--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org
Dear release team,
[ Reason ]
I would like to update isync in Buster and fix CVE-2021-3657. It was
marked no-dsa by the security team.
[ Impact ]
CVE-2021-3657 will not be fixed in Buster
[ Tests ]
I have installed isync and synchronized a gmail account with a local
directory. Everything works as intended.
[ Risks ]
I am not aware of any risks.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
I applied the upstream patch to fix CVE-2021-3657. There were no other
changes.
Regards,
Markus
diff -Nru isync-1.3.0/debian/changelog isync-1.3.0/debian/changelog
--- isync-1.3.0/debian/changelog 2021-06-09 21:21:48.000000000 +0200
+++ isync-1.3.0/debian/changelog 2022-06-28 15:58:18.000000000 +0200
@@ -1,3 +1,15 @@
+isync (1.3.0-2.2~deb10u2) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2021-3657:
+ A flaw was found in mbsync. Due to inadequate handling of extremely large
+ (>=2GiB) IMAP literals, malicious or compromised IMAP servers, and
+ hypothetically even external email senders, could cause several different
+ buffer overflows, which could conceivably be exploited for remote code
+ execution.
+
+ -- Markus Koschany <a...@debian.org> Tue, 28 Jun 2022 15:58:18 +0200
+
isync (1.3.0-2.2~deb10u1) buster; urgency=medium
* Non-maintainer upload.
diff -Nru isync-1.3.0/debian/patches/CVE-2021-3657.patch
isync-1.3.0/debian/patches/CVE-2021-3657.patch
--- isync-1.3.0/debian/patches/CVE-2021-3657.patch 1970-01-01
01:00:00.000000000 +0100
+++ isync-1.3.0/debian/patches/CVE-2021-3657.patch 2022-06-28
15:58:18.000000000 +0200
@@ -0,0 +1,151 @@
+From: Markus Koschany <a...@debian.org>
+Date: Tue, 28 Jun 2022 10:02:49 +0200
+Subject: CVE-2021-3657
+
+Origin: https://www.openwall.com/lists/oss-security/2021/12/03/1
+---
+ src/drv_imap.c | 9 +++++++++
+ src/drv_maildir.c | 8 +++++++-
+ src/socket.c | 8 ++++++--
+ src/sync.c | 15 ++++++++++-----
+ 4 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/src/drv_imap.c b/src/drv_imap.c
+index dd39074..20f0c78 100644
+--- a/src/drv_imap.c
++++ b/src/drv_imap.c
+@@ -779,6 +779,11 @@ parse_imap_list( imap_store_t *ctx, char **sp,
parse_list_state_t *sts )
+ bytes = cur->len = strtol( s + 1, &s, 10 );
+ if (*s != '}' || *++s)
+ goto bail;
++ if ((uint)bytes >= INT_MAX) {
++ error( "IMAP error: excessively large literal
from %s "
++ "- THIS MIGHT BE AN ATTEMPT TO HACK
YOU!\n", ctx->conn.name );
++ goto bail;
++ }
+
+ s = cur->val = nfmalloc( cur->len + 1 );
+ s[cur->len] = 0;
+@@ -1259,6 +1264,10 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list,
char *cmd ATTR_UNUSED )
+ }
+ arg = list->val;
+ argl = list->len;
++ if (argl > 1000) {
++ warn( "IMAP warning: ignoring unreasonably long mailbox name
'%.100s[...]'\n", arg );
++ goto skip;
++ }
+ if ((l = strlen( ctx->prefix ))) {
+ if (starts_with( arg, argl, ctx->prefix, l )) {
+ arg += l;
+diff --git a/src/drv_maildir.c b/src/drv_maildir.c
+index c4dd6c7..d36280a 100644
+--- a/src/drv_maildir.c
++++ b/src/drv_maildir.c
+@@ -1142,7 +1142,8 @@ maildir_scan( maildir_store_t *ctx, msg_t_array_alloc_t
*msglist )
+ }
+ goto retry;
+ }
+- entry->size = st.st_size;
++ // The clipped value is good enough for MaxSize
comparisons.
