Hello community, here is the log from the commit of package cyrus-imapd for openSUSE:11.4 checked in at Wed Oct 5 16:59:05 CEST 2011.
-------- --- old-versions/11.4/UPDATES/all/cyrus-imapd/cyrus-imapd.changes 2011-09-09 09:41:31.000000000 +0200 +++ 11.4/cyrus-imapd/cyrus-imapd.changes 2011-10-05 09:14:05.000000000 +0200 @@ -1,0 +2,9 @@ +Tue Oct 4 08:53:22 UTC 2011 - [email protected] + +- Malicious NNTP clients could bypass the authentication and + execute commands that normally require authentication. + (bnc#719998, CVE-2011-3372) +- Fixed a potential DoS bug, when server-side threading is used + (bnc#718428, CVE-2011-3481) + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- cyrus-imapd_nntp-auth-vuln.dif cyrus-imapd_references_header-dos.dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cyrus-imapd.spec ++++++ --- /var/tmp/diff_new_pack.qrU65Q/_old 2011-10-05 16:58:14.000000000 +0200 +++ /var/tmp/diff_new_pack.qrU65Q/_new 2011-10-05 16:58:14.000000000 +0200 @@ -57,7 +57,7 @@ %endif Summary: The Cyrus IMAP and POP Mail Server Version: 2.3.16 -Release: 16.<RELEASE19> +Release: 16.<RELEASE21> Source: %{prjname}-%{version}.tar.bz2 Source1: cyrus-imapd-rc.tar.gz Source2: DB_CONFIG @@ -75,6 +75,8 @@ Patch19: cyrus-imapd-libdb-4_8.patch Patch20: cyrus-imapd-STARTTLS-plaintext-command-injection.dif Patch21: cyrus-imapd_nntp-overflow.dif +Patch22: cyrus-imapd_references_header-dos.dif +Patch23: cyrus-imapd_nntp-auth-vuln.dif %if %{with_kolab} # KOLAB_cyrus-imapd patches are maintained at @@ -189,6 +191,8 @@ %patch19 -p1 %patch20 -p2 %patch21 -p1 +%patch22 -p1 +%patch23 -p1 %if %{with_kolab} %patch100 -p1 ++++++ cyrus-imapd_nntp-auth-vuln.dif ++++++ Index: cyrus-imapd-2.3.16/imap/nntpd.c =================================================================== --- cyrus-imapd-2.3.16.orig/imap/nntpd.c +++ cyrus-imapd-2.3.16/imap/nntpd.c @@ -887,7 +887,7 @@ static void cmdloop(void) /* Only Authinfo/Capabilities/Check/Head/Help/Ihave/List Active/ Mode/Quit/Starttls/Stat/Takethis allowed when not logged in */ - if (!nntp_userid && !allowanonymous && + if (!nntp_authstate && !allowanonymous && !strchr("ACHILMQST", cmd.s[0])) goto nologin; switch (cmd.s[0]) { @@ -928,7 +928,7 @@ static void cmdloop(void) "501 Unrecognized AUTHINFO command\r\n"); } else if (!(nntp_capa & MODE_READ)) goto noperm; - else if (!nntp_userid && !allowanonymous) goto nologin; + else if (!nntp_authstate && !allowanonymous) goto nologin; else if (!strcmp(cmd.s, "Article")) { char curgroup[MAX_MAILBOX_BUFFER], *msgid; @@ -1084,7 +1084,7 @@ static void cmdloop(void) cmd_help(); } else if (!(nntp_capa & MODE_READ)) goto noperm; - else if (!nntp_userid && !allowanonymous) goto nologin; + else if (!nntp_authstate && !allowanonymous) goto nologin; else if (!strcmp(cmd.s, "Hdr")) { char curgroup[MAX_MAILBOX_BUFFER], *msgid; @@ -1168,7 +1168,7 @@ static void cmdloop(void) cmd_list(arg1.len ? arg1.s : NULL, arg2.len ? arg2.s : NULL); } else if (!