On 2024-06-14 14:01:36 +0100, Dale Richards wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: python-aiosm...@packages.debian.org, d...@dalerichards.net
> Control: affects -1 + src:python-aiosmtpd
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> This update resolves two security vulnerabilities present in
> the version of python-aiosmtpd in Bookworm (1.4.3-1.1):
>
> * CVE-2024-27305 - SMTP smuggling due to poor handling of
>   non-standard line endings (Bug: #1066820)
> * CVE-2024-34083 - STARTTLS unencrypted command injection
>   (Bug: #1072119)
>
> These have both been deemed unworthy of a DSA, but the
> Security Team have suggested we update this package for the
> next Bookworm point release.
Also uploaded the fix for bookworm since #1073206 was ACKed.

Cheers

> [ Impact ]
> Without this update, Debian 12 systems running aiosmtpd would
> remain vulnerable to the two CVEs listed above.
>
> [ Tests ]
> The upstream package includes a comprehensive suite of tests,
> all of which are passing with this new version. Additionally,
> I have installed the new package on a Bookworm test box and
> performed manual testing, confirming that the package's main
> functionality works and that the two vulnerabilities are
> correctly resolved.
>
> [ Risks ]
> The code changes are minor, and bring aiosmtpd into compliance
> with the relevant sections of RFC 3207[1] and RFC 5321[2].
> The update can therefore be considered low risk, and will not
> cause an issue with any RFC-compliant SMTP client or MTA.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> * CVE-2024-27305 - Patch aiosmtpd/smtp.py to accept only <CRLF>
>   as a line terminator, as mandated by RFC 5321[2]. This patch
>   has been adapted from the fix committed upstream[3].
> * CVE-2024-34083 - Patch aiosmtpd/smtp.py to discard any
>   remaining unencrypted data in the input buffer upon completion
>   of a STARTTLS handshake, as mandated by RFC 3207[1]. This patch
>   has been adapted from the fix committed upstream[4].
>
> [ Other info ]
>
> References:
>
> [1] https://datatracker.ietf.org/doc/html/rfc3207#page-7
> [2] https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
> [3] https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
> [4] https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
> diff -Nru python-aiosmtpd-1.4.3/debian/changelog > python-aiosmtpd-1.4.3/debian/changelog > --- python-aiosmtpd-1.4.3/debian/changelog 2023-05-25 15:09:53.000000000 > +0100 > +++ python-aiosmtpd-1.4.3/debian/changelog 2024-06-07 18:11:07.000000000 > +0100 > @@ -1,3 +1,13 @@ > +python-aiosmtpd (1.4.3-1.1+deb12u1) bookworm; urgency=medium > + > + * Team upload. > + * CVE-2024-27305 - SMTP smuggling due to poor handling of > + non-standard line endings (Closes: #1066820) > + * CVE-2024-34083 - STARTTLS unencrypted command injection > + (Closes: #1072119) > + > + -- Dale Richards <d...@dalerichards.net> Fri, 07 Jun 2024 18:11:07 +0100 > + > python-aiosmtpd (1.4.3-1.1) unstable; urgency=medium > > * Non-maintainer upload. > diff -Nru python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch > python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch > --- python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch > 2024-06-07 18:11:07.000000000 +0100 
> @@ -0,0 +1,19 @@ > +Description: CVE-2024-34083 - STARTTLS unencrypted command injection > +Author: Dale Richards <d...@dalerichards.net> > +Origin: upstream, > https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda > +Bug: > https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8 > +Last-Update: 2024-06-07 > +--- > +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ > +--- a/aiosmtpd/smtp.py > ++++ b/aiosmtpd/smtp.py > +@@ -504,6 +504,9 @@ > + self._reader._transport = transport > + self._writer._transport = transport > + self.transport = transport > ++ # Discard any leftover unencrypted data > ++ # See https://tools.ietf.org/html/rfc3207#page-7 > ++ self._reader._buffer.clear() # type: ignore[attr-defined] > + # Do SSL certificate checking as rfc3207 part 4.1 says. Why is > + # _extra a protected attribute? > + self.session.ssl = self._tls_protocol._extra > diff -Nru python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch > python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch > --- python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch > 2024-06-07 18:11:07.000000000 +0100 
> @@ -0,0 +1,51 @@ > +Description: CVE-2024-27305 - SMTP smuggling > + SMTP smuggling due to poor handling of > + non-standard line endings > +Author: Dale Richards <d...@dalerichards.net> > +Origin: upstream, > https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb > +Bug: > https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65 > +Last-Update: 2024-06-07 > +--- > +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ > +--- a/aiosmtpd/smtp.py > ++++ b/aiosmtpd/smtp.py > +@@ -86,7 +86,7 @@ > + EMPTY_BARR = bytearray() > + EMPTYBYTES = b'' > + MISSING = _Missing() > +-NEWLINE = '\n' > ++NEWLINE = '\r\n' > + VALID_AUTHMECH = re.compile(r"[A-Z0-9_-]+\Z") > + > + # https://tools.ietf.org/html/rfc3207.html#page-3 > +@@ -1375,9 +1375,10 @@ > + # Since eof_received cancels this coroutine, > + # readuntil() can never raise asyncio.IncompleteReadError. > + try: > +- line: bytes = await self._reader.readuntil() > ++ # > https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8 > ++ line: bytes = await self._reader.readuntil(b'\r\n') > + log.debug('DATA readline: %s', line) > +- assert line.endswith(b'\n') > ++ assert line.endswith(b'\r\n') > + except asyncio.CancelledError: > + # The connection got reset during the DATA command. > + log.info('Connection lost during DATA') > +@@ -1394,7 +1395,7 @@ > + data *= 0 > + # Drain the stream anyways > + line = await self._reader.read(e.consumed) > +- assert not line.endswith(b'\n') > ++ assert not line.endswith(b'\r\n') > + # A lone dot in a line signals the end of DATA. 
> + if not line_fragments and line == b'.\r\n': > + break > +@@ -1406,7 +1407,7 @@ > + # Discard data immediately to prevent memory pressure > + data *= 0 > + line_fragments.append(line) > +- if line.endswith(b'\n'): > ++ if line.endswith(b'\r\n'): > + # Record data only if state is "NOMINAL" > + if state == _DataState.NOMINAL: > + line = EMPTY_BARR.join(line_fragments) > diff -Nru python-aiosmtpd-1.4.3/debian/patches/series > python-aiosmtpd-1.4.3/debian/patches/series > --- python-aiosmtpd-1.4.3/debian/patches/series 2023-05-25 > 15:09:53.000000000 +0100 > +++ python-aiosmtpd-1.4.3/debian/patches/series 2024-06-07 > 18:11:07.000000000 +0100 > @@ -2,3 +2,5 @@ > 0002-Drop-sphinx-autofixture-extension-requirement.patch > 0003-Remove-imported-images-from-the-web-for-privacy.patch > 0004-Replace-a-dynamic-date-in-copyright-by-a-static-one.patch > +0005-cve-2024-34083.patch > +0006-cve-2024-27305.patch -- Sebastian Ramacher
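Review bot: in 0005-cve-2024-34083.patch the DEP-3 header only carries the GitHub advisory under `Bug:`; add a `Bug-Debian: https://bugs.debian.org/1072119` line so the patch cross-references the Debian bug the changelog closes. The added `self._reader._buffer.clear()  # type: ignore[attr-defined]` reaches into a private attribute of asyncio.StreamReader, which is what upstream did and is acceptable for a point-release backport, but the two comment lines above it should say this reliance on a private buffer is deliberate, so that a future behavioural change in bookworm's Python is not mistaken for a regression introduced by this patch.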
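Review bot: in 0006-cve-2024-27305.patch the added comment line `++ # https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8`, the `Origin:` URL and the `Bug:` URL have been wrapped by the mail client onto a second quoted line (the `# >` split is visible in the hunk), so this debdiff will not apply if taken from the message body; attach it as a file or confirm the uploaded source carries the unbroken lines. As with 0005, add `Bug-Debian: https://bugs.debian.org/1066820`. The `-NEWLINE = '\n'` / `+NEWLINE = '\r\n'` change at the top of smtp.py is module-wide rather than local to the DATA reader, so if `NEWLINE` is referenced anywhere other than the hunks shown, confirm those call sites are meant to change as well and say so in the patch description.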
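As an added illustration of why the CVE-2024-27305 hunk switches `readuntil()` to `b'\r\n'` (this is example code written for this page, not code from the debdiff or from aiosmtpd): it mirrors the page's unchanged end-of-DATA test (`line == b'.\r\n'`) on an in-memory asyncio.StreamReader and shows that a reader splitting on bare `<LF>` ends DATA at `<LF>.<CRLF>` and leaves the rest of the body in the buffer, while the CRLF-only reader consumes the whole message. The sample body and the two helper functions are constructed for this example.

```python
import asyncio

# Constructed sample DATA body (not from the page): a line ending in a bare LF
# is immediately followed by what looks like the dot line.  Under RFC 5321 only
# "<CRLF>.<CRLF>" ends DATA, so "line one\n.\r\n" is ordinary body text and the
# message really ends at the final ".\r\n".
SAMPLE_DATA = b"Subject: test\r\n\r\nline one\n.\r\nline two\r\n.\r\n"


async def _read_data(payload: bytes, terminator: bytes) -> tuple[list[bytes], bytes]:
    """Consume DATA lines from an in-memory stream until the lone-dot line.

    terminator is what readuntil() waits for: a bare LF reproduces the
    pre-patch reader, CRLF the RFC 5321 reader adopted by the fix.  The
    end-of-DATA test (line == b'.\\r\\n') is the unchanged check from the hunk.
    Returns (body_lines, bytes_left_in_buffer); the leftover is what a real
    server would go on to parse as the next command.
    """
    reader = asyncio.StreamReader()
    reader.feed_data(payload)
    reader.feed_eof()
    lines: list[bytes] = []
    leftover = b""
    while True:
        try:
            line = await reader.readuntil(terminator)
        except asyncio.IncompleteReadError as err:
            leftover = err.partial  # stream closed before a terminating dot line
            break
        if line == b".\r\n":
            leftover = await reader.read()  # unread bytes after end-of-DATA
            break
        lines.append(line)
    return lines, leftover


def body_lines(payload: bytes, strict_crlf: bool) -> tuple[list[bytes], bytes]:
    """Parse a DATA body with the pre-patch (LF) or patched (CRLF-only) reader."""
    terminator = b"\r\n" if strict_crlf else b"\n"
    return asyncio.run(_read_data(payload, terminator))


if __name__ == "__main__":
    for strict in (False, True):
        lines, leftover = body_lines(SAMPLE_DATA, strict)
        label = "CRLF-only reader" if strict else "bare-LF reader  "
        print(label, len(lines), "body lines; left in buffer:", leftover)
```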