++ entry->size = st.st_size > INT_MAX ? INT_MAX :
(int)st.st_size;
+ }
+ if (want_tuid || want_msgid) {
+ if (!(f = fopen( buf, "r" ))) {
+@@ -1528,12 +1529,17 @@ maildir_fetch_msg( store_t *gctx, message_t *gmsg,
msg_data_t *data,
+ }
+ }
+ fstat( fd, &st );
++ if (st.st_size > INT_MAX) {
++ error( "Maildir error: %s is too big", buf );
++ goto mbad;
++ }
+ data->len = st.st_size;
+ if (data->date == -1)
+ data->date = st.st_mtime;
+ data->data = nfmalloc( data->len );
+ if (read( fd, data->data, data->len ) != data->len) {
+ sys_error( "Maildir error: cannot read %s", buf );
++ mbad:
+ close( fd );
+ cb( DRV_MSG_BAD, aux );
+ return;
+diff --git a/src/socket.c b/src/socket.c
+index 555198f..a9d43e0 100644
+--- a/src/socket.c
++++ b/src/socket.c
+@@ -837,6 +837,8 @@ do_append( conn_t *conn, buff_chunk_t *bc )
+ /* This is big enough to avoid excessive chunking, but is
+ * sufficiently small to keep SSL latency low with a slow uplink. */
+ #define WRITE_CHUNK_SIZE 1024
++// Huge data blocks (message payloads) are forcibly chunked.
++#define MAX_WRITE_CHUNK_SIZE (1 << 30)
+
+ static void
+ do_flush( conn_t *conn )
+@@ -891,7 +893,8 @@ do_flush( conn_t *conn )
+ void
+ socket_write( conn_t *conn, conn_iovec_t *iov, int iovcnt )
+ {
+- int i, buf_avail, len, offset = 0, total = 0;
++ int i, buf_avail, len, offset = 0;
++ uint total = 0;
+ buff_chunk_t *bc;
+
+ for (i = 0; i < iovcnt; i++)
+@@ -910,7 +913,8 @@ socket_write( conn_t *conn, conn_iovec_t *iov, int iovcnt )
+ * predict a reasonable output buffer size anyway -
deflatePending() does
+ * not account for consumed but not yet compressed
input, and adding up
+ * the deflateBound()s would be a tad *too*
pessimistic. */
+- buf_avail = total > WRITE_CHUNK_SIZE ? total :
WRITE_CHUNK_SIZE;
++ buf_avail = total > MAX_WRITE_CHUNK_SIZE ?
MAX_WRITE_CHUNK_SIZE :
++ total > WRITE_CHUNK_SIZE ? total :
WRITE_CHUNK_SIZE;
+ bc = nfmalloc( offsetof(buff_chunk_t, data) + buf_avail
);
+ bc->len = 0;
+ #ifndef HAVE_LIBZ
+diff --git a/src/sync.c b/src/sync.c
+index 8f2b4a2..eb9d263 100644
+--- a/src/sync.c
++++ b/src/sync.c
+@@ -333,7 +333,7 @@ copy_msg_bytes( char **out_ptr, const char *in_buf, int
*in_idx, int in_len, int
+ }
+
+ static int
+-copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars )
++copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars, int t )
+ {
+ char *in_buf = vars->data.data;
+ int in_len = vars->data.len;
+@@ -361,7 +361,8 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars
)
+ goto nloop;
+ }
+ }
+- /* invalid message */
++ warn( "Warning: message %u from %s has incomplete header;
skipping.\n",
++ vars->msg->uid, str_ms[1-t] );
+ free( in_buf );
+ return 0;
+ oke:
+@@ -382,6 +383,12 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t
*vars )
+ }
+
+ vars->data.len = in_len + extra;
++ if ((uint)vars->data.len > INT_MAX) {
++ warn( "Warning: message %u from %s is too big after conversion;
skipping.\n",
++ vars->msg->uid, str_ms[1-t] );
++ free( in_buf );
++ return 0;
++ }
+ char *out_buf = vars->data.data = nfmalloc( vars->data.len );
+ idx = 0;
+ if (vars->srec) {
+@@ -423,9 +430,7 @@ msg_fetched( int sts, void *aux )
+ scr = (svars->drv[1-t]->get_caps( svars->ctx[1-t] ) / DRV_CRLF)
& 1;
+ tcr = (svars->drv[t]->get_caps( svars->ctx[t] ) / DRV_CRLF) & 1;
+ if (vars->srec || scr != tcr) {
+- if (!copy_msg_convert( scr, tcr, vars )) {
+- warn( "Warning: message %u from %s has
incomplete header.\n",
+- vars->msg->uid, str_ms[1-t] );
++ if (!copy_msg_convert( scr, tcr, vars, t )) {
+ vars->cb( SYNC_NOGOOD, 0, vars );
+ return;
+ }
diff -Nru isync-1.3.0/debian/patches/series isync-1.3.0/debian/patches/series
--- isync-1.3.0/debian/patches/series 2021-06-09 21:21:48.000000000 +0200
+++ isync-1.3.0/debian/patches/series 2022-06-28 15:58:18.000000000 +0200
@@ -1,3 +1,4 @@
01_sni.patch
reject-funny-mailbox-names--1.3.patch
fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch
+CVE-2021-3657.patch
--- End Message ---
