Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package isync for openSUSE:Factory checked in at 2022-01-27 23:16:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/isync (Old) and /work/SRC/openSUSE:Factory/.isync.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "isync" Thu Jan 27 23:16:55 2022 rev:10 rq:949393 version:1.4.4 Changes: -------- --- /work/SRC/openSUSE:Factory/isync/isync.changes 2021-08-11 11:47:51.293700475 +0200 +++ /work/SRC/openSUSE:Factory/.isync.new.1898/isync.changes 2022-01-27 23:18:39.474277200 +0100 @@ -1,0 +2,11 @@ +Wed Jan 5 09:19:39 UTC 2022 - Dirk M??ller <[email protected]> + +- update to 1.4.4 (bsc#1193376, bsc#1192985, CVE-2021-3657, CVE-2021-44143): + * fixed CVE-2021-3657: multiple buffer overflows on excessively large + IMAP literals + * fixed CVE-2021-44143: buffer overflow on header-less messages + * fixed crash on certain malformed messages in Maildirs + * fixed somewhat spurious notice about conflicting changes on + messages marked as deleted + +------------------------------------------------------------------- Old: ---- isync-1.4.3.tar.gz isync-1.4.3.tar.gz.asc New: ---- isync-1.4.4.tar.gz isync-1.4.4.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ isync.spec ++++++ --- /var/tmp/diff_new_pack.v2Oi4c/_old 2022-01-27 23:18:40.070273082 +0100 +++ /var/tmp/diff_new_pack.v2Oi4c/_new 2022-01-27 23:18:40.074273055 +0100 @@ -1,7 +1,7 @@ # # spec file for package isync # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,7 +17,7 @@ Name: isync -Version: 1.4.3 +Version: 1.4.4 Release: 0 Summary: Utility to synchronize IMAP mailboxes with local maildir folders License: GPL-2.0-only ++++++ isync-1.4.3.tar.gz -> isync-1.4.4.tar.gz ++++++ ++++ 6504 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/isync-1.4.3/ChangeLog new/isync-1.4.4/ChangeLog --- old/isync-1.4.3/ChangeLog 2021-07-29 13:14:32.000000000 +0200 +++ new/isync-1.4.4/ChangeLog 2021-12-03 11:56:27.000000000 +0100 
@@ -1,3 +1,123 @@ +2021-11-25 16:04 Oswald Buddenhagen <[email protected]> + + * configure.ac: + + bump version + +2021-11-26 10:53 Oswald Buddenhagen <[email protected]> + + * configure.ac: + + modernize configure.ac + +2021-12-01 10:25 Oswald Buddenhagen <[email protected]> + + * src/sync.c: + + don't complain about concurrent flagging as deleted + + the result of propagating a deletion is flagging as deleted, so shut up + if the only remote change is exactly that. + +2021-11-26 22:05 Oswald Buddenhagen <[email protected]> + + * src/sync.c: + + fix read beyond end of input in copy_msg_convert() + + the input isn't necessarily null-terminated (it currently is for imap, + but not for maildir), so if the message ended somewhere within the + header field name, we'd read beyond its end, which theoretically could + cause a crash. no other adverse effects could result, as we'd stop + processing such a broken message right afterwards. + + amends 70bad661. + +2021-11-24 17:24 Oswald Buddenhagen <[email protected]> + + * src/drv_imap.c: + + reject unreasonably long mailbox names from IMAP LIST + + this wasn't really a security problem, as the name mapping we actually + do does not change the string length, and the iteration was already + safe after the literal length fix, but it's still better to catch weird + input. + +2021-11-24 16:51 Oswald Buddenhagen <[email protected]> + + * src/sync.c: + + reject messages that grow too large due to conversion + + that shouldn't really be a problem, as we have 2GB of headroom, and most + growth would happen when sending an all-newlines message from maildir to + imap (due to CR additions), which is mostly non-critical. but better + safe than sorry. + +2021-11-24 16:46 Oswald Buddenhagen <[email protected]> + + * src/sync.c: + + report conversion errors directly in copy_msg_convert() + + that makes it easier to report various conditions without introducing + separate error codes. 
+ +2021-11-24 16:22 Oswald Buddenhagen <[email protected]> + + * src/drv_maildir.c: + + deal with oversized messages in maildirs + + don't try to read messages > 2G, as that will only lead to trouble down + the line. + + this wouldn't have worked on linux anyway (we read in one chunk, and + that is limited to (2^31 - 2^12) on all architectures), but on + platforms were big reads work, this was a security problem if one + synchronized other users' maildirs. + + as a minor fix on the side, we now also clip the reported message size, + so MaxSize works for excessively big messages. + +2021-11-24 18:21 Oswald Buddenhagen <[email protected]> + + * src/drv_imap.c: + + CVE-2021-3657: reject excessively large IMAP literals + + we didn't limit the 32-bit size of literals so far, which, given that we + use int-sized lengths & offsets, permitted all kinds of buffer + overflows. malicious/compromised servers may have been able to exploit + this. actual email senders would be constrained by size limits for + delivered mails, and to cause more than a crash they'd have to predict + the exact size of the final message. + + we now limit to 2GB, which, given that we use unsigned ints since + e2d3b4d55 (v1.4.0), gives the handlers downstream plenty of headroom. + + an alternative would have been using 64-bit offsets, but this seems like + major overkill, even if IMAP4rev2 recently mandated it (we talk only + IMAP4rev1, so we can ignore it). + +2021-11-22 19:57 Oswald Buddenhagen <[email protected]> + + * src/sync.c: + + CVE-2021-44143: don't overflow heap on messages without headers + + when a broken/compromised/malicious server gives us a message that + starts with an empty line, we'd enter the path for inserting a pristine + placeholder subject, for which we unfortunately didn't actually allocate + space (unless MaxSize is in use and the message exceeds it). 
+ + note that this cannot be triggered by merely receiving a crafted mail + with no headers (yes, it's actually possible to send such a thing), as + the delivery of mails adds plenty of headers. + + amends 70bad661. + 2021-07-29 11:14 Oswald Buddenhagen <[email protected]> * configure.ac: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/isync-1.4.3/autodefs.h.in new/isync-1.4.4/autodefs.h.in --- old/isync-1.4.3/autodefs.h.in 2021-07-29 13:14:32.000000000 +0200 +++ new/isync-1.4.4/autodefs.h.in 2021-12-03 11:56:25.000000000 +0100 @@ -24,9 +24,6 @@ /* Define to 1 if you have the macOS Keychain Services API. */ #undef HAVE_MACOS_KEYCHAIN -/* Define to 1 if you have the <memory.h> header file. */ -#undef HAVE_MEMORY_H - /* Define to 1 if you have the `memrchr' function. */ #undef HAVE_MEMRCHR @@ -36,6 +33,9 @@ /* Define to 1 if you have the <stdint.h> header file. */ #undef HAVE_STDINT_H +/* Define to 1 if you have the <stdio.h> header file. */ +#undef HAVE_STDIO_H + /* Define to 1 if you have the <stdlib.h> header file. */ #undef HAVE_STDLIB_H 
@@ -87,7 +87,9 @@ /* Define to the version of this package. */ #undef PACKAGE_VERSION -/* Define to 1 if you have the ANSI C header files. */ +/* Define to 1 if all of the C90 standard headers exist (not just the ones + required in a freestanding environment). This macro is provided for + backward compatibility; new code need not use it. */ #undef STDC_HEADERS /* if Berkeley DB should be used */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/isync-1.4.3/configure.ac new/isync-1.4.4/configure.ac --- old/isync-1.4.3/configure.ac 2021-07-29 13:13:58.000000000 +0200 +++ new/isync-1.4.4/configure.ac 2021-12-03 11:56:16.000000000 +0100 @@ -1,4 +1,4 @@ -AC_INIT([isync], [1.4.3]) +AC_INIT([isync], [1.4.4]) AC_CONFIG_HEADERS([autodefs.h]) AC_CANONICAL_TARGET @@ -62,8 +62,8 @@ fi AC_CACHE_CHECK([whether strftime supports %z], ob_cv_strftime_z, - [AC_TRY_RUN( -[#include <time.h> + [AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include <time.h> #include <string.h> int main(void) @@ -73,7 +73,7 @@ strftime(buf, sizeof(buf), "%z", localtime(&t)); return !(buf[0] == '+' || buf[0] == '-'); } -], [ob_cv_strftime_z=yes], [ob_cv_strftime_z=no], [ob_cv_strftime_z="yes (assumed)"])]) +]])], [ob_cv_strftime_z=yes], [ob_cv_strftime_z=no], [ob_cv_strftime_z="yes (assumed)"])]) if test "x$ob_cv_strftime_z" = x"no"; then AC_MSG_ERROR([libc lacks necessary feature]) fi @@ -96,7 +96,7 @@ have_ssl_paths= AC_ARG_WITH(ssl, - AC_HELP_STRING([--with-ssl[=PATH]], [where to look for SSL [detect]]), + AS_HELP_STRING([--with-ssl[=PATH]], [where to look for SSL [detect]]), [ob_cv_with_ssl=$withval]) if test "x$ob_cv_with_ssl" != xno; then case $ob_cv_with_ssl in 
@@ -193,12 +193,13 @@ [ac_cv_berkdb4=no sav_LIBS=$LIBS LIBS="$LIBS -ldb" - AC_TRY_LINK([#include <db.h>], - [DB *db; - db_create(&db, 0, 0); - db->truncate(db, 0, 0, 0); - db->open(db, 0, "foo", "foo", DB_HASH, DB_CREATE, 0)], - [ac_cv_berkdb4=yes]) + AC_LINK_IFELSE([AC_LANG_PROGRAM( + [#include <db.h>], + [DB *db; + db_create(&db, 0, 0); + db->truncate(db, 0, 0, 0); + db->open(db, 0, "foo", "foo", DB_HASH, DB_CREATE, 0); + ])], [ac_cv_berkdb4=yes], []) LIBS=$sav_LIBS ]) if test "x$ac_cv_berkdb4" = xyes; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/isync-1.4.3/isync.spec new/isync-1.4.4/isync.spec --- old/isync-1.4.3/isync.spec 2021-07-29 13:14:31.000000000 +0200 +++ new/isync-1.4.4/isync.spec 2021-12-03 11:56:25.000000000 +0100 @@ -1,10 +1,10 @@ Summary: Utility to synchronize IMAP mailboxes with local maildir folders Name: isync -Version: 1.4.3 +Version: 1.4.4 Release: 1 License: GPL Group: Applications/Internet -Source: isync-1.4.3.tar.gz +Source: isync-1.4.4.tar.gz URL: http://isync.sf.net/ Packager: Oswald Buddenhagen <[email protected]> BuildRoot: /var/tmp/%{name}-buildroot diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/isync-1.4.3/src/drv_imap.c new/isync-1.4.4/src/drv_imap.c --- old/isync-1.4.3/src/drv_imap.c 2021-06-11 17:47:32.000000000 +0200 +++ new/isync-1.4.4/src/drv_imap.c 2021-12-03 11:56:16.000000000 +0100 
@@ -877,6 +877,11 @@ bytes = (int)(cur->len = strtoul( s + 1, &s, 10 )); if (*s != '}' || *++s) goto bail; + if ((uint)bytes >= INT_MAX) { + error( "IMAP error: excessively large literal from %s " + "- THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", ctx->conn.name ); + goto bail; + } s = cur->val = nfmalloc( cur->len + 1 ); s[cur->len] = 0; @@ -1434,6 +1439,10 @@ } arg = list->val; argl = (int)list->len; + if (argl > 1000) { + warn( "IMAP warning: ignoring unreasonably long mailbox name '%.100s[...]'\n", arg ); + return LIST_OK; + } // The server might be weird and have a non-uppercase INBOX. It // may legitimately do so, but we need the canonical spelling. normalize_INBOX( ctx, arg, argl ); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/isync-1.4.3/src/drv_maildir.c new/isync-1.4.4/src/drv_maildir.c --- old/isync-1.4.3/src/drv_maildir.c 2021-07-29 13:12:45.000000000 +0200 +++ new/isync-1.4.4/src/drv_maildir.c 2021-12-01 10:07:40.000000000 +0100 @@ -1168,7 +1168,8 @@ } goto retry; } - entry->size = (uint)st.st_size; + // The clipped value is good enough for MaxSize comparisons. + entry->size = st.st_size > UINT_MAX ? UINT_MAX : (uint)st.st_size; } if (want_tuid || want_msgid) { if (!(f = fopen( buf, "r" ))) { 
@@ -1563,12 +1564,17 @@ } } fstat( fd, &st ); + if (st.st_size > INT_MAX) { + error( "Maildir error: %s is too big", buf ); + goto mbad; + } data->len = st.st_size; if (data->date == -1) data->date = st.st_mtime; data->data = nfmalloc( data->len ); if (read( fd, data->data, data->len ) != data->len) { sys_error( "Maildir error: cannot read %s", buf ); + mbad: close( fd ); cb( DRV_MSG_BAD, aux ); return; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/isync-1.4.3/src/sync.c new/isync-1.4.4/src/sync.c --- old/isync-1.4.3/src/sync.c 2021-02-21 21:11:58.000000000 +0100 +++ new/isync-1.4.4/src/sync.c 2021-12-03 11:56:16.000000000 +0100 @@ -406,11 +406,11 @@ } static int -copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars ) +copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars, int t ) { char *in_buf = vars->data.data; uint in_len = vars->data.len; - uint idx = 0, sbreak = 0, ebreak = 0, break2 = 0; + uint idx = 0, sbreak = 0, ebreak = 0, break2 = UINT_MAX; uint lines = 0, hdr_crs = 0, bdy_crs = 0, app_cr = 0, extra = 0; uint add_subj = 0; @@ -428,9 +428,10 @@ if (!vars->minimal) goto oke; } else { - if (!break2 && vars->minimal && !strncasecmp( in_buf + start, "Subject:", 8 )) { + if (break2 == UINT_MAX && vars->minimal && + starts_with_upper( in_buf + start, (int)(in_len - start), "SUBJECT:", 8 )) { break2 = start + 8; - if (in_buf[break2] == ' ') + if (break2 < in_len && in_buf[break2] == ' ') break2++; } lines++; @@ -441,7 +442,7 @@ sbreak = ebreak = start; if (vars->minimal) { in_len = idx; - if (!break2) { + if (break2 == UINT_MAX) { break2 = start; add_subj = 1; } 
@@ -451,7 +452,8 @@ goto nloop; } } - /* invalid message */ + warn( "Warning: message %u from %s has incomplete header; skipping.\n", + vars->msg->uid, str_fn[1-t] ); free( in_buf ); return 0; oke: @@ -493,10 +495,16 @@ } vars->data.len = in_len + extra; + if (vars->data.len > INT_MAX) { + warn( "Warning: message %u from %s is too big after conversion; skipping.\n", + vars->msg->uid, str_fn[1-t] ); + free( in_buf ); + return 0; + } char *out_buf = vars->data.data = nfmalloc( vars->data.len ); idx = 0; if (vars->srec) { - if (break2 && break2 < sbreak) { + if (break2 < sbreak) { copy_msg_bytes( &out_buf, in_buf, &idx, break2, in_cr, out_cr ); memcpy( out_buf, dummy_pfx, strlen(dummy_pfx) ); out_buf += strlen(dummy_pfx); @@ -512,7 +520,7 @@ *out_buf++ = '\n'; idx = ebreak; - if (break2 >= sbreak) { + if (break2 != UINT_MAX && break2 >= sbreak) { copy_msg_bytes( &out_buf, in_buf, &idx, break2, in_cr, out_cr ); if (!add_subj) { memcpy( out_buf, dummy_pfx, strlen(dummy_pfx) ); @@ -556,9 +564,7 @@ scr = (svars->drv[1-t]->get_caps( svars->ctx[1-t] ) / DRV_CRLF) & 1; tcr = (svars->drv[t]->get_caps( svars->ctx[t] ) / DRV_CRLF) & 1; if (vars->srec || scr != tcr) { - if (!copy_msg_convert( scr, tcr, vars )) { - warn( "Warning: message %u from %s has incomplete header.\n", - vars->msg->uid, str_fn[1-t] ); + if (!copy_msg_convert( scr, tcr, vars, t )) { vars->cb( SYNC_NOGOOD, 0, vars ); return; } 
@@ -1690,7 +1696,11 @@ JLOG( "> %u %u 0", (srec->uid[F], srec->uid[N]), "near side expired, orphaning far side" ); srec->uid[N] = 0; } else { - if (srec->msg[t] && (srec->msg[t]->status & M_FLAGS) && srec->msg[t]->flags != srec->flags) + if (srec->msg[t] && (srec->msg[t]->status & M_FLAGS) && + // Ignore deleted flag, as that's what we'll change ourselves ... + (((srec->msg[t]->flags & ~F_DELETED) != (srec->flags & ~F_DELETED)) || + // ... except for undeletion, as that's the opposite. + (!(srec->msg[t]->flags & F_DELETED) && (srec->flags & F_DELETED)))) notice( "Notice: conflicting changes in (%u,%u)\n", srec->uid[F], srec->uid[N] ); if (svars->chan->ops[t] & OP_DELETE) { debug( " %sing delete\n", str_hl[t] );
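Review bot: in the drv_imap.c hunk @@ -877, the guard "if ((uint)bytes >= INT_MAX)" runs only after the strtoul() result has already been narrowed into cur->len (a uint) and bytes (an int), so on targets where unsigned long is 64 bits a literal length above UINT_MAX is truncated before it is tested and slips past the check with an unrelated small value; the rejection is therefore not reliable for every oversized length. Suggest keeping the untruncated value and testing it first, e.g. "unsigned long len = strtoul( s + 1, &s, 10 );" followed by "if (errno == ERANGE || len >= INT_MAX) goto bail;" before assigning cur->len. INT_MAX also needs <limits.h>, so make sure drv_imap.c includes it if it does not already.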
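Review bot: the cutoff in "if (argl > 1000)" in the drv_imap.c hunk @@ -1434 is a bare magic number that is now also a documented behaviour (folders with longer names are silently skipped with LIST_OK); give it a named constant next to the other driver limits and mention it in the manual so users who hit the warning know the limit is deliberate. The "%.100s" cap on the untrusted name in the warn() call is the right idea and should be kept.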
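Review bot: in the drv_maildir.c hunk @@ -1563, the new size check depends on st.st_size, but the return value of "fstat( fd, &st );" two lines above is still unchecked, so on an fstat failure the comparison reads an indeterminate st_size; now that a rejection decision hangs on it, check the return and take the mbad path on error. The new "error( "Maildir error: %s is too big", buf );" also lacks a trailing "\n", unlike the error() call added in drv_imap.c in this same patch (the neighbouring sys_error() is a different helper, so it is no evidence that error() adds one). Finally, the "mbad:" label is placed inside the "if (read(...) != data->len)" block, which jumps into the middle of a compound statement; moving the close/cb/return sequence under a label after the block keeps the control flow obvious.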
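Review bot: the sync.c hunk @@ -406 changes the "no Subject: seen yet" sentinel for break2 from 0 to UINT_MAX, and the value is then tested in four separate places further down (@@ -428, @@ -441, @@ -493, @@ -512). A one-line comment at the declaration, e.g. "uint break2 = UINT_MAX; /* UINT_MAX: no Subject: header found */", or a named constant, would make those comparisons self-explanatory and guard against someone reintroducing the old "!break2" test. The bounds-checked "break2 < in_len && in_buf[break2] == ' '" and the length argument to starts_with_upper() look correct for the non-terminated maildir input the ChangeLog describes.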
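Review bot: in the sync.c hunk @@ -493, the new "too big after conversion" exit duplicates the "free( in_buf ); return 0;" sequence of the incomplete-header exit added in @@ -451; a shared label for the failure path would keep the two in sync if further cleanup is ever added before return. The warning text is consistent with the one moved into copy_msg_convert() from the caller (@@ -556), which is good.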
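Review bot: the conflict test in the sync.c hunk @@ -1690 has grown into a four-clause expression with interleaved comments, which is hard to verify at a glance. Suggest naming the two cases before the if, e.g. "int changed = (srec->msg[t]->flags & ~F_DELETED) != (srec->flags & ~F_DELETED);" and "int undeleted = !(srec->msg[t]->flags & F_DELETED) && (srec->flags & F_DELETED);", then "if (srec->msg[t] && (srec->msg[t]->status & M_FLAGS) && (changed || undeleted))"; the comments above each variable then document the intent the inline ones currently carry.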
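Review bot: in the configure.ac hunk @@ -193, the AC_LANG_PROGRAM prologue "[#include <db.h>]" is single-quoted while the strftime probe converted in @@ -62 uses the "[[ ... ]]" form; it is harmless for this particular text, but using the double-quoted form in both places avoids m4 surprises if brackets are ever added to the program body. The trailing empty action-if-false "[]" can also be dropped.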
