On Mon, Jan 22, 2024 at 04:48:35PM +0100, Salvatore Bonaccorso wrote:
Hi,

On Sun, Jan 21, 2024 at 09:55:36PM +0100, Salvatore Bonaccorso wrote:
Hi Alberto, hi Nilesh,

On Sun, Jan 21, 2024 at 05:03:42PM +0000, Alberto Bertogli wrote:
> On Sun, Jan 21, 2024 at 09:38:29PM +0530, Nilesh Patra wrote:
> > On Sun, Jan 21, 2024 at 03:37:11PM +0000, Alberto Bertogli wrote:
> > > There are 3 patches in this release: patches 1 and 2 are minor (but
> > > important) adjustments to tests, so that patch 3 that contains the fix can
> > > be tested at all.
> > >
> > > Applying just patch 3 would be nominally "minimal", but also fail
> > > tests.
> > >
> > > I would argue this is the minimal set of patches to fix the security
> > > release.
> > >
> > > That said, of course that is subjective, other alternative patches could be
> > > done instead; and I'm sure there's a lot of Debian-specific criteria,
> > > history, and processes that can be applied to make these decisions, which I
> > > lack.
> > >
> > > So I think at this point I rather leave this stable update to the Debian
> > > experts (which I am definitely not :).
> > >
> > > The patches are there, and please if you have any questions I can help with
> > > as upstream capacity, just let me know!
> >
> > As far as I understood and looked, there are just 3 patches in this update which
> > seem to be needed to fix the SMTP smuggling vulnerability, right?
>
> That is correct.
>
> I (upstream) made version 1.11.1 by cherry-picking 3 patches (from 1.13) on
> top of 1.11:
>
> - Patch #1: test: Verify mailbox delivery in minor dialogs test
>   https://salsa.debian.org/go-team/packages/chasquid/-/commit/7fe1d04f01c0e49f3e37cfe8d9823d86b6f33b04
> - Patch #2: test: Make mail_diff more strict
>   https://salsa.debian.org/go-team/packages/chasquid/-/commit/5c4d2f980859e7e42b4da2bea19b04bb79eedd54
> - Patch #3: smtpsrv: Strict CRLF enforcement in DATA contents
>   https://salsa.debian.org/go-team/packages/chasquid/-/commit/e95808d249f900a90eeb0916773ce6ed55632801
>
> Patches #1 and #2 change only tests and testing infrastructure, so that the
> patch #3 (which fixes the security vulnerability) can have tests to confirm
> it works.
>
> Those commits in Salsa come directly from upstream's 1.11.1, you can confirm
> that the commit id is the same:
> https://github.com/albertito/chasquid/commits/v1.11.1/
>
> This is what I consider a "reasonable minimum" set of changes to fix the
> vulnerability. Any less would mean failing or reduced tests for the fixes,
> which I don't think that is a good tradeoff.
>
> I hope this explanation helps!
>
>
> > Seems I got a few things mixed up and maybe offered wrong advice in my previous
> > email -- sorry!
>
> No worries! These things get confusing :S
>
>
> > I've CC'ed security team as per the documented procedure[1], and will wait for their
> > reply on this matter, and we can take it forward for stable uploads from there.
> >
> > [1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security
>
> Thank you, please let me know if there are any other questions or
> clarification needed!

Thanks for the details. Can you fix this issue in the upcoming point
releases? They are planned to be announced for the beginning of
February.

As there seems to be no CVE assigned for the issue in chasquid, I have
requested one from MITRE.

There is a CVE: CVE-2023-52354.

Great!

So what are the next steps here? Who needs to do what?

Sorry for the blunt question, I just don't know what happens next :)

Thank you!
                Alberto
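
Patch #3 above is described as "Strict CRLF enforcement in DATA contents". As an added illustration of that mitigation (example code written for this page, not chasquid's own; the function name ReadDataStrict and the Err* values are hypothetical), this Go parser accepts only CRLF line endings during the SMTP DATA phase and recognises the end of data only at a CRLF-delimited dot, so a bare LF or bare CR that a relaxed receiver might treat as a message boundary is rejected instead:

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
)

var ( // hypothetical error values for this example, not chasquid's own
	ErrBareLF   = errors.New("bare LF in DATA contents")
	ErrBareCR   = errors.New("bare CR in DATA contents")
	ErrNoEndDot = errors.New("no CRLF.CRLF end-of-data marker")
)

// ReadDataStrict parses the raw bytes a client sent after the 354 reply into
// message lines (dot-unstuffed, terminators removed). Only "\r\n.\r\n" (or
// ".\r\n" as the first line) ends the data; a bare LF or CR before it is an error.
func ReadDataStrict(raw []byte) ([]string, error) {
	if bytes.HasPrefix(raw, []byte(".\r\n")) {
		return []string{}, nil // empty message
	}
	end := bytes.Index(raw, []byte("\r\n.\r\n"))
	if end < 0 {
		return nil, ErrNoEndDot
	}
	body, lines, start := raw[:end], []string{}, 0 // body excludes the marker
	for i := 0; i < len(body); i++ {
		switch body[i] {
		case '\r':
			if i+1 >= len(body) || body[i+1] != '\n' {
				return nil, ErrBareCR
			}
			// dot-unstuff: drop the one leading dot (RFC 5321 section 4.5.2)
			lines = append(lines, strings.TrimPrefix(string(body[start:i]), "."))
			i++ // step over the LF
			start = i + 1
		case '\n':
			return nil, ErrBareLF // LF not preceded by CR
		}
	}
	return append(lines, strings.TrimPrefix(string(body[start:]), ".")), nil // last line
}

func main() { // constructed inputs: a valid body, then one whose "." line follows a bare LF
	for _, in := range []string{"Subject: hi\r\n\r\n..dot\r\nbye\r\n.\r\n", "hi\r\n\n.\r\nbye\r\n.\r\n"} {
		lines, err := ReadDataStrict([]byte(in))
		fmt.Printf("lines=%q err=%v\n", lines, err)
	}
}
```

The second constructed input is accepted as a complete message only by receivers that treat a bare LF as a line terminator; the strict parser returns ErrBareLF for it, so the server can reject the transaction.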
