Bug#983351: isync: diff for NMU version 1.3.0-2.1

2021-02-22 Thread Salvatore Bonaccorso
Dear maintainer,

I've prepared an NMU for isync (versioned as 1.3.0-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru isync-1.3.0/debian/changelog isync-1.3.0/debian/changelog
--- isync-1.3.0/debian/changelog	2018-09-02 19:31:35.0 +0200
+++ isync-1.3.0/debian/changelog	2021-02-22 21:09:21.0 +0100
@@ -1,3 +1,16 @@
+isync (1.3.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ Ond??ej Nov?? ]
+  * d/watch: Use https protocol
+
+  [ Salvatore Bonaccorso ]
+  * reject funny mailbox names from IMAP LIST/LSUB (CVE-2021-20247)
+(Closes: #983351)
+
+ -- Salvatore Bonaccorso   Mon, 22 Feb 2021 21:09:21 +0100
+
 isync (1.3.0-2) unstable; urgency=medium
 
   * Update vcs-* to point to salsa.d.o
diff -Nru isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch
--- isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch	1970-01-01 01:00:00.0 +0100
+++ isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch	2021-02-22 21:09:21.0 +0100
@@ -0,0 +1,68 @@
+>From 45e2bdc439a01974b6b990bfb8a8968192c3b721 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen 
+Date: Sun, 14 Feb 2021 20:42:37 +0100
+Subject: [PATCH] CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB
+
+in particular, '..' in the name could be used to escape the Path/Inbox
+of a Maildir Store, which could be exploited for stealing or deleting
+data, or staging a (mild) DoS attack.
+---
+ src/drv_imap.c | 31 ++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/drv_imap.c b/src/drv_imap.c
+index 810479e..fbe2fed 100644
+--- a/src/drv_imap.c
 b/src/drv_imap.c
+@@ -1258,11 +1258,12 @@ static int
+ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
+ {
+ 	string_list_t *narg;
+-	char *arg;
++	char *arg, c;
+ 	int argl, l;
+ 
+ 	if (!is_atom( list )) {
+ 		error( "IMAP error: malformed LIST response\n" );
++	  listbad:
+ 		free_list( list );
+ 		return LIST_BAD;
+ 	}
+@@ -1302,6 +1303,34 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
+ 		warn( "IMAP warning: ignoring mailbox %s (reserved character '/' in name)\n", arg );
+ 		goto skip;
+ 	}
++	// Validate the normalized name. Technically speaking, we could tolerate
++	// '//' and '/./', and '/../' being forbidden is a limitation of the Maildir
++	// driver, but there isn't really a legitimate reason for these being present.
++	for (const char *p = narg->string, *sp = p;;) {
++		if (!(c = *p) || c == '/') {
++			uint pcl = (uint)(p - sp);
++			if (!pcl) {
++error( "IMAP warning: ignoring mailbox '%s' due to empty name component\n", narg->string );
++free( narg );
++goto skip;
++			}
++			if (pcl == 1 && sp[0] == '.') {
++error( "IMAP warning: ignoring mailbox '%s' due to '.' component\n", narg->string );
++free( narg );
++goto skip;
++			}
++			if (pcl == 2 && sp[0] == '.' && sp[1] == '.') {
++error( "IMAP error: LIST'd mailbox name '%s' contains '..' component - THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", narg->string );
++free( narg );
++goto listbad;
++			}
++			if (!c)
++break;
++			sp = ++p;
++		} else {
++			++p;
++		}
++	}
+ 	narg->next = ctx->boxes;
+ 	ctx->boxes = narg;
+   skip:
+-- 
+2.29.2.2.g268056bf11.dirty
+
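Review bot: The two `goto skip` branches in the added validation loop call `error()` with text that begins "IMAP warning:", while the context line just above them reports a skipped mailbox through `warn()`; either the call or the prefix should change, e.g. `warn( "IMAP warning: ignoring mailbox '%s' due to '.' component\n", narg->string );` and the same for the empty-component case, keeping `error()` for the '..' case that aborts the listing. The new `listbad:` label sits inside the body of `if (!is_atom( list ))`, so `goto listbad` from the loop jumps into an unrelated branch; a cleanup label at function scope would be easier to follow, though the end of `parse_list_rsp_p2` is outside the hunk. The rejected name is supplied by the server and printed unmodified with `%s`, so it is worth confirming that `error()`/`warn()` do not pass control characters through to the terminal or log, which is not visible here. Since the added comment attributes the '..' restriction to the Maildir driver, a matching check where that driver builds the path would presumably also cover names that arrive by other routes. The same patch is repeated further down the page and these remarks apply there as well.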
diff -Nru isync-1.3.0/debian/patches/series isync-1.3.0/debian/patches/series
--- isync-1.3.0/debian/patches/series	2018-09-02 19:31:35.0 +0200
+++ isync-1.3.0/debian/patches/series	2021-02-22 21:09:21.0 +0100
@@ -1 +1,2 @@
 01_sni.patch
+reject-funny-mailbox-names--1.3.patch
diff -Nru isync-1.3.0/debian/watch isync-1.3.0/debian/watch
--- isync-1.3.0/debian/watch	2018-09-02 19:31:35.0 +0200
+++ isync-1.3.0/debian/watch	2021-02-22 21:09:21.0 +0100
@@ -1,2 +1,2 @@
 version=3
-http://sf.net/isync/ isync-(.*)\.tar\.gz
+https://sf.net/isync/ isync-(.*)\.tar\.gz


Bug#983351: isync: diff for NMU version 1.3.0-2.1

2021-02-22 Thread Salvatore Bonaccorso
Control: tags 983351 + patch
Control: tags 983351 + pending


Dear maintainer,

I've prepared an NMU for isync (versioned as 1.3.0-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru isync-1.3.0/debian/changelog isync-1.3.0/debian/changelog
--- isync-1.3.0/debian/changelog	2018-09-02 19:31:35.0 +0200
+++ isync-1.3.0/debian/changelog	2018-10-01 09:35:31.0 +0200
@@ -1,3 +1,16 @@
+isync (1.3.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ Ond??ej Nov?? ]
+  * d/watch: Use https protocol
+
+  [ Salvatore Bonaccorso ]
+  * reject funny mailbox names from IMAP LIST/LSUB (CVE-2021-20247)
+(Closes: #983351)
+
+ -- Ond??ej Nov??   Mon, 01 Oct 2018 09:35:31 +0200
+
 isync (1.3.0-2) unstable; urgency=medium
 
   * Update vcs-* to point to salsa.d.o
diff -Nru isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch
--- isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch	1970-01-01 01:00:00.0 +0100
+++ isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch	2018-10-01 09:35:31.0 +0200
@@ -0,0 +1,68 @@
+>From 45e2bdc439a01974b6b990bfb8a8968192c3b721 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen 
+Date: Sun, 14 Feb 2021 20:42:37 +0100
+Subject: [PATCH] CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB
+
+in particular, '..' in the name could be used to escape the Path/Inbox
+of a Maildir Store, which could be exploited for stealing or deleting
+data, or staging a (mild) DoS attack.
+---
+ src/drv_imap.c | 31 ++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/drv_imap.c b/src/drv_imap.c
+index 810479e..fbe2fed 100644
+--- a/src/drv_imap.c
 b/src/drv_imap.c
+@@ -1258,11 +1258,12 @@ static int
+ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
+ {
+ 	string_list_t *narg;
+-	char *arg;
++	char *arg, c;
+ 	int argl, l;
+ 
+ 	if (!is_atom( list )) {
+ 		error( "IMAP error: malformed LIST response\n" );
++	  listbad:
+ 		free_list( list );
+ 		return LIST_BAD;
+ 	}
+@@ -1302,6 +1303,34 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
+ 		warn( "IMAP warning: ignoring mailbox %s (reserved character '/' in name)\n", arg );
+ 		goto skip;
+ 	}
++	// Validate the normalized name. Technically speaking, we could tolerate
++	// '//' and '/./', and '/../' being forbidden is a limitation of the Maildir
++	// driver, but there isn't really a legitimate reason for these being present.
++	for (const char *p = narg->string, *sp = p;;) {
++		if (!(c = *p) || c == '/') {
++			uint pcl = (uint)(p - sp);
++			if (!pcl) {
++error( "IMAP warning: ignoring mailbox '%s' due to empty name component\n", narg->string );
++free( narg );
++goto skip;
++			}
++			if (pcl == 1 && sp[0] == '.') {
++error( "IMAP warning: ignoring mailbox '%s' due to '.' component\n", narg->string );
++free( narg );
++goto skip;
++			}
++			if (pcl == 2 && sp[0] == '.' && sp[1] == '.') {
++error( "IMAP error: LIST'd mailbox name '%s' contains '..' component - THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", narg->string );
++free( narg );
++goto listbad;
++			}
++			if (!c)
++break;
++			sp = ++p;
++		} else {
++			++p;
++		}
++	}
+ 	narg->next = ctx->boxes;
+ 	ctx->boxes = narg;
+   skip:
+-- 
+2.29.2.2.g268056bf11.dirty
+
diff -Nru isync-1.3.0/debian/patches/series isync-1.3.0/debian/patches/series
--- isync-1.3.0/debian/patches/series	2018-09-02 19:31:35.0 +0200
+++ isync-1.3.0/debian/patches/series	2018-10-01 09:35:31.0 +0200
@@ -1 +1,2 @@
 01_sni.patch
+reject-funny-mailbox-names--1.3.patch
diff -Nru isync-1.3.0/debian/watch isync-1.3.0/debian/watch
--- isync-1.3.0/debian/watch	2018-09-02 19:31:35.0 +0200
+++ isync-1.3.0/debian/watch	2018-10-01 09:35:31.0 +0200
@@ -1,2 +1,2 @@
 version=3
-http://sf.net/isync/ isync-(.*)\.tar\.gz
+https://sf.net/isync/ isync-(.*)\.tar\.gz