
Bug#1109735: marked as done (unblock: sope/5.12.1-2)



Your message dated Wed, 23 Jul 2025 18:45:18 +0000
with message-id <E1ueeSs-00CeLf-14@respighi.debian.org>
and subject line unblock sope
has caused the Debian Bug report #1109735,
regarding unblock: sope/5.12.1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109735: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109735
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: sope@packages.debian.org
Control: affects -1 + src:sope
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package sope

[ Reason ]

This upload includes the proposed patch for CVE-2025-53603,
plus cherry-picks two of the three commits that were included
in the upstream 5.12.2 release, and that fix issues reported
by 5.12.x users.

[ Impact ]

An easy-to-trigger DoS condition won't be patched, and
some non-compliant SMTP implementations won't be able to
speak to SOGo. Additionally, a one-liner auth optimization
for OpenID users won't be present.

[ Tests ]
None, just manual testing.

[ Risks ]

The CVE fix has not been accepted by upstream yet, so I don't
know if they will accept it as is or they will pick another
solution.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock sope/5.12.1-2
diff -Nru sope-5.12.1/debian/changelog sope-5.12.1/debian/changelog
--- sope-5.12.1/debian/changelog	2025-05-04 23:13:11.000000000 +0200
+++ sope-5.12.1/debian/changelog	2025-07-22 22:34:25.000000000 +0200
@@ -1,3 +1,13 @@
+sope (5.12.1-2) unstable; urgency=medium
+
+  * [CVE-2025-53603] Add proposed patch to fix DoS-enabling segfault
+    (closes: #1108798).
+  * Cherry-pick two additional fixes from the 5.12.2 release.
+    - allow SMTP replies that don't adhere to the SMTP spec
+    - don't check for the auth bearer token
+
+ -- Jordi Mallach <jordi@debian.org>  Tue, 22 Jul 2025 22:34:25 +0200
+
 sope (5.12.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru sope-5.12.1/debian/patches/git_CVE-2025-53603.patch sope-5.12.1/debian/patches/git_CVE-2025-53603.patch
--- sope-5.12.1/debian/patches/git_CVE-2025-53603.patch	1970-01-01 01:00:00.000000000 +0100
+++ sope-5.12.1/debian/patches/git_CVE-2025-53603.patch	2025-07-07 15:31:00.000000000 +0200
@@ -0,0 +1,143 @@
+From 280104e45c20519ac4849ebf8bca114d91383543 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <source@stbuehler.de>
+Date: Sun, 29 Jun 2025 10:21:32 +0200
+Subject: [PATCH] NGHashMap: keep root->last consistent to fix segfault adding
+ duplicate key after copy
+
+segfault because root->last is NULL:
+    #0 -[NGMutableHashMap addObjects:count:forKey:]
+    #1 -[NGMutableHashMap addObject:forKey:]
+    #2 -[NGHttpRequest(WOSupport) _decodeFormContentURLParameters:]
+    #3 -[NGHttpRequest(WOSupport) formParameters]
+
+when POST and GET set the same parameter; trigger like this:
+
+    curl -d 'x=' 'https://.../SOGo/?x='
+---
+ sope-core/NGExtensions/NGHashMap.m | 33 ++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
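Review bot: The patch header, from the From/Date/Subject lines down to the diffstat, carries no DEP-3 fields, so nothing inside debian/patches records that this fix is still only proposed upstream. Adding Forwarded:, Bug-Debian: https://bugs.debian.org/1108798 and Last-Update: lines would tell the next uploader when to replace it with whatever upstream merges.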
+diff --git a/sope-core/NGExtensions/NGHashMap.m b/sope-core/NGExtensions/NGHashMap.m
+index 8b05ebb..f8df722 100644
+--- a/sope-core/NGExtensions/NGHashMap.m
++++ b/sope-core/NGExtensions/NGHashMap.m
+@@ -216,6 +216,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+   NSEnumerator *keys    = nil;
+   id            key     = nil;
+   LList *list    = NULL;
++  LList *root    = NULL;
+   LList *newList = NULL;
+   LList *oldList = NULL;
+ 
+@@ -223,7 +224,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+     keys  = [_hashMap keyEnumerator];
+     while ((key = [keys nextObject])) {
+       list           = [_hashMap __structForKey:key];
+-      newList        = initLListElement(list->object,NULL);
++      root = newList = initLListElement(list->object,NULL);
+       newList->count = list->count;
+       NSMapInsert(self->table,key,newList);
+       while (list->next) {
+@@ -232,6 +233,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+         newList       = initLListElement(list->object,NULL);
+         oldList->next = newList;
+       }
++      root->last = newList;
+     }
+   }
+   return self;
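Review bot: Nothing in this debdiff exercises the copy path fixed here (`root = newList = ...` followed by `root->last = newList;`), and the request lists manual testing only. A small regression test that copies a map already holding a key and then calls addObject:forKey: with the same key would pin the invariant that root->last is non-NULL after a copy, which matters if upstream later merges a different fix and this patch is dropped.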
+@@ -257,6 +259,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+       pred       = element;
+     }
+     root->count = i;
++    root->last  = pred;
+     NSMapInsert(self->table,_key, root);
+   }
+   NSAssert(self->table, @"missing table for hashmap ..");
+@@ -712,6 +715,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ {
+   id            object  = nil;
+   LList *root    = NULL;
++  LList *insert  = NULL;
+   LList *element = NULL;
+   unsigned i = 0;
+   
+@@ -728,10 +732,13 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+     }
+ 
+     root        = initLListElement(_objects[0], NULL);
++    insert = root;
+     root->count = _count;
++    // set root->last to last inserted element later
+     NSMapInsert(self->table, _key, root);
+   }
+   else {
++    insert = root;
+     if (!(_index < root->count)) {
+       [NSException raise:NSRangeException
+                   format:@"index %"PRIuPTR" out of range in map 0x%p length %d",
+@@ -741,30 +748,38 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+     
+     root->count += _count;
+     if (_index == 0) {
++      // move current data at pos 0 to new element (prepending
++      // a new element would require replacing entry in NSMapTable)
+       element         = initLListElement(_objects[0],NULL);
+       object          = element->object;
+       element->next   = root->next;
+       element->object = root->object;      
+       root->object    = object;
+       root->next      = element;
++      if (root->last == root)
++        root->last = element; // inserted at pos 0 before the only item
+     }
+     else {
+       while (--_index)
+-        root = root->next;
++        insert = insert->next;
++      if (root->last == insert)
++        root->last = NULL; // set to last inserted element later
+ 
+       element       = initLListElement(_objects[0], NULL);
+-      element->next = root->next;
+-      root->next    = element;
+-      root          = root->next;
++      element->next = insert->next;
++      insert->next    = element;
++      insert          = insert->next;
+     }
+   }
+   for (i = 1; i < _count; i++) {
+     checkForAddErrorMessage(self, _objects[i], _key);
+     element       = initLListElement(_objects[i], NULL);
+-    element->next = root->next;
+-    root->next    = element;
+-    root          = element;
++    element->next = insert->next;
++    insert->next    = element;
++    insert          = element;
+   }
++  if (root->last == NULL)
++    root->last = insert;
+ }
+ 
+ /* adding objects */
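Review bot: In the insert path, root->last doubles as a temporary NULL sentinel (`root->last = NULL; // set to last inserted element later`) while root is already reachable from the table, and it is only repaired by the closing `if (root->last == NULL) root->last = insert;`. If checkForAddErrorMessage in the loop can raise, the list is left with last == NULL, the state that caused the original segfault. The new-key branch also relies on initLListElement leaving last as NULL, which these lines do not show. A local flag such as "tail changed", with root->last assigned once at the end, would keep the field valid throughout and remove that dependency.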
+@@ -864,6 +879,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+       root->next   = list->next;
+       root->object = list->object;
+       root->count--;
++      // cleanup root->last (could be list!) after loop below
+       if (list) free(list);
+       list = NULL;
+     }
+@@ -880,6 +896,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+         list = oldList;
+       }
+     }
++    root->last = list; // list->next is NULL, i.e. it is the last
+     root->count -= cnt;
+   }
+ }
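Review bot: `root->last = list;` is only correct if list is non-NULL and is the tail when the loop ends, but the earlier branch in this function does `if (list) free(list);` followed by `list = NULL;`, and the visible lines do not show list being reassigned on every path before this statement. If the loop can finish without touching list, root->last becomes NULL or dangling again. An NSAssert on `list != NULL && list->next == NULL` just before the assignment, or walking from root to find the tail, would make the comment's claim checkable.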
+-- 
+2.50.0
+
diff -Nru sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch
--- sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch	1970-01-01 01:00:00.000000000 +0100
+++ sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch	2025-07-22 22:34:25.000000000 +0200
@@ -0,0 +1,19 @@
+commit 2bec3d956c766b9cfbb37bef1f1868cea1293974
+Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date:   Wed Jun 11 12:53:22 2025 +0200
+
+    fix(proxy): don't check bearer token auth
+
+diff --git a/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m b/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m
+index c0ee61d..a758311 100644
+--- a/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m
++++ b/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m
+@@ -327,7 +327,7 @@ static int logCounter = 0;
+           
+     auth = [[request valuesOfHeaderFieldWithName:@"authorization"]
+                      nextObject];
+-    if (auth) {
++    if (auth && ![[auth lowercaseString] hasPrefix: @"bearer"]) {
+       if (![auth isKindOfClass:[NGHttpCredentials class]]) {
+         auth =
+           [NGHttpCredentials credentialsWithString:[auth stringValue]];
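Review bot: The new condition sends lowercaseString to auth before the `isKindOfClass:[NGHttpCredentials class]` check on the next line, yet that check and the `[auth stringValue]` call imply auth is not guaranteed to be an NSString here, so the prefix test can hit an object that does not respond to lowercaseString. `hasPrefix: @"bearer"` also matches any scheme name that merely starts with those letters. Testing `[[auth stringValue] lowercaseString]` against @"bearer " (with the trailing space) inside the non-credentials branch would be tighter, and the commit message should say which later step is expected to validate the token once this block is skipped.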
diff -Nru sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch
--- sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch	1970-01-01 01:00:00.000000000 +0100
+++ sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch	2025-07-22 22:34:25.000000000 +0200
@@ -0,0 +1,30 @@
+commit 927aaeadcff6a55416e1ef29faa7bbe90d63daea
+Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date:   Tue Jun 17 15:28:53 2025 +0200
+
+    fix(smtp): allow smtp replies with only 3 chars (being the number code) instead of 4 (code + space)
+
+diff --git a/sope-mime/NGMail/NGSmtpClient.m b/sope-mime/NGMail/NGSmtpClient.m
+index fa0cfb3..c6ec39f 100644
+--- a/sope-mime/NGMail/NGSmtpClient.m
++++ b/sope-mime/NGMail/NGSmtpClient.m
+@@ -478,6 +478,19 @@
+   NGSmtpReplyCode code  = -1;
+ 
+   line = [self->text readLineAsString];
++  if([line length] == 3) {
++    //Invalid but can happen with some smtp server that does not follow correctly the smtp specs
++    //and only send the code number instead of the code + a space.
++    code = [[line substringToIndex:3] intValue];
++    if(code == 0)
++    {
++      NSLog(@"SMTP: reply has invalid format and is not a code of 3 chars (%@)", line);
++      return nil;
++    }
++    desc = [NSMutableString stringWithCapacity:[line length]];
++    return [NGSmtpResponse responseWithCode:code text:desc];
++  }
++
+   if ([line length] < 4) {
+     NSLog(@"SMTP: reply has invalid format (%@)", line);
+     return nil;
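Review bot: In the three-character branch, `code = [[line substringToIndex:3] intValue];` with only a `code == 0` check accepts lines that are not three digits: intValue parses a leading numeric prefix, so inputs such as "1ab" or "-12" yield a non-zero code and are returned as a valid NGSmtpResponse. Since the line comes from the remote server, check that all three characters are decimal digits (and ideally that the value is in the 200 to 599 range) before building the response. The substringToIndex:3 call is redundant when the length is already known to be 3, and desc is returned as an empty string, which is worth a comment.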
diff -Nru sope-5.12.1/debian/patches/series sope-5.12.1/debian/patches/series
--- sope-5.12.1/debian/patches/series	2025-03-24 14:14:00.000000000 +0100
+++ sope-5.12.1/debian/patches/series	2025-07-22 22:34:25.000000000 +0200
@@ -1,3 +1,6 @@
 0001-do-not-build-json.patch
 0002-Do-not-build-xmlrpc-and-stxsaxdriver.patch
 0003-Unset-MAKEFLAGS-and-MFLAGS-in-configure.patch
+git_CVE-2025-53603.patch
+git_dont_check_bearer_token.patch
+git_smtp_replies_with_3_chars.patch

--- End Message ---
--- Begin Message ---
Unblocked sope.

--- End Message ---
