Control: tags -1 moreinfo confirmed

On 2021-05-10 19:30:17, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> X-Debbugs-Cc: [email protected]
>
> Please unblock package cyrus-imapd
Please go ahead with the upload and remove the moreinfo tag once the package is available in unstable. > > [ Reason ] > Cyrus-Imapd is vulnerable to CVE-2021-32056: it allows remote authenticated > users to bypass intended access restrictions on server annotations and > consequently cause replication to stall. > > [ Impact ] > Security issue (not yet tagged by Security Team > > [ Tests ] > No changes in test > > [ Risks ] > Patch seems trivial, just a better permission check > > [ Checklist ] > [X] all changes are documented in the d/changelog > [X] I reviewed all changes and I approve them > [X] attach debdiff against the package in testing > > Cheers, > Yadd (from hospital ;-)) Get well soon Cheers > > unblock cyrus-imapd/3.2.6-2 > diff --git a/debian/changelog b/debian/changelog > index bc383a9c..150929df 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,10 @@ > +cyrus-imapd (3.2.6-2) unstable; urgency=medium > + > + * Update gbp.conf for Bullseye branch > + * annotate: don't allow everyone to write shared server entries (Closes: > CVE-2021-32056) > + > + -- Yadd <[email protected]> Mon, 10 May 2021 19:24:53 +0200 > + > cyrus-imapd (3.2.6-1) unstable; urgency=medium > > * New upstream version 3.2.6 > diff --git a/debian/gbp.conf b/debian/gbp.conf > index c747fcb7..ee87ac45 100644 > --- a/debian/gbp.conf > +++ b/debian/gbp.conf > @@ -1,7 +1,7 @@ > [DEFAULT] > -debian-branch = master > +debian-branch = bullseye > debian-tag = debian/%(version)s > -upstream-branch = upstream > +upstream-branch = upstream-bullseye > upstream-tag = upstream/%(version)s > pristine-tar = True > > diff --git a/debian/patches/CVE-2021-32056.patch > b/debian/patches/CVE-2021-32056.patch > new file mode 100644 > index 00000000..9a50abe1 > --- /dev/null > +++ b/debian/patches/CVE-2021-32056.patch 
> @@ -0,0 +1,50 @@ > +Description: annotate: don't allow everyone to write shared server entries > +Author: Bron Gondwana <[email protected]> > +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/621f9e41 > +Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32056 > +Forwarded: not-needed > +Reviewed-By: Yadd <[email protected]> > +Last-Update: 2021-05-10 > + > +--- a/imap/annotate.c > ++++ b/imap/annotate.c > +@@ -2788,15 +2788,20 @@ > + > + keylen = make_key(mboxname, uid, entry, userid, key, sizeof(key)); > + > +- if (mailbox) { > +- struct annotate_metadata oldmdata; > +- r = read_old_value(d, key, keylen, &oldval, &oldmdata); > +- if (r) goto out; > ++ struct annotate_metadata oldmdata; > ++ r = read_old_value(d, key, keylen, &oldval, &oldmdata); > ++ if (r) goto out; > ++ > ++ /* if the value is identical, don't touch the mailbox */ > ++ if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, > value->s, value->len))) > ++ goto out; > + > +- /* if the value is identical, don't touch the mailbox */ > +- if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, > value->s, value->len))) > +- goto out; > ++ if (!maywrite) { > ++ r = IMAP_PERMISSION_DENIED; > ++ if (r) goto out; > ++ } > + > ++ if (mailbox) { > + if (!ignorequota) { > + quota_t qdiffs[QUOTA_NUMRESOURCES] = > QUOTA_DIFFS_DONTCARE_INITIALIZER; > + qdiffs[QUOTA_ANNOTSTORAGE] = value->len - (quota_t)oldval.len; > +@@ -2804,11 +2809,6 @@ > + if (r) goto out; > + } > + > +- if (!maywrite) { > +- r = IMAP_PERMISSION_DENIED; > +- if (r) goto out; > +- } > +- > + /* do the annot-changed here before altering the DB */ > + mailbox_annot_changed(mailbox, uid, entry, userid, &oldval, value, > silent); > + > diff --git a/debian/patches/series b/debian/patches/series > index 3fab10aa..27fc0ec9 100644 > --- a/debian/patches/series > +++ b/debian/patches/series 
> @@ -7,3 +7,4 @@ > 0011-Fix-extra-libpci-in-SNMP_LIBS.patch > 0012-Use-UnicodeData.txt-from-system.patch > 0018-increase-test-timeout.patch > +CVE-2021-32056.patch -- Sebastian Ramacher
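Review bot: in the debian/changelog hunk, `(Closes: CVE-2021-32056)` uses the Closes: keyword, which the Debian changelog tooling only parses for BTS bug numbers (`#NNNNNN`), so the CVE identifier will not be recognised by it. Write the CVE as plain text, e.g. `* annotate: don't allow everyone to write shared server entries (CVE-2021-32056)`, and use Closes: only for a BTS bug number if one exists for this issue.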
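Review bot: in the imap/annotate.c hunk of CVE-2021-32056.patch, the `maywrite` check is now reached for server-level entries too (it was previously inside `if (mailbox)`), which is the fix, but it still sits below the identical-value early exit: a caller without write permission who stores a value equal to the existing one returns success via `goto out` instead of `IMAP_PERMISSION_DENIED`. Consider moving the `if (!maywrite)` block above the `oldval.len == value->len` comparison so the permission error is reported consistently. Also, `r = IMAP_PERMISSION_DENIED; if (r) goto out;` carries a redundant `if (r)` after an unconditional assignment; `goto out;` alone is clearer.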
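Review bot: in the debian/patches/series hunk, `CVE-2021-32056.patch` is added without the numeric prefix the other entries use (`0011-`, `0012-`, `0018-`); consider keeping the existing naming scheme so ordering stays obvious when further patches are appended.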

