Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]

Please unblock package cyrus-imapd

[ Reason ]
Cyrus-Imapd is vulnerable to CVE-2021-32056: it allows remote authenticated users to bypass intended access restrictions on server annotations and consequently cause replication to stall.

[ Impact ]
Security issue (not yet tagged by Security Team)

[ Tests ]
No changes in tests

[ Risks ]
Patch seems trivial, just a better permission check

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

Cheers,
Yadd (from hospital ;-))

unblock cyrus-imapd/3.2.6-2
diff --git a/debian/changelog b/debian/changelog index bc383a9c..150929df 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +cyrus-imapd (3.2.6-2) unstable; urgency=medium + + * Update gbp.conf for Bullseye branch + * annotate: don't allow everyone to write shared server entries (Closes: CVE-2021-32056) + + -- Yadd <[email protected]> Mon, 10 May 2021 19:24:53 +0200 + cyrus-imapd (3.2.6-1) unstable; urgency=medium * New upstream version 3.2.6 diff --git a/debian/gbp.conf b/debian/gbp.conf index c747fcb7..ee87ac45 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,7 +1,7 @@ [DEFAULT] -debian-branch = master +debian-branch = bullseye debian-tag = debian/%(version)s -upstream-branch = upstream +upstream-branch = upstream-bullseye upstream-tag = upstream/%(version)s pristine-tar = True diff --git a/debian/patches/CVE-2021-32056.patch b/debian/patches/CVE-2021-32056.patch new file mode 100644 index 00000000..9a50abe1 --- /dev/null +++ b/debian/patches/CVE-2021-32056.patch 
@@ -0,0 +1,50 @@ +Description: annotate: don't allow everyone to write shared server entries +Author: Bron Gondwana <[email protected]> +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/621f9e41 +Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32056 +Forwarded: not-needed +Reviewed-By: Yadd <[email protected]> +Last-Update: 2021-05-10 + +--- a/imap/annotate.c ++++ b/imap/annotate.c +@@ -2788,15 +2788,20 @@ + + keylen = make_key(mboxname, uid, entry, userid, key, sizeof(key)); + +- if (mailbox) { +- struct annotate_metadata oldmdata; +- r = read_old_value(d, key, keylen, &oldval, &oldmdata); +- if (r) goto out; ++ struct annotate_metadata oldmdata; ++ r = read_old_value(d, key, keylen, &oldval, &oldmdata); ++ if (r) goto out; ++ ++ /* if the value is identical, don't touch the mailbox */ ++ if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len))) ++ goto out; + +- /* if the value is identical, don't touch the mailbox */ +- if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len))) +- goto out; ++ if (!maywrite) { ++ r = IMAP_PERMISSION_DENIED; ++ if (r) goto out; ++ } + ++ if (mailbox) { + if (!ignorequota) { + quota_t qdiffs[QUOTA_NUMRESOURCES] = QUOTA_DIFFS_DONTCARE_INITIALIZER; + qdiffs[QUOTA_ANNOTSTORAGE] = value->len - (quota_t)oldval.len; +@@ -2804,11 +2809,6 @@ + if (r) goto out; + } + +- if (!maywrite) { +- r = IMAP_PERMISSION_DENIED; +- if (r) goto out; +- } +- + /* do the annot-changed here before altering the DB */ + mailbox_annot_changed(mailbox, uid, entry, userid, &oldval, value, silent); + diff --git a/debian/patches/series b/debian/patches/series index 3fab10aa..27fc0ec9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ 0011-Fix-extra-libpci-in-SNMP_LIBS.patch 0012-Use-UnicodeData.txt-from-system.patch 0018-increase-test-timeout.patch +CVE-2021-32056.patch
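Review bot: in the debian/changelog hunk, `(Closes: CVE-2021-32056)` misuses the `Closes:` keyword, which dpkg parses for Debian bug numbers of the form `Closes: #NNNNNN`; a CVE id there is silently ignored and reads like a mis-tag. Suggest writing the reference as plain text, e.g. `* annotate: don't allow everyone to write shared server entries (CVE-2021-32056)`, and keeping `Closes:` for a bug number if one exists.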
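Review bot: the debian/gbp.conf hunk (`debian-branch = bullseye`, `upstream-branch = upstream-bullseye`) is branch housekeeping unrelated to the security fix; it changes no built artifact, but during a freeze it is worth stating explicitly in the unblock request that this hunk is packaging-metadata only, so the release team can confine its review to the CVE patch.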
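Review bot: in the first annotate.c hunk (`@@ -2788,15 +2788,20 @@`) the identical-value shortcut (`if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len))) goto out;`) is still evaluated before the relocated `if (!maywrite)` check, so a caller without write permission whose submitted value already equals the stored one gets a silent success instead of `IMAP_PERMISSION_DENIED`; moving the `maywrite` check above that shortcut makes the outcome of a denied write independent of the stored value. The relocation itself is the real fix: previously the check sat inside `if (mailbox)`, so server-level entries (mailbox == NULL) never reached it, and the new placement covers both cases. Minor style point: `r = IMAP_PERMISSION_DENIED; if (r) goto out;` tests a constant that is never zero; a plain `goto out;` is clearer.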
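Review bot: in the debian/patches/series hunk the new entry `CVE-2021-32056.patch` breaks the numbered `00NN-description.patch` naming used by the existing entries (`0011-`, `0012-`, `0018-`); a numbered prefix keeps application order explicit and makes later rebases easier, though this is cosmetic and does not affect the fix.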

