Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package cyrus-imapd

Hi all,

Cyrus-Imapd is vulnerable to remote arbitrary code execution via CalDAV (CVE-2019-11356, tagged high). Fix is very trivial. The proposed debdiff also includes a missing dependency that closes #872238.

Cheers,
Xavier

unblock cyrus-imapd/3.0.8-6

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru cyrus-imapd-3.0.8/debian/changelog cyrus-imapd-3.0.8/debian/changelog --- cyrus-imapd-3.0.8/debian/changelog 2019-05-16 11:42:29.000000000 +0200 +++ cyrus-imapd-3.0.8/debian/changelog 2019-06-07 06:41:23.000000000 +0200 @@ -1,3 +1,14 @@ +cyrus-imapd (3.0.8-6) unstable; urgency=medium + + [ Anthony Prades ] + * Add cyrus-clients dependency on cyrus-murder (Closes: #872238) + + [ Xavier Guimard ] + * Add patch to fix arbitrary code execution via CalDAV + (Closes: CVE-2019-11356) + + -- Xavier Guimard <[email protected]> Fri, 07 Jun 2019 06:41:23 +0200 + cyrus-imapd (3.0.8-5) unstable; urgency=medium [ Xavier Guimard ] diff -Nru cyrus-imapd-3.0.8/debian/control cyrus-imapd-3.0.8/debian/control --- cyrus-imapd-3.0.8/debian/control 2019-05-16 09:41:45.000000000 +0200 +++ cyrus-imapd-3.0.8/debian/control 2019-06-07 06:41:23.000000000 +0200 @@ -208,6 +208,7 @@ Depends: cyrus-common (= ${binary:Version}), cyrus-imapd (= ${binary:Version}), cyrus-pop3d (= ${binary:Version}), + cyrus-clients (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} Description: Cyrus mail system - proxies and aggregator diff -Nru cyrus-imapd-3.0.8/debian/patches/CVE-2019-11356.patch cyrus-imapd-3.0.8/debian/patches/CVE-2019-11356.patch --- cyrus-imapd-3.0.8/debian/patches/CVE-2019-11356.patch 1970-01-01 01:00:00.000000000 +0100 +++ cyrus-imapd-3.0.8/debian/patches/CVE-2019-11356.patch 2019-06-07 06:41:23.000000000 +0200 
@@ -0,0 +1,30 @@ +Description: Fix for CVE-2019-11356 +Author: Ken Murchison <[email protected]> +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/a5779db8 +Bug: https://security-tracker.debian.org/tracker/CVE-2019-11356 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <[email protected]> +Last-Update: 2019-06-07 + +--- a/imap/httpd.c ++++ b/imap/httpd.c +@@ -2202,7 +2202,7 @@ + memset(&tm, 0, sizeof(struct tm)); + tm.tm_isdst = -1; + sscanf(time, "%02d:%02d:%02d", &tm.tm_hour, &tm.tm_min, &tm.tm_sec); +- sscanf(date, "%s %2d %4d", month, &tm.tm_mday, &tm.tm_year); ++ sscanf(date, "%3s %2d %4d", month, &tm.tm_mday, &tm.tm_year); + tm.tm_year -= 1900; + for (tm.tm_mon = 0; tm.tm_mon < 12; tm.tm_mon++) { + if (!strcmp(month, monthname[tm.tm_mon])) break; +--- a/imap/ical_support.c ++++ b/imap/ical_support.c +@@ -458,7 +458,7 @@ + + /* Check if this is an empty property error */ + if (sscanf(errstr, +- "No value for %s property", propname) == 1) { ++ "No value for %255s property", propname) == 1) { + /* Empty LOCATION is OK */ + if (!strcasecmp(propname, "LOCATION")) continue; + if (!strcasecmp(propname, "COMMENT")) continue; diff -Nru cyrus-imapd-3.0.8/debian/patches/series cyrus-imapd-3.0.8/debian/patches/series --- cyrus-imapd-3.0.8/debian/patches/series 2019-05-16 11:26:33.000000000 +0200 +++ cyrus-imapd-3.0.8/debian/patches/series 2019-06-07 06:41:23.000000000 +0200 @@ -21,3 +21,4 @@ 0021-support-mailboxes-with-spaces.patch 0022-close-backups-on-failure.patch 0023-fix-memory-leak-on-ldap-failure.patch +CVE-2019-11356.patch
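Review bot: in the debian/changelog hunk, `(Closes: CVE-2019-11356)` uses the `Closes:` marker that the BTS and dpkg parse for bug numbers, which a CVE id is not; cite it plainly, as in `* Add patch to fix arbitrary code execution via CalDAV (CVE-2019-11356)`, so the entry matches the `(Closes: #872238)` convention used on the line above it.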
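Review bot: the two sscanf changes in debian/patches/CVE-2019-11356.patch are only a complete fix if the field widths match the destination buffers, i.e. `month` holds at least 4 bytes for `%3s` and `propname` at least 256 bytes for `%255s`; neither declaration is within the hunk context, so verify both against imap/httpd.c and imap/ical_support.c before accepting. In the httpd.c hunk the return value of `sscanf(date, "%3s %2d %4d", month, &tm.tm_mday, &tm.tm_year);` is still unchecked, so a date that fails to parse leaves `month` unset for the `strcmp(month, monthname[tm.tm_mon])` loop that follows; that is outside the scope of this CVE fix but worth a follow-up upstream.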
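Review bot: the debian/patches/series hunk appends `CVE-2019-11356.patch` without the `NNNN-` prefix that every other entry carries (`0021-`, `0022-`, `0023-`); naming it `0024-CVE-2019-11356.patch` keeps the apply order explicit in the filename, unless the maintainers deliberately keep security patches unnumbered.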

