Bug#983351: isync: diff for NMU version 1.3.0-2.1
Dear maintainer, I've prepared an NMU for isync (versioned as 1.3.0-2.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Regards, Salvatore diff -Nru isync-1.3.0/debian/changelog isync-1.3.0/debian/changelog --- isync-1.3.0/debian/changelog 2018-09-02 19:31:35.0 +0200 +++ isync-1.3.0/debian/changelog 2021-02-22 21:09:21.0 +0100 @@ -1,3 +1,16 @@ +isync (1.3.0-2.1) unstable; urgency=medium + + * Non-maintainer upload. + + [ Ond??ej Nov?? ] + * d/watch: Use https protocol + + [ Salvatore Bonaccorso ] + * reject funny mailbox names from IMAP LIST/LSUB (CVE-2021-20247) +(Closes: #983351) + + -- Salvatore Bonaccorso Mon, 22 Feb 2021 21:09:21 +0100 + isync (1.3.0-2) unstable; urgency=medium * Update vcs-* to point to salsa.d.o diff -Nru isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch --- isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch 1970-01-01 01:00:00.0 +0100 +++ isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch 2021-02-22 21:09:21.0 +0100 
@@ -0,0 +1,68 @@ +>From 45e2bdc439a01974b6b990bfb8a8968192c3b721 Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen +Date: Sun, 14 Feb 2021 20:42:37 +0100 +Subject: [PATCH] CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB + +in particular, '..' in the name could be used to escape the Path/Inbox +of a Maildir Store, which could be exploited for stealing or deleting +data, or staging a (mild) DoS attack. +--- + src/drv_imap.c | 31 ++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/src/drv_imap.c b/src/drv_imap.c +index 810479e..fbe2fed 100644 +--- a/src/drv_imap.c b/src/drv_imap.c +@@ -1258,11 +1258,12 @@ static int + parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED ) + { + string_list_t *narg; +- char *arg; ++ char *arg, c; + int argl, l; + + if (!is_atom( list )) { + error( "IMAP error: malformed LIST response\n" ); ++ listbad: + free_list( list ); + return LIST_BAD; + } +@@ -1302,6 +1303,34 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED ) + warn( "IMAP warning: ignoring mailbox %s (reserved character '/' in name)\n", arg ); + goto skip; + } ++ // Validate the normalized name. Technically speaking, we could tolerate ++ // '//' and '/./', and '/../' being forbidden is a limitation of the Maildir ++ // driver, but there isn't really a legitimate reason for these being present. ++ for (const char *p = narg->string, *sp = p;;) { ++ if (!(c = *p) || c == '/') { ++ uint pcl = (uint)(p - sp); ++ if (!pcl) { ++error( "IMAP warning: ignoring mailbox '%s' due to empty name component\n", narg->string ); ++free( narg ); ++goto skip; ++ } ++ if (pcl == 1 && sp[0] == '.') { ++error( "IMAP warning: ignoring mailbox '%s' due to '.' component\n", narg->string ); ++free( narg ); ++goto skip; ++ } ++ if (pcl == 2 && sp[0] == '.' && sp[1] == '.') { ++error( "IMAP error: LIST'd mailbox name '%s' contains '..' 
component - THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", narg->string ); ++free( narg ); ++goto listbad; ++ } ++ if (!c) ++break; ++ sp = ++p; ++ } else { ++ ++p; ++ } ++ } + narg->next = ctx->boxes; + ctx->boxes = narg; + skip: +-- +2.29.2.2.g268056bf11.dirty + diff -Nru isync-1.3.0/debian/patches/series isync-1.3.0/debian/patches/series --- isync-1.3.0/debian/patches/series 2018-09-02 19:31:35.0 +0200 +++ isync-1.3.0/debian/patches/series 2021-02-22 21:09:21.0 +0100 @@ -1 +1,2 @@ 01_sni.patch +reject-funny-mailbox-names--1.3.patch diff -Nru isync-1.3.0/debian/watch isync-1.3.0/debian/watch --- isync-1.3.0/debian/watch 2018-09-02 19:31:35.0 +0200 +++ isync-1.3.0/debian/watch 2021-02-22 21:09:21.0 +0100 @@ -1,2 +1,2 @@ version=3 -http://sf.net/isync/ isync-(.*)\.tar\.gz +https://sf.net/isync/ isync-(.*)\.tar\.gz
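Review bot: The new component check in parse_list_rsp_p2 only covers names that arrive through IMAP LIST/LSUB, while the commit message and the added comment both locate the actual path escape in the Maildir store. Any other route by which a box name reaches that driver (none is visible in this hunk) would remain unchecked, so it would be worth rejecting empty, '.' and '..' components again at the point where the Maildir path is built. Separately, the three new messages print the server-supplied `narg->string` with a bare `%s`, so a hostile server can place control or terminal-escape bytes into the log line; consider replacing non-printable bytes before logging. The two skip cases are labelled "IMAP warning:" but are emitted through `error(`, whereas the context line just above uses `warn(`; if that is intentional, a short comment such as `// error() rather than warn() on purpose` would say so. The function body starts and ends outside the hunk, and the same patch appears again in the second copy of the mail further down the page.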
Bug#983351: isync: diff for NMU version 1.3.0-2.1
Control: tags 983351 + patch Control: tags 983351 + pending Dear maintainer, I've prepared an NMU for isync (versioned as 1.3.0-2.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Regards, Salvatore diff -Nru isync-1.3.0/debian/changelog isync-1.3.0/debian/changelog --- isync-1.3.0/debian/changelog 2018-09-02 19:31:35.0 +0200 +++ isync-1.3.0/debian/changelog 2018-10-01 09:35:31.0 +0200 @@ -1,3 +1,16 @@ +isync (1.3.0-2.1) unstable; urgency=medium + + * Non-maintainer upload. + + [ Ond??ej Nov?? ] + * d/watch: Use https protocol + + [ Salvatore Bonaccorso ] + * reject funny mailbox names from IMAP LIST/LSUB (CVE-2021-20247) +(Closes: #983351) + + -- Ond??ej Nov?? Mon, 01 Oct 2018 09:35:31 +0200 + isync (1.3.0-2) unstable; urgency=medium * Update vcs-* to point to salsa.d.o diff -Nru isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch --- isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch 1970-01-01 01:00:00.0 +0100 +++ isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch 2018-10-01 09:35:31.0 +0200 
@@ -0,0 +1,68 @@ +>From 45e2bdc439a01974b6b990bfb8a8968192c3b721 Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen +Date: Sun, 14 Feb 2021 20:42:37 +0100 +Subject: [PATCH] CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB + +in particular, '..' in the name could be used to escape the Path/Inbox +of a Maildir Store, which could be exploited for stealing or deleting +data, or staging a (mild) DoS attack. +--- + src/drv_imap.c | 31 ++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/src/drv_imap.c b/src/drv_imap.c +index 810479e..fbe2fed 100644 +--- a/src/drv_imap.c b/src/drv_imap.c +@@ -1258,11 +1258,12 @@ static int + parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED ) + { + string_list_t *narg; +- char *arg; ++ char *arg, c; + int argl, l; + + if (!is_atom( list )) { + error( "IMAP error: malformed LIST response\n" ); ++ listbad: + free_list( list ); + return LIST_BAD; + } +@@ -1302,6 +1303,34 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED ) + warn( "IMAP warning: ignoring mailbox %s (reserved character '/' in name)\n", arg ); + goto skip; + } ++ // Validate the normalized name. Technically speaking, we could tolerate ++ // '//' and '/./', and '/../' being forbidden is a limitation of the Maildir ++ // driver, but there isn't really a legitimate reason for these being present. ++ for (const char *p = narg->string, *sp = p;;) { ++ if (!(c = *p) || c == '/') { ++ uint pcl = (uint)(p - sp); ++ if (!pcl) { ++error( "IMAP warning: ignoring mailbox '%s' due to empty name component\n", narg->string ); ++free( narg ); ++goto skip; ++ } ++ if (pcl == 1 && sp[0] == '.') { ++error( "IMAP warning: ignoring mailbox '%s' due to '.' component\n", narg->string ); ++free( narg ); ++goto skip; ++ } ++ if (pcl == 2 && sp[0] == '.' && sp[1] == '.') { ++error( "IMAP error: LIST'd mailbox name '%s' contains '..' 
component - THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", narg->string ); ++free( narg ); ++goto listbad; ++ } ++ if (!c) ++break; ++ sp = ++p; ++ } else { ++ ++p; ++ } ++ } + narg->next = ctx->boxes; + ctx->boxes = narg; + skip: +-- +2.29.2.2.g268056bf11.dirty + diff -Nru isync-1.3.0/debian/patches/series isync-1.3.0/debian/patches/series --- isync-1.3.0/debian/patches/series 2018-09-02 19:31:35.0 +0200 +++ isync-1.3.0/debian/patches/series 2018-10-01 09:35:31.0 +0200 @@ -1 +1,2 @@ 01_sni.patch +reject-funny-mailbox-names--1.3.patch diff -Nru isync-1.3.0/debian/watch isync-1.3.0/debian/watch --- isync-1.3.0/debian/watch 2018-09-02 19:31:35.0 +0200 +++ isync-1.3.0/debian/watch 2018-10-01 09:35:31.0 +0200 @@ -1,2 +1,2 @@ version=3 -http://sf.net/isync/ isync-(.*)\.tar\.gz +https://sf.net/isync/ isync-(.*)\.tar\.gz