
+ line_fragments.append(line)
+- if line.endswith(b'\n'):
++ if line.endswith(b'\r\n'):
+ # Record data only if state is "NOMINAL"
+ if state == _DataState.NOMINAL:
+ line = EMPTY_BARR.join(line_fragments)
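Review bot: `line.endswith(b'\r\n')` now agrees with the separator passed to readuntil(), so a fragment that ends in a bare LF stays in line_fragments instead of being committed as a complete line. The debdiff carries no test changes at all; if the upstream commit named in the Origin header includes tests for bare-LF bodies and `<LF>.<LF>` sequences inside DATA, backporting them would let the package's build-time test run cover this behaviour rather than relying on the manual testing described in the submission.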
diff -Nru python-aiosmtpd-1.4.3/debian/patches/series python-aiosmtpd-1.4.3/debian/patches/series
--- python-aiosmtpd-1.4.3/debian/patches/series 2023-05-25 15:09:53.000000000 +0100
+++ python-aiosmtpd-1.4.3/debian/patches/series 2024-06-07 18:11:07.000000000 +0100
@@ -2,3 +2,5 @@
0002-Drop-sphinx-autofixture-extension-requirement.patch
0003-Remove-imported-images-from-the-web-for-privacy.patch
0004-Replace-a-dynamic-date-in-copyright-by-a-static-one.patch
+0005-cve-2024-34083.patch
+0006-cve-2024-27305.patch
--- End Message ---
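The two behaviours the patches in this debdiff change, as an added illustration that is not aiosmtpd's code and not part of the submission: a simplified DATA loop modelled on the one in smtp.py (terminator check only, no line-length handling) is run over a constructed message containing a `<LF>.<CRLF>` sequence, once splitting on bare LF as `readuntil()` did before 0006-cve-2024-27305.patch and once on CRLF as it does after; and a constructed segment that pipelines commands behind STARTTLS is read with and without the buffer clear that 0005-cve-2024-34083.patch adds. The addresses and payloads are made up for the example, and the private `_buffer` attribute is touched only to mirror what the patch does.

```python
"""Added illustration, not code from aiosmtpd or the Debian patches: models the
two behaviours the patches change, using a plain asyncio.StreamReader fed from
constructed byte strings so it runs offline."""
import asyncio

# Constructed DATA payload (not a captured message). The body contains a
# "<LF>.<CRLF>" sequence that is NOT a valid end-of-data marker, followed by
# text an attacker hopes the server will execute as a second envelope.
SMUGGLED_DATA = (
    b"Subject: hello\r\n"
    b"\r\n"
    b"legit body\n"          # bare LF, no CR
    b".\r\n"                 # looks like a terminator only if lines split on LF
    b"MAIL FROM:<attacker@example.invalid>\r\n"
    b"RCPT TO:<victim@example.invalid>\r\n"
    b"DATA\r\n"
    b"smuggled body\r\n"
    b".\r\n"                 # the real <CRLF>.<CRLF>
)

# Constructed segment: STARTTLS with further commands pipelined behind it,
# i.e. sent in plaintext before any TLS handshake has taken place.
PIPELINED_STARTTLS = (
    b"STARTTLS\r\n"
    b"EHLO injected.example.invalid\r\n"
    b"MAIL FROM:<attacker@example.invalid>\r\n"
)


async def _read_data(reader: asyncio.StreamReader, separator: bytes):
    """Simplified DATA loop: read lines split on `separator` until a line that
    is exactly dot CR LF. Returns (body_lines, terminated, leftover), where
    `leftover` is what the command parser would be handed next."""
    body = []
    terminated = False
    while True:
        try:
            line = await reader.readuntil(separator)
        except asyncio.IncompleteReadError as err:
            # Client closed the stream before any terminator arrived.
            body.append(err.partial)
            break
        if line == b".\r\n":
            terminated = True
            break
        body.append(line)
    leftover = await reader.read()
    return body, terminated, leftover


def data_phase(separator: bytes):
    """separator=b'\\n' mimics the pre-patch readuntil() default;
    separator=b'\\r\\n' mimics the CVE-2024-27305 fix."""
    async def run():
        reader = asyncio.StreamReader()
        reader.feed_data(SMUGGLED_DATA)
        reader.feed_eof()
        return await _read_data(reader, separator)
    return asyncio.run(run())


def after_starttls(discard_plaintext: bool) -> bytes:
    """Return the bytes the command loop would read right after the TLS
    handshake. discard_plaintext=True mirrors the CVE-2024-34083 fix, which
    clears the StreamReader's private _buffer at that point."""
    async def run():
        reader = asyncio.StreamReader()
        reader.feed_data(PIPELINED_STARTTLS)
        cmd = await reader.readuntil(b"\r\n")
        assert cmd == b"STARTTLS\r\n"
        # The handshake would happen here on the raw transport; bytes that
        # arrived together with STARTTLS are still buffered, unencrypted.
        if discard_plaintext:
            reader._buffer.clear()  # same private attribute the patch uses
        reader.feed_eof()
        return await reader.read()
    return asyncio.run(run())


if __name__ == "__main__":
    for sep in (b"\n", b"\r\n"):
        body, done, rest = data_phase(sep)
        print(f"split on {sep!r}: {len(body)} body lines, terminated={done}, "
              f"next command bytes={rest[:20]!r}")
    for discard in (False, True):
        print(f"discard after STARTTLS={discard}: "
              f"command loop sees {after_starttls(discard)!r}")
```

Splitting on LF ends DATA at the fake terminator and hands the attacker's MAIL FROM to the command parser; splitting on CRLF keeps the whole sequence as body and ends only at the real `<CRLF>.<CRLF>`. Likewise, without the clear, the commands pipelined behind STARTTLS are the first thing the command loop reads after the handshake, as if they had been sent over TLS.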