(nntp_capa & MODE_READ)) goto noperm; - else if (!nntp_userid && !allowanonymous) goto nologin; + else if (!nntp_authstate && !allowanonymous) goto nologin; else if (!strcmp(cmd.s, "Last")) { if (c == '\r') c = prot_getc(nntp_in); if (c != '\n') goto extraargs; @@ -1445,7 +1445,7 @@ static void cmdloop(void) mode = ARTICLE_STAT; goto article; } - else if (!nntp_userid && !allowanonymous) goto nologin; + else if (!nntp_authstate && !allowanonymous) goto nologin; else if (!strcmp(cmd.s, "Slave")) { if (c == '\r') c = prot_getc(nntp_in); if (c != '\n') goto extraargs; @@ -1813,7 +1813,7 @@ static int open_group(char *name, int ha if (newserver) { /* remote group */ backend_next = proxy_findserver(newserver, &nntp_protocol, - nntp_userid ? nntp_userid : "anonymous", + nntp_authstate ? nntp_userid : "anonymous", &backend_cached, &backend_current, NULL, nntp_in); if (!backend_next) return IMAP_SERVER_UNAVAILABLE; @@ -1881,7 +1881,7 @@ static void cmd_capabilities(char *keywo if (mechcount) prot_printf(nntp_out, "%s", mechlist); /* add the reader capabilities/extensions */ - if ((nntp_capa & MODE_READ) && (nntp_userid || allowanonymous)) { + if ((nntp_capa & MODE_READ) && (nntp_authstate || allowanonymous)) { prot_printf(nntp_out, "READER\r\n"); prot_printf(nntp_out, "POST\r\n"); if (config_getswitch(IMAPOPT_ALLOWNEWNEWS)) @@ -1899,7 +1899,7 @@ static void cmd_capabilities(char *keywo /* add the LIST variants */ prot_printf(nntp_out, "LIST ACTIVE%s\r\n", - ((nntp_capa & MODE_READ) && (nntp_userid || allowanonymous)) ? + ((nntp_capa & MODE_READ) && (nntp_authstate || allowanonymous)) ? " HEADERS NEWSGROUPS OVERVIEW.FMT" : ""); prot_printf(nntp_out, ".\r\n"); @@ -2333,7 +2333,7 @@ static void cmd_help(void) { prot_printf(nntp_out, "100 Supported commands:\r\n"); - if ((nntp_capa & MODE_READ) && (nntp_userid || allowanonymous)) { + if ((nntp_capa & MODE_READ) && (nntp_authstate || allowanonymous)) { prot_printf(nntp_out, "\tARTICLE [ message-id | number ]\r\n" "\t\tRetrieve entirety of the specified article.\r\n"); } @@ -2348,7 +2348,7 @@ static void cmd_help(void) prot_printf(nntp_out, "\tAUTHINFO PASS password\r\n" "\t\tPresent clear-text password for authentication.\r\n"); } - if ((nntp_capa & MODE_READ) && (nntp_userid || allowanonymous)) { + if ((nntp_capa & MODE_READ) && (nntp_authstate || allowanonymous)) { prot_printf(nntp_out, "\tBODY [ message-id | number ]\r\n" "\t\tRetrieve body of the specified article.\r\n"); } @@ -2358,7 +2358,7 @@ static void cmd_help(void) prot_printf(nntp_out, "\tCHECK message-id\r\n" "\t\tCheck if the server wants the specified article.\r\n"); } - if ((nntp_capa & MODE_READ) && (nntp_userid || allowanonymous)) { + if ((nntp_capa & MODE_READ) && (nntp_authstate || allowanonymous)) { prot_printf(nntp_out, "\tDATE\r\n" "\t\tRequest the current server UTC date and time.\r\n"); prot_printf(nntp_out, "\tGROUP group\r\n" @@ -2375,13 +2375,13 @@ static void cmd_help(void) prot_printf(nntp_out, "\tIHAVE message-id\r\n" "\t\tPresent/transfer the specified article to the server.\r\n"); } - if ((nntp_capa & MODE_READ) && (nntp_userid || allowanonymous)) { + if ((nntp_capa & MODE_READ) && (nntp_authstate || allowanonymous)) { prot_printf(nntp_out, "\tLAST\r\n" "\t\tSelect the previous article.\r\n"); } prot_printf(nntp_out, "\tLIST [ ACTIVE wildmat ]\r\n" "\t\tList the (subset of) valid newsgroups.\r\n"); - if ((nntp_capa & MODE_READ) && (nntp_userid || allowanonymous)) { + if ((nntp_capa & MODE_READ) && (nntp_authstate || allowanonymous)) { prot_printf(nntp_out, "\tLIST HEADERS [ MSGID | RANGE ]\r\n" "\t\tList the headers and metadata items available via HDR.