Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package dovecot

Dovecot 1:2.3.4.1-4, already in unstable, fixes a crash related to 
processing of invalid external input. The issue is known as 
CVE-2019-10691[1], and was fixed in the Debian package by backporting 
the upstream fix.

Full source debdiff attached.

Regards,
Apollon

[1] https://dovecot.org/pipermail/dovecot/2019-April/115687.html

unblock dovecot/1:2.3.4.1-4
diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog
--- dovecot-2.3.4.1/debian/changelog    2019-03-25 23:06:01.000000000 +0200
+++ dovecot-2.3.4.1/debian/changelog    2019-04-18 10:21:19.000000000 +0300
@@ -1,3 +1,9 @@
+dovecot (1:2.3.4.1-4) unstable; urgency=high
+
+  * [d04d4ba] Fix assert-crash in JSON encoder (CVE-2019-10691)
+
+ -- Apollon Oikonomopoulos <apoi...@debian.org>  Thu, 18 Apr 2019 10:21:19 
+0300
+
 dovecot (1:2.3.4.1-3) unstable; urgency=high
 
   * [07c9212] Fix two buffer overflows when reading oversized FTS headers
diff -Nru dovecot-2.3.4.1/debian/patches/CVE-2019-10691 
dovecot-2.3.4.1/debian/patches/CVE-2019-10691
--- dovecot-2.3.4.1/debian/patches/CVE-2019-10691       1970-01-01 
02:00:00.000000000 +0200
+++ dovecot-2.3.4.1/debian/patches/CVE-2019-10691       2019-04-18 
10:21:19.000000000 +0300
@@ -0,0 +1,66 @@
+From 973769d74433de3c56c4ffdf4f343cb35d98e4f7 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tu...@open-xchange.com>
+Date: Tue, 2 Apr 2019 13:09:48 +0300
+Subject: [PATCH 1/2] lib: json - Escape invalid UTF-8 as unicode bytes
+
+This prevents dovecot from crashing if invalid UTF-8 input
+is given.
+---
+ src/lib/json-parser.c      | 12 ++++++++----
+ src/lib/test-json-parser.c |  8 ++++----
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/json-parser.c b/src/lib/json-parser.c
+index 677091d64..e7846a329 100644
+--- a/src/lib/json-parser.c
++++ b/src/lib/json-parser.c
+@@ -803,9 +803,13 @@ void json_append_escaped_data(string_t *dest, const 
unsigned char *src, size_t s
+ 
+       for (i = 0; i < size;) {
+               bytes = uni_utf8_get_char_n(src+i, size-i, &chr);
+-              /* refuse to add invalid data */
+-              i_assert(bytes > 0 && uni_is_valid_ucs4(chr));
+-              json_append_escaped_ucs4(dest, chr);
+-              i += bytes;
++              if (bytes > 0 && uni_is_valid_ucs4(chr)) {
++                      json_append_escaped_ucs4(dest, chr);
++                      i += bytes;
++              } else {
++                      str_append_data(dest, UNICODE_REPLACEMENT_CHAR_UTF8,
++                                            UTF8_REPLACEMENT_CHAR_LEN);
++                      i++;
++              }
+       }
+ }
+diff --git a/src/lib/test-json-parser.c b/src/lib/test-json-parser.c
+index bae6fb202..9ce1e489b 100644
+--- a/src/lib/test-json-parser.c
++++ b/src/lib/test-json-parser.c
+@@ -267,20 +267,20 @@ static void test_json_append_escaped(void)
+       string_t *str = t_str_new(32);
+ 
+       test_begin("json_append_escaped()");
+-      json_append_escaped(str, 
"\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7");
+-      test_assert(strcmp(str_c(str), 
"\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
++      json_append_escaped(str, 
"\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff");
++      test_assert(strcmp(str_c(str), 
"\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37" 
UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
+       test_end();
+ }
+ 
+ static void test_json_append_escaped_data(void)
+ {
+       static const unsigned char test_input[] =
+-              "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7";
++              "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff";
+       string_t *str = t_str_new(32);
+ 
+       test_begin("json_append_escaped()");
+       json_append_escaped_data(str, test_input, sizeof(test_input)-1);
+-      test_assert(strcmp(str_c(str), 
"\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
++      test_assert(strcmp(str_c(str), 
"\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37" 
UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
+       test_end();
+ }
+ 
+-- 
+2.11.0
+
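Review bot: The new `else` branch in `json_append_escaped_data` handles two different failures, a non-positive return from `uni_utf8_get_char_n` and a decoded value rejected by `uni_is_valid_ucs4`, but both updated tests only append a single trailing `\xff`. In the second case `i` advances by one byte rather than by `bytes`, so the rest of that sequence is decoded again byte by byte and presumably emits further replacement characters. A test with an invalid sequence in the middle of the input, followed by valid text, would pin both the resynchronisation and the output length. The removed comment also deserves a successor on the `else` branch, such as `/* invalid UTF-8: emit U+FFFD and resume decoding at the next byte */`, because callers that relied on the assert now get silently substituted output. The function's declarations sit above the hunk and are not visible here.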
diff -Nru dovecot-2.3.4.1/debian/patches/series 
dovecot-2.3.4.1/debian/patches/series
--- dovecot-2.3.4.1/debian/patches/series       2019-03-25 23:06:01.000000000 
+0200
+++ dovecot-2.3.4.1/debian/patches/series       2019-04-18 10:21:19.000000000 
+0300
@@ -10,4 +10,5 @@
 lib-master-test-event-stats-Use-PRIu64-format.patch
 avoid-double-closing-mysql.patch
 CVE-2019-7524
+CVE-2019-10691
 debian-changes
