Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: car...@debian.org
Hi Stable release managers,

I would like to propose to include in the upcoming point release an isync update, versioned as 1.3.0-2.2~deb10u1, which is a rebuild of the version in unstable containing two CVE fixes. I decided to opt for the rebuild including the CVE fixes because the only other change in 1.3.0-2.1 was the debian/watch switch to the https URL.

[ Reason ]
Fix for CVE-2021-3578 and CVE-2021-20247 for buster.

[ Impact ]
We keep CVE-2021-3578 and CVE-2021-20247 affecting buster. The CVEs on the other hand are not warranting a DSA.

[ Tests ]
None specifically.

[ Risks ]
We apply the same changes as in unstable, and TTBOMK no regression reports were reported. The update was acked to be unblocked to testing.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply the upstream fixes for CVE-2021-3578 and CVE-2021-20247, additionally Ondrej Novy updated the debian/watch used URL to use HTTPS.

[ Other info ]
None

Regards,
Salvatore
diff -Nru isync-1.3.0/debian/changelog isync-1.3.0/debian/changelog --- isync-1.3.0/debian/changelog 2018-09-02 19:31:35.000000000 +0200 +++ isync-1.3.0/debian/changelog 2021-06-09 21:21:48.000000000 +0200 @@ -1,3 +1,31 @@ +isync (1.3.0-2.2~deb10u1) buster; urgency=medium + + * Non-maintainer upload. + * Rebuild for buster + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 09 Jun 2021 21:21:48 +0200 + +isync (1.3.0-2.2) unstable; urgency=medium + + * Non-maintainer upload. + * fix handling of unexpected APPENDUID response code (CVE-2021-3578) + (Closes: #989564) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 07 Jun 2021 21:03:56 +0200 + +isync (1.3.0-2.1) unstable; urgency=medium + + * Non-maintainer upload. + + [ Ondřej Nový ] + * d/watch: Use https protocol + + [ Salvatore Bonaccorso ] + * reject funny mailbox names from IMAP LIST/LSUB (CVE-2021-20247) + (Closes: #983351) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 22 Feb 2021 21:09:21 +0100 + isync (1.3.0-2) unstable; urgency=medium * Update vcs-* to point to salsa.d.o diff -Nru isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch --- isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch 1970-01-01 01:00:00.000000000 +0100 +++ isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch 2021-06-09 21:21:48.000000000 +0200 
@@ -0,0 +1,80 @@ +From 5fbed519180f155a017a438e479b6268b74b9526 Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen <o...@users.sf.net> +Date: Wed, 14 Apr 2021 16:58:27 +0200 +Subject: [PATCH] fix handling of unexpected APPENDUID response code + +if the code was sent in response to anything but a STORE, we'd overwrite +a data pointer in one of our imap_cmd subclasses, an allocator data +structure, or the start of the next allocation, with an int that was +completely under the server's control. it's plausible that this could be +exploited for remote code execution. + +to avoid this, we could ensure that the object is of the right type +prior to casting, by using a new flag in the parameter block. but it's +easier to just dispose of the out_uid field altogether and reuse the uid +field that is present in the parameter block anyway, but was used only +for FETCH commands so far. + +this problem was found by Lukas Braun <ko...@moshbit.net> using a +fuzzer. +--- + src/drv_imap.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/src/drv_imap.c b/src/drv_imap.c +index fbe2fed..4cc3b2a 100644 +--- a/src/drv_imap.c ++++ b/src/drv_imap.c +@@ -181,7 +181,6 @@ typedef struct { + imap_cmd_t gen; + void (*callback)( int sts, uint uid, void *aux ); + void *callback_aux; +- uint out_uid; + } imap_cmd_out_uid_t; + + typedef struct { +@@ -1184,11 +1183,22 @@ parse_response_code( imap_store_t *ctx, imap_cmd_t *cmd, char *s ) + */ + for (; isspace( (uchar)*p ); p++); + error( "*** IMAP ALERT *** %s\n", p ); +- } else if (cmd && !strcmp( "APPENDUID", arg )) { ++ } else if (!strcmp( "APPENDUID", arg )) { ++ // The checks ensure that: ++ // - cmd => this is the final tagged response of a command, at which ++ // point cmd was already removed from ctx->in_progress, so param.uid ++ // is available for reuse. ++ // - !param.uid => the command isn't actually a FETCH. 
This doesn't ++ // really matter, as the field is safe to overwrite given the ++ // previous condition; it just has no effect for non-APPENDs. ++ if (!cmd || cmd->param.uid) { ++ error( "IMAP error: unexpected APPENDUID status\n" ); ++ return RESP_CANCEL; ++ } + if (!(arg = next_arg( &s )) || + (ctx->uidvalidity = strtoul( arg, &earg, 10 ), *earg) || + !(arg = next_arg( &s )) || +- (((imap_cmd_out_uid_t *)cmd)->out_uid = strtoul( arg, &earg, 10 ), *earg)) ++ (cmd->param.uid = strtoul( arg, &earg, 10 ), *earg)) + { + error( "IMAP error: malformed APPENDUID status\n" ); + return RESP_CANCEL; +@@ -2957,7 +2967,6 @@ imap_store_msg( store_t *gctx, msg_data_t *data, int to_trash, + ctx->buffer_mem += data->len; + cmd->gen.param.data_len = data->len; + cmd->gen.param.data = data->data; +- cmd->out_uid = 0; + + if (to_trash) { + cmd->gen.param.create = 1; +@@ -2990,7 +2999,7 @@ imap_store_msg_p2( imap_store_t *ctx ATTR_UNUSED, imap_cmd_t *cmd, int response + imap_cmd_out_uid_t *cmdp = (imap_cmd_out_uid_t *)cmd; + + transform_msg_response( &response ); +- cmdp->callback( response, cmdp->out_uid, cmdp->callback_aux ); ++ cmdp->callback( response, cmdp->gen.param.uid, cmdp->callback_aux ); + } + + /******************* imap_find_new_msgs *******************/ +-- +2.31.1.2.g8c0bdb8a70 + diff -Nru isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch --- isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch 1970-01-01 01:00:00.000000000 +0100 +++ isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch 2021-06-09 21:21:48.000000000 +0200 
@@ -0,0 +1,68 @@ +>From 45e2bdc439a01974b6b990bfb8a8968192c3b721 Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen <o...@users.sf.net> +Date: Sun, 14 Feb 2021 20:42:37 +0100 +Subject: [PATCH] CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB + +in particular, '..' in the name could be used to escape the Path/Inbox +of a Maildir Store, which could be exploited for stealing or deleting +data, or staging a (mild) DoS attack. +--- + src/drv_imap.c | 31 ++++++++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/src/drv_imap.c b/src/drv_imap.c +index 810479e..fbe2fed 100644 +--- a/src/drv_imap.c ++++ b/src/drv_imap.c +@@ -1258,11 +1258,12 @@ static int + parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED ) + { + string_list_t *narg; +- char *arg; ++ char *arg, c; + int argl, l; + + if (!is_atom( list )) { + error( "IMAP error: malformed LIST response\n" ); ++ listbad: + free_list( list ); + return LIST_BAD; + } +@@ -1302,6 +1303,34 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED ) + warn( "IMAP warning: ignoring mailbox %s (reserved character '/' in name)\n", arg ); + goto skip; + } ++ // Validate the normalized name. Technically speaking, we could tolerate ++ // '//' and '/./', and '/../' being forbidden is a limitation of the Maildir ++ // driver, but there isn't really a legitimate reason for these being present. ++ for (const char *p = narg->string, *sp = p;;) { ++ if (!(c = *p) || c == '/') { ++ uint pcl = (uint)(p - sp); ++ if (!pcl) { ++ error( "IMAP warning: ignoring mailbox '%s' due to empty name component\n", narg->string ); ++ free( narg ); ++ goto skip; ++ } ++ if (pcl == 1 && sp[0] == '.') { ++ error( "IMAP warning: ignoring mailbox '%s' due to '.' component\n", narg->string ); ++ free( narg ); ++ goto skip; ++ } ++ if (pcl == 2 && sp[0] == '.' && sp[1] == '.') { ++ error( "IMAP error: LIST'd mailbox name '%s' contains '..' 
component - THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", narg->string ); ++ free( narg ); ++ goto listbad; ++ } ++ if (!c) ++ break; ++ sp = ++p; ++ } else { ++ ++p; ++ } ++ } + narg->next = ctx->boxes; + ctx->boxes = narg; + skip: +-- +2.29.2.2.g268056bf11.dirty + diff -Nru isync-1.3.0/debian/patches/series isync-1.3.0/debian/patches/series --- isync-1.3.0/debian/patches/series 2018-09-02 19:31:35.000000000 +0200 +++ isync-1.3.0/debian/patches/series 2021-06-09 21:21:48.000000000 +0200 @@ -1 +1,3 @@ 01_sni.patch +reject-funny-mailbox-names--1.3.patch +fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch diff -Nru isync-1.3.0/debian/watch isync-1.3.0/debian/watch --- isync-1.3.0/debian/watch 2018-09-02 19:31:35.000000000 +0200 +++ isync-1.3.0/debian/watch 2021-06-09 21:21:48.000000000 +0200 @@ -1,2 +1,2 @@ version=3 -http://sf.net/isync/ isync-(.*)\.tar\.gz +https://sf.net/isync/ isync-(.*)\.tar\.gz
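Review bot: in the parse_response_code hunk of fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch, the new guard `if (!cmd || cmd->param.uid)` also changes behaviour for the cmd == NULL case: the old condition `cmd && !strcmp( "APPENDUID", arg )` silently ignored an APPENDUID code outside a tagged response, while the new code logs "unexpected APPENDUID status" and returns RESP_CANCEL. That is the right hardening given the commit message (the int written through the bogus cast was fully server-controlled), but the d/changelog entry only says "fix handling", so a short sentence there noting that stray APPENDUID codes now abort the command would help anyone who starts seeing the new error against a quirky server. The guard also depends on param.uid being zero for every non-FETCH command, which the in-patch comment asserts but this hunk does not show; see the imap_store_msg hunk.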
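Review bot: in the imap_store_msg hunk of the same patch, `cmd->out_uid = 0;` is removed but no `cmd->gen.param.uid = 0;` takes its place, even though parse_response_code now treats a non-zero param.uid as "this is a FETCH" and rejects the APPENDUID. Nothing in the debdiff shows the command allocator clearing the parameter block, so please confirm it is zero-initialised (or add the explicit assignment); otherwise a stale uid in a recycled command would make a legitimate APPEND fail with RESP_CANCEL.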
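Review bot: in the first parse_list_rsp_p2 hunk of reject-funny-mailbox-names--1.3.patch, the new `listbad:` label is placed inside the `if (!is_atom( list ))` body, right after the error() call, so the later `goto listbad` jumps into the middle of a conditional block. It is valid C and shares the `free_list( list ); return LIST_BAD;` cleanup correctly, but a label at function scope (or a dedicated cleanup path) would make the control flow easier to audit in a function that now has three distinct exits (skip, listbad, and the normal return).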
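Review bot: in the second parse_list_rsp_p2 hunk, the empty-component and '.' cases use error() with a message prefixed "IMAP warning:", while the reserved-'/' case just above uses warn() for the same skip-and-continue outcome; pick one so the log severity matches the text (warn() fits these, whereas the '..' case correctly uses error() and aborts the whole listing via listbad). The severity split itself is sound, since '..' is the traversal vector the commit message names and the other two are merely malformed, and a one-line comment stating that distinction would document the intent. Each rejection path does free narg before jumping, so there is no leak on those paths, and a leading or trailing '/' is caught by the empty-component check.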
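Review bot: in the debian/patches/series hunk, the ordering (reject-funny-mailbox-names--1.3.patch before fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch) matches the blob ids recorded in the two patches (index 810479e..fbe2fed, then fbe2fed..4cc3b2a), so they apply cleanly in sequence; keep that order if further src/drv_imap.c patches are appended.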