Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package isync for openSUSE:Factory checked in at 2021-03-02 12:34:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/isync (Old) and /work/SRC/openSUSE:Factory/.isync.new.2378 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "isync" Tue Mar 2 12:34:56 2021 rev:7 rq:875977 version:1.3.5 Changes: -------- --- /work/SRC/openSUSE:Factory/isync/isync.changes 2021-01-06 19:57:19.785193608 +0100 +++ /work/SRC/openSUSE:Factory/.isync.new.2378/isync.changes 2021-03-02 12:46:26.260406399 +0100 @@ -1,0 +2,10 @@ +Sun Feb 28 10:54:30 UTC 2021 - Martin Hauke <[email protected]> + +- Update to version 1.3.5 (boo#1182488) + * This is a security release that fixes CVE-2021-20247. +- Update to version 1.3.4 + This is a maintenance release that contains exactly one change: + * fixed regression in handling NAMESPACE 'INBOX.', introduced in + v1.3.2 + +------------------------------------------------------------------- Old: ---- isync-1.3.3.tar.gz isync-1.3.3.tar.gz.asc New: ---- isync-1.3.5.tar.gz isync-1.3.5.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ isync.spec ++++++ --- /var/tmp/diff_new_pack.QnZEHq/_old 2021-03-02 12:46:26.764406835 +0100 +++ /var/tmp/diff_new_pack.QnZEHq/_new 2021-03-02 12:46:26.764406835 +0100 @@ -17,7 +17,7 @@ Name: isync -Version: 1.3.3 +Version: 1.3.5 Release: 0 Summary: Utility to synchronize IMAP mailboxes with local maildir folders License: GPL-2.0-only ++++++ isync-1.3.3.tar.gz -> isync-1.3.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/isync-1.3.3/ChangeLog new/isync-1.3.5/ChangeLog --- old/isync-1.3.3/ChangeLog 2020-08-04 14:44:26.000000000 +0200 +++ new/isync-1.3.5/ChangeLog 2021-02-21 21:25:34.000000000 +0100 @@ -1,3 +1,38 @@ +2021-02-21 20:24 Oswald Buddenhagen <[email protected]> + + * configure.ac: + + bump version + +2021-02-14 19:42 Oswald Buddenhagen <[email protected]> + + * src/drv_imap.c: + + CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB + + in particular, '..' in the name could be used to escape the Path/Inbox + of a Maildir Store, which could be exploited for stealing or deleting + data, or staging a (mild) DoS attack. + +2021-02-03 13:44 Oswald Buddenhagen <[email protected]> + + * configure.ac: + + bump version + +2021-02-03 13:25 Oswald Buddenhagen <[email protected]> + + * src/drv_imap.c: + + unbreak handling of 'INBOX.' NAMESPACE again + + INBOX matching must not prevent prefix (namespace) stripping, as INBOX + may be the namespace. + + amends 04fc586e7. + + REFMAIL: [email protected] + 2020-08-04 12:44 Oswald Buddenhagen <[email protected]> * configure.ac: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/isync-1.3.3/Makefile.in new/isync-1.3.5/Makefile.in --- old/isync-1.3.3/Makefile.in 2020-08-04 14:44:24.000000000 +0200 +++ new/isync-1.3.5/Makefile.in 2021-02-21 21:25:33.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. @@ -229,6 +229,8 @@ DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best DIST_TARGETS = dist-gzip +# Exists only to be overridden by the user if desired. +AM_DISTCHECK_DVI_TARGET = dvi distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' @@ -746,7 +748,7 @@ $(DISTCHECK_CONFIGURE_FLAGS) \ --srcdir=../.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ - && $(MAKE) $(AM_MAKEFLAGS) dvi \ + && $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \ && $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) install \ && $(MAKE) $(AM_MAKEFLAGS) installcheck \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/isync-1.3.3/aclocal.m4 new/isync-1.3.5/aclocal.m4 --- old/isync-1.3.3/aclocal.m4 2020-08-04 14:44:23.000000000 +0200 +++ new/isync-1.3.5/aclocal.m4 2021-02-21 21:25:32.000000000 +0100 @@ -1,4 +1,4 @@ -# generated automatically by aclocal 1.16.2 -*- Autoconf -*- +# generated automatically by aclocal 1.16.3 -*- Autoconf -*- # Copyright (C) 1996-2020 Free Software Foundation, Inc. @@ -311,7 +311,7 @@ [am__api_version='1.16' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.16.2], [], +m4_if([$1], [1.16.3], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -327,7 +327,7 @@ # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.16.2])dnl +[AM_AUTOMAKE_VERSION([1.16.3])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) @@ -979,12 +979,7 @@ [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl AC_REQUIRE_AUX_FILE([missing])dnl if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/isync-1.3.3/configure new/isync-1.3.5/configure --- old/isync-1.3.3/configure 2020-08-04 14:44:23.000000000 +0200 +++ new/isync-1.3.5/configure 2021-02-21 21:25:33.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for isync 1.3.3. +# Generated by GNU Autoconf 2.69 for isync 1.3.5. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -577,8 +577,8 @@ # Identity of this package. PACKAGE_NAME='isync' PACKAGE_TARNAME='isync' -PACKAGE_VERSION='1.3.3' -PACKAGE_STRING='isync 1.3.3' +PACKAGE_VERSION='1.3.5' +PACKAGE_STRING='isync 1.3.5' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1297,7 +1297,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures isync 1.3.3 to adapt to many kinds of systems. +\`configure' configures isync 1.3.