\r\n"); prot_printf(nntp_out, "\tLIST NEWSGROUPS [wildmat]\r\n" @@ -2414,7 +2414,7 @@ static void cmd_help(void) prot_printf(nntp_out, "\tTAKETHIS message-id\r\n" "\t\tTransfer the specified article to the server.\r\n"); } - if ((nntp_capa & MODE_READ) && (nntp_userid || allowanonymous)) { + if ((nntp_capa & MODE_READ) && (nntp_authstate || allowanonymous)) { prot_printf(nntp_out, "\tXPAT header message-id|range wildmat\r\n" "\t\tList the specified article(s) in which the contents\r\n" "\t\tof the specified header/metadata matches the wildmat.\r\n"); @@ -2484,7 +2484,7 @@ void list_proxy(char *server, void *data char *result; be = proxy_findserver(server, &nntp_protocol, - nntp_userid ? nntp_userid : "anonymous", + nntp_authstate ? nntp_userid : "anonymous", &backend_cached, &backend_current, NULL, nntp_in); if (!be) return; @@ -2621,7 +2621,8 @@ static void cmd_list(char *arg1, char *a strcpy(pattern, newsprefix); strcat(pattern, "*"); list_cb(NULL, 0, 0, NULL); - mboxlist_findall(NULL, pattern, 0, nntp_userid, nntp_authstate, + mboxlist_findall(NULL, pattern, 0, + nntp_authstate ? nntp_userid : NULL, nntp_authstate, list_cb, &lrock); /* proxy to the backends */ @@ -2645,7 +2646,7 @@ static void cmd_list(char *arg1, char *a prot_printf(nntp_out, "502 Permission denied\r\n"); return; } - else if (!nntp_userid && !allowanonymous) { + else if (!nntp_authstate && !allowanonymous) { prot_printf(nntp_out, "480 Authentication required\r\n"); return; } @@ -2682,7 +2683,8 @@ static void cmd_list(char *arg1, char *a strcpy(pattern, newsprefix); strcat(pattern, "*"); list_cb(NULL, 0, 0, NULL); - mboxlist_findall(NULL, pattern, 0, nntp_userid, nntp_authstate, + mboxlist_findall(NULL, pattern, 0, + nntp_authstate ? nntp_userid : NULL, nntp_authstate, list_cb, &lrock); /* proxy to the backends */ @@ -3245,7 +3247,7 @@ static int deliver_remote(message_data_t char buf[4096]; be = proxy_findserver(d->server, &nntp_protocol, - nntp_userid ? nntp_userid : "anonymous", + nntp_authstate ? nntp_userid : "anonymous", &backend_cached, &backend_current, NULL, nntp_in); if (!be) return IMAP_SERVER_UNAVAILABLE; @@ -3323,7 +3325,8 @@ static int deliver(message_data_t *msg) } r = append_setup(&as, rcpt, MAILBOX_FORMAT_NORMAL, - nntp_userid, nntp_authstate, ACL_POST, 0); + nntp_authstate ? nntp_userid : NULL, + nntp_authstate, ACL_POST, 0); if (!r) { prot_rewind(msg->data); ++++++ cyrus-imapd_references_header-dos.dif ++++++ Index: cyrus-imapd-2.3.17/imap/index.c =================================================================== --- cyrus-imapd-2.3.17.orig/imap/index.c +++ cyrus-imapd-2.3.17/imap/index.c @@ -192,6 +192,7 @@ static void index_thread_orderedsubj(uns static void index_thread_sort(Thread *root, struct sortcrit *sortcrit); static void index_thread_print(Thread *threads, int usinguid); static void index_thread_ref(unsigned *msgno_list, int nmsg, int usinguid); +static void massage_header(char *hdr); /* NOTE: Make sure these are listed in CAPABILITY_STRING */ static const struct thread_algorithm thread_algs[] = { @@ -4132,6 +4133,7 @@ void index_get_ids(MsgData *msgdata, cha /* allocate some space for refs */ msgdata->ref = (char **) xmalloc(refsize * sizeof(char *)); /* find references */ + massage_header(buf); refstr = buf; while ((ref = find_msgid(refstr, &refstr)) != NULL) { /* reallocate space for this msgid if necessary */ continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
