Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package dovecot Dovecot 1:2.3.4.1-4, already in unstable, fixes a crash related to processing of invalid external input. The issue is known as CVE-2019-10691[1], and was fixed in the Debian package by backporting the upstream fix. Full source debdiff attached. Regards, Apollon [1] https://dovecot.org/pipermail/dovecot/2019-April/115687.html unblock dovecot/1:2.3.4.1-4
diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog --- dovecot-2.3.4.1/debian/changelog 2019-03-25 23:06:01.000000000 +0200 +++ dovecot-2.3.4.1/debian/changelog 2019-04-18 10:21:19.000000000 +0300 @@ -1,3 +1,9 @@ +dovecot (1:2.3.4.1-4) unstable; urgency=high + + * [d04d4ba] Fix assert-crash in JSON encoder (CVE-2019-10691) + + -- Apollon Oikonomopoulos <apoi...@debian.org> Thu, 18 Apr 2019 10:21:19 +0300 + dovecot (1:2.3.4.1-3) unstable; urgency=high * [07c9212] Fix two buffer overflows when reading oversized FTS headers diff -Nru dovecot-2.3.4.1/debian/patches/CVE-2019-10691 dovecot-2.3.4.1/debian/patches/CVE-2019-10691 --- dovecot-2.3.4.1/debian/patches/CVE-2019-10691 1970-01-01 02:00:00.000000000 +0200 +++ dovecot-2.3.4.1/debian/patches/CVE-2019-10691 2019-04-18 10:21:19.000000000 +0300 @@ -0,0 +1,66 @@ +From 973769d74433de3c56c4ffdf4f343cb35d98e4f7 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tu...@open-xchange.com> +Date: Tue, 2 Apr 2019 13:09:48 +0300 +Subject: [PATCH 1/2] lib: json - Escape invalid UTF-8 as unicode bytes + +This prevents dovecot from crashing if invalid UTF-8 input +is given. +--- + src/lib/json-parser.c | 12 ++++++++---- + src/lib/test-json-parser.c | 8 ++++---- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/lib/json-parser.c b/src/lib/json-parser.c +index 677091d64..e7846a329 100644 +--- a/src/lib/json-parser.c ++++ b/src/lib/json-parser.c +@@ -803,9 +803,13 @@ void json_append_escaped_data(string_t *dest, const unsigned char *src, size_t s + + for (i = 0; i < size;) { + bytes = uni_utf8_get_char_n(src+i, size-i, &chr); +- /* refuse to add invalid data */ +- i_assert(bytes > 0 && uni_is_valid_ucs4(chr)); +- json_append_escaped_ucs4(dest, chr); +- i += bytes; ++ if (bytes > 0 && uni_is_valid_ucs4(chr)) { ++ json_append_escaped_ucs4(dest, chr); ++ i += bytes; ++ } else { ++ str_append_data(dest, UNICODE_REPLACEMENT_CHAR_UTF8, ++ UTF8_REPLACEMENT_CHAR_LEN); ++ i++; ++ } + } + } +diff --git a/src/lib/test-json-parser.c b/src/lib/test-json-parser.c +index bae6fb202..9ce1e489b 100644 +--- a/src/lib/test-json-parser.c ++++ b/src/lib/test-json-parser.c +@@ -267,20 +267,20 @@ static void test_json_append_escaped(void) + string_t *str = t_str_new(32); + + test_begin("json_append_escaped()"); +- json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7"); +- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0); ++ json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff"); ++ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0); + test_end(); + } + + static void test_json_append_escaped_data(void) + { + static const unsigned char test_input[] = +- "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7"; ++ "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff"; + string_t *str = t_str_new(32); + + test_begin("json_append_escaped()"); + json_append_escaped_data(str, test_input, sizeof(test_input)-1); +- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0); ++ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0); + test_end(); + } + +-- +2.11.0 + diff -Nru dovecot-2.3.4.1/debian/patches/series dovecot-2.3.4.1/debian/patches/series --- dovecot-2.3.4.1/debian/patches/series 2019-03-25 23:06:01.000000000 +0200 +++ dovecot-2.3.4.1/debian/patches/series 2019-04-18 10:21:19.000000000 +0300 @@ -10,4 +10,5 @@ lib-master-test-event-stats-Use-PRIu64-format.patch avoid-double-closing-mysql.patch CVE-2019-7524 +CVE-2019-10691 debian-changes
signature.asc
Description: PGP signature