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1364,7 +1364,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of isync 1.3.3:";; + short | recursive ) echo "Configuration of isync 1.3.5:";; esac cat <<\_ACEOF @@ -1470,7 +1470,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -isync configure 1.3.3 +isync configure 1.3.5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1835,7 +1835,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by isync $as_me 1.3.3, which was +It was created by isync $as_me 1.3.5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2390,12 +2390,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then @@ -2700,7 +2695,7 @@ # Define the identity of the package. PACKAGE='isync' - VERSION='1.3.3' + VERSION='1.3.5' cat >>confdefs.h <<_ACEOF @@ -5740,7 +5735,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by isync $as_me 1.3.3, which was +This file was extended by isync $as_me 1.3.5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -5806,7 +5801,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -isync config.status 1.3.3 +isync config.status 1.3.5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/isync-1.3.3/configure.ac new/isync-1.3.5/configure.ac --- old/isync-1.3.3/configure.ac 2020-08-04 14:44:15.000000000 +0200 +++ new/isync-1.3.5/configure.ac 2021-02-21 21:24:44.000000000 +0100 @@ -1,4 +1,4 @@ -AC_INIT([isync], [1.3.3]) +AC_INIT([isync], [1.3.5]) AC_CONFIG_HEADERS([autodefs.h]) AM_INIT_AUTOMAKE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/isync-1.3.3/isync.spec new/isync-1.3.5/isync.spec --- old/isync-1.3.3/isync.spec 2020-08-04 14:44:25.000000000 +0200 +++ new/isync-1.3.5/isync.spec 2021-02-21 21:25:34.000000000 +0100 @@ -1,10 +1,10 @@ Summary: Utility to synchronize IMAP mailboxes with local maildir folders Name: isync -Version: 1.3.3 +Version: 1.3.5 Release: 1 License: GPL Group: Applications/Internet -Source: isync-1.3.3.tar.gz +Source: isync-1.3.5.tar.gz URL: http://isync.sf.net/ Packager: Oswald Buddenhagen <[email protected]> BuildRoot: /var/tmp/%{name}-buildroot diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/isync-1.3.3/src/Makefile.in new/isync-1.3.5/src/Makefile.in --- old/isync-1.3.3/src/Makefile.in 2020-08-04 14:44:24.000000000 +0200 +++ new/isync-1.3.5/src/Makefile.in 2021-02-21 21:25:33.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/isync-1.3.3/src/compat/Makefile.in new/isync-1.3.5/src/compat/Makefile.in --- old/isync-1.3.3/src/compat/Makefile.in 2020-08-04 14:44:24.000000000 +0200 +++ new/isync-1.3.5/src/compat/Makefile.in 2021-02-21 21:25:33.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/isync-1.3.3/src/drv_imap.c new/isync-1.3.5/src/drv_imap.c --- old/isync-1.3.3/src/drv_imap.c 2020-08-04 14:42:42.000000000 +0200 +++ new/isync-1.3.5/src/drv_imap.c 2021-02-15 16:58:41.000000000 +0100 @@ -1258,23 +1258,25 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED ) { string_list_t *narg; - char *arg; + char *arg, c; int argl, l; if (!is_atom( list )) { error( "IMAP error: malformed LIST response\n" ); + listbad: free_list( list ); return LIST_BAD; } arg = list->val; argl = list->len; - if (is_inbox( ctx, arg, argl )) { - // The server might be weird and have a non-uppercase INBOX. It - // may legitimately do so, but we need the canonical spelling. - memcpy( arg, "INBOX", 5 ); - } else if ((l = strlen( ctx->prefix ))) { - if (!starts_with( arg, argl, ctx->prefix, l )) + if ((l = strlen( ctx->prefix ))) { + if (!starts_with( arg, argl, ctx->prefix, l )) { + if (is_inbox( ctx, arg, argl )) { + // INBOX and its subfolders bypass the namespace. + goto inbox; + } goto skip; + } arg += l; argl -= l; // A folder named "INBOX" would be indistinguishable from the @@ -1286,6 +1288,14 @@ warn( "IMAP warning: ignoring INBOX in %s\n", ctx->prefix ); goto skip; } + } else if (is_inbox( ctx, arg, argl )) { + inbox: + // The server might be weird and have a non-uppercase INBOX. It + // may legitimately do so, but we need the canonical spelling. + // Note that we do that only after prefix matching, under the + // assumption that the NAMESPACE (or Path) matches the + // capitalization of LIST. + memcpy( arg, "INBOX", 5 ); } if (argl >= 5 && !memcmp( arg + argl - 5, ".lock", 5 )) /* workaround broken servers */ goto skip; @@ -1293,6 +1303,34 @@ warn( "IMAP warning: ignoring mailbox %s (reserved character '/' in name)\n", arg ); goto skip; } + // Validate the normalized name. Technically speaking, we could tolerate + // '//' and '/./', and '/../' being forbidden is a limitation of the Maildir + // driver, but there isn't really a legitimate reason for these being present. + for (const char *p = narg->string, *sp = p;;) { + if (!(c = *p) || c == '/') { + uint pcl = (uint)(p - sp); + if (!pcl) { + error( "IMAP warning: ignoring mailbox '%s' due to empty name component\n", narg->string ); + free( narg ); + goto skip; + } + if (pcl == 1 && sp[0] == '.') { + error( "IMAP warning: ignoring mailbox '%s' due to '.' component\n", narg->string ); + free( narg ); + goto skip; + } + if (pcl == 2 && sp[0] == '.' && sp[1] == '.') { + error( "IMAP error: LIST'd mailbox name '%s' contains '..' component - THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", narg->string ); + free( narg ); + goto listbad; + } + if (!c) + break; + sp = ++p; + } else { + ++p; + } + } narg->next = ctx->boxes; ctx->boxes = narg; skip:
