Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org
Dear release team, [ Reason ] I would like to update isync in Buster and fix CVE-2021-3657. It was marked no-dsa by the security team. [ Impact ] CVE-2021-3657 will not be fixed in Buster [ Tests ] I have installed isync and synchronized a gmail account with a local directory. Everything works as intended. [ Risks ] I am not aware of any risks. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] I applied the upstream patch to fix CVE-2021-3657. There were no other changes. Regards, Markus
diff -Nru isync-1.3.0/debian/changelog isync-1.3.0/debian/changelog
--- isync-1.3.0/debian/changelog 2021-06-09 21:21:48.000000000 +0200
+++ isync-1.3.0/debian/changelog 2022-06-28 15:58:18.000000000 +0200
@@ -1,3 +1,15 @@
+isync (1.3.0-2.2~deb10u2) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2021-3657:
+ A flaw was found in mbsync. Due to inadequate handling of extremely large
+ (>=2GiB) IMAP literals, malicious or compromised IMAP servers, and
+ hypothetically even external email senders, could cause several different
+ buffer overflows, which could conceivably be exploited for remote code
+ execution.
+
+ -- Markus Koschany <a...@debian.org> Tue, 28 Jun 2022 15:58:18 +0200
+
 isync (1.3.0-2.2~deb10u1) buster; urgency=medium
 
 * Non-maintainer upload.
diff -Nru isync-1.3.0/debian/patches/CVE-2021-3657.patch isync-1.3.0/debian/patches/CVE-2021-3657.patch
--- isync-1.3.0/debian/patches/CVE-2021-3657.patch 1970-01-01 01:00:00.000000000 +0100
+++ isync-1.3.0/debian/patches/CVE-2021-3657.patch 2022-06-28 15:58:18.000000000 +0200
@@ -0,0 +1,151 @@
+From: Markus Koschany <a...@debian.org>
+Date: Tue, 28 Jun 2022 10:02:49 +0200
+Subject: CVE-2021-3657
+
+Origin: https://www.openwall.com/lists/oss-security/2021/12/03/1
+---
+ src/drv_imap.c | 9 +++++++++
+ src/drv_maildir.c | 8 +++++++-
+ src/socket.c | 8 ++++++--
+ src/sync.c | 15 ++++++++++-----
+ 4 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/src/drv_imap.c b/src/drv_imap.c
+index dd39074..20f0c78 100644
+--- a/src/drv_imap.c
++++ b/src/drv_imap.c
+@@ -779,6 +779,11 @@ parse_imap_list( imap_store_t *ctx, char **sp, parse_list_state_t *sts )
+ bytes = cur->len = strtol( s + 1, &s, 10 );
+ if (*s != '}' || *++s)
+ goto bail;
++ if ((uint)bytes >= INT_MAX) {
++ error( "IMAP error: excessively large literal from %s "
++ "- THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", ctx->conn.name );
++ goto bail;
++ }
+ 
+ s = cur->val = nfmalloc( cur->len + 1 );
+ s[cur->len] = 0;
+@@ -1259,6 +1264,10 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
+ }
+ arg = list->val;
+ argl = list->len;
++ if (argl > 1000) {
++ warn( "IMAP warning: ignoring unreasonably long mailbox name '%.100s[...]'\n", arg );
++ goto skip;
++ }
+ if ((l = strlen( ctx->prefix ))) {
+ if (starts_with( arg, argl, ctx->prefix, l )) {
+ arg += l;
+diff --git a/src/drv_maildir.c b/src/drv_maildir.c
+index c4dd6c7..d36280a 100644
+--- a/src/drv_maildir.c
++++ b/src/drv_maildir.c
+@@ -1142,7 +1142,8 @@ maildir_scan( maildir_store_t *ctx, msg_t_array_alloc_t *msglist )
+ }
+ goto retry;
+ }
+- entry->size = st.st_size;
++ // The clipped value is good enough for MaxSize comparisons.
++ entry->size = st.st_size > INT_MAX ? INT_MAX : (int)st.st_size;
+ }
+ if (want_tuid || want_msgid) {
+ if (!(f = fopen( buf, "r" ))) {
+@@ -1528,12 +1529,17 @@ maildir_fetch_msg( store_t *gctx, message_t *gmsg, msg_data_t *data,
+ }
+ }
+ fstat( fd, &st );
++ if (st.st_size > INT_MAX) {
++ error( "Maildir error: %s is too big", buf );
++ goto mbad;
++ }
+ data->len = st.st_size;
+ if (data->date == -1)
+ data->date = st.st_mtime;
+ data->data = nfmalloc( data->len );
+ if (read( fd, data->data, data->len ) != data->len) {
+ sys_error( "Maildir error: cannot read %s", buf );
++ mbad:
+ close( fd );
+ cb( DRV_MSG_BAD, aux );
+ return;
+diff --git a/src/socket.c b/src/socket.c
+index 555198f..a9d43e0 100644
+--- a/src/socket.c
++++ b/src/socket.c
+@@ -837,6 +837,8 @@ do_append( conn_t *conn, buff_chunk_t *bc )
+ /* This is big enough to avoid excessive chunking, but is
+ * sufficiently small to keep SSL latency low with a slow uplink. */
+ #define WRITE_CHUNK_SIZE 1024
++// Huge data blocks (message payloads) are forcibly chunked.
++#define MAX_WRITE_CHUNK_SIZE (1 << 30)
+ 
+ static void
+ do_flush( conn_t *conn )
+@@ -891,7 +893,8 @@ do_flush( conn_t *conn )
+ void
+ socket_write( conn_t *conn, conn_iovec_t *iov, int iovcnt )
+ {
+- int i, buf_avail, len, offset = 0, total = 0;
++ int i, buf_avail, len, offset = 0;
++ uint total = 0;
+ buff_chunk_t *bc;
+ 
+ for (i = 0; i < iovcnt; i++)
+@@ -910,7 +913,8 @@ socket_write( conn_t *conn, conn_iovec_t *iov, int iovcnt )
+ * predict a reasonable output buffer size anyway - deflatePending() does
+ * not account for consumed but not yet compressed input, and adding up
+ * the deflateBound()s would be a tad *too* pessimistic. */
+- buf_avail = total > WRITE_CHUNK_SIZE ? total : WRITE_CHUNK_SIZE;
++ buf_avail = total > MAX_WRITE_CHUNK_SIZE ? MAX_WRITE_CHUNK_SIZE :
++ total > WRITE_CHUNK_SIZE ? total : WRITE_CHUNK_SIZE;
+ bc = nfmalloc( offsetof(buff_chunk_t, data) + buf_avail );
+ bc->len = 0;
+ #ifndef HAVE_LIBZ
+diff --git a/src/sync.c b/src/sync.c
+index 8f2b4a2..eb9d263 100644
+--- a/src/sync.c
++++ b/src/sync.c
+@@ -333,7 +333,7 @@ copy_msg_bytes( char **out_ptr, const char *in_buf, int *in_idx, int in_len, int
+ }
+ 
+ static int
+-copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars )
++copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars, int t )
+ {
+ char *in_buf = vars->data.data;
+ int in_len = vars->data.len;
+@@ -361,7 +361,8 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars )
+ goto nloop;
+ }
+ }
+- /* invalid message */
++ warn( "Warning: message %u from %s has incomplete header; skipping.\n",
++ vars->msg->uid, str_ms[1-t] );
+ free( in_buf );
+ return 0;
+ oke:
+@@ -382,6 +383,12 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars )
+ }
+ 
+ vars->data.len = in_len + extra;
++ if ((uint)vars->data.len > INT_MAX) {
++ warn( "Warning: message %u from %s is too big after conversion; skipping.\n",
++ vars->msg->uid, str_ms[1-t] );
++ free( in_buf );
++ return 0;
++ }
+ char *out_buf = vars->data.data = nfmalloc( vars->data.len );
+ idx = 0;
+ if (vars->srec) {
+@@ -423,9 +430,7 @@ msg_fetched( int sts, void *aux )
+ scr = (svars->drv[1-t]->get_caps( svars->ctx[1-t] ) / DRV_CRLF) & 1;
+ tcr = (svars->drv[t]->get_caps( svars->ctx[t] ) / DRV_CRLF) & 1;
+ if (vars->srec || scr != tcr) {
+- if (!copy_msg_convert( scr, tcr, vars )) {
+- warn( "Warning: message %u from %s has incomplete header.\n",
+- vars->msg->uid, str_ms[1-t] );
++ if (!copy_msg_convert( scr, tcr, vars, t )) {
+ vars->cb( SYNC_NOGOOD, 0, vars );
+ return;
+ }
diff -Nru isync-1.3.0/debian/patches/series isync-1.3.0/debian/patches/series
--- isync-1.3.0/debian/patches/series 2021-06-09 21:21:48.000000000 +0200
+++ isync-1.3.0/debian/patches/series 2022-06-28 15:58:18.000000000 +0200
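Review bot: In the sync.c hunk at @@ -382, `vars->data.len = in_len + extra;` is evaluated before the new `(uint)vars->data.len > INT_MAX` test, so for an oversized message the signed addition has already overflowed (undefined behaviour in C) by the time the check looks at the wrapped value; `in_len` is declared `int` in the first sync.c hunk, and `extra` is declared outside the hunk but appears to be `int` as well. The guard should run before the addition, e.g. `if (extra > INT_MAX - in_len) {` with the same warn/free/return body, followed by `vars->data.len = in_len + extra;` (assuming in_len is non-negative, which holds for a fetched message length). In the drv_maildir.c hunk at @@ -1528, the new `error( "Maildir error: %s is too big", buf );` lacks the trailing `\n` that every other message added by this patch carries. In the drv_imap.c hunk at @@ -779, `(uint)bytes >= INT_MAX` is tested only after strtol's `long` result has been stored into `cur->len`, so if that field is an `int` the comparison sees a truncated value rather than the declared literal length — worth confirming against the declaration, which is outside the hunk. copy_msg_convert begins and ends outside the hunks shown.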
@@ -1,3 +1,4 @@
 01_sni.patch
 reject-funny-mailbox-names--1.3.patch
 fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch
+CVE-2021-3657.patch