Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: cyrus-im...@packages.debian.org, y...@debian.org Control: affects -1 + src:cyrus-imapd User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] There was a regression introduced by CVE-2024-34055 which breaks Cyrus-Imapd's murder (RC bug #1075853). [ Impact ] Installations with murder (more than one backend node) maybe broken. [ Tests ] No new test in these patches, however test and autopkgtest passed (https://salsa.debian.org/debian/cyrus-imapd/-/pipelines/708722) [ Risks ] Low risk, patch is not so big [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] I chose to keep patches as given in upstream release with upstream comments Best regards, Xavier
diff --git a/debian/changelog b/debian/changelog index 39736966..8b7809d3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +cyrus-imapd (3.6.1-4+deb12u3) bookworm; urgency=medium + + * Fix regression introduced in CVE-2024-34055 fix (Closes: #1075853) + + -- Yadd <y...@debian.org> Mon, 29 Jul 2024 12:43:50 +0400 + cyrus-imapd (3.6.1-4+deb12u2) bookworm-security; urgency=medium * Fix unbounded memory allocation (Closes: CVE-2024-34055) diff --git a/debian/patches/CVE-2024-34055-regressions-1.patch b/debian/patches/CVE-2024-34055-regressions-1.patch new file mode 100644 index 00000000..f0d4e80c --- /dev/null +++ b/debian/patches/CVE-2024-34055-regressions-1.patch @@ -0,0 +1,57 @@ +Description: Instance: check backend sync to mupdate during murder shutdown +Author: ellie timoney <el...@fastmail.com> +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commits/846f1f49 +Forwarded: not-needed +Applied-Upstream: 3.6.6 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2024-07-29 + +--- a/cassandane/Cassandane/Instance.pm ++++ b/cassandane/Cassandane/Instance.pm +@@ -1378,6 +1378,38 @@ + return; + } + ++sub _check_mupdate ++{ ++ my ($self) = @_; ++ ++ my $mupdate_server = $self->{config}->get('mupdate_server'); ++ return if not $mupdate_server; # not in a murder ++ ++ my $serverlist = $self->{config}->get('serverlist'); ++ return if $serverlist; # don't sync mboxlist on frontends ++ ++ # Run ctl_mboxlist -m to sync backend mailboxes with mupdate. ++ # ++ # You typically run this from START, and we do, but at test start ++ # there's no mailboxes yet, so there's nothing to sync, and if ++ # something is broken it probably won't be detected. ++ my $basedir = $self->{basedir}; ++ eval { ++ $self->run_command({ ++ redirects => { stdout => "$basedir/ctl_mboxlist.out", ++ stderr => "$basedir/ctl_mboxlist.err", ++ }, ++ cyrus => 1, ++ }, 'ctl_mboxlist', '-m'); ++ }; ++ if ($@) { ++ my @err = slurp_file("$basedir/ctl_mboxlist.err"); ++ chomp for @err; ++ xlog "ctl_mboxlist -m failed: " . Dumper \@err; ++ return "unable to sync local mailboxes with mupdate"; ++ } ++} ++ + sub _check_sanity + { + my ($self) = @_; +@@ -1516,6 +1548,7 @@ + my @errors; + + push @errors, $self->_check_sanity(); ++ push @errors, $self->_check_mupdate(); + + xlog "stop $self->{description}: basedir $self->{basedir}"; + diff --git a/debian/patches/CVE-2024-34055-regressions-2.patch b/debian/patches/CVE-2024-34055-regressions-2.patch new file mode 100644 index 00000000..9ea66400 --- /dev/null +++ b/debian/patches/CVE-2024-34055-regressions-2.patch @@ -0,0 +1,142 @@ +Description: imapparse: add getmstring() for mupdate-specific parsing + The mupdate protocol uses LITERAL+ in server->client communications, whereas + in the IMAP protocol this is only permitted in client->server communications. + Adds a parser flag and corresponding macro to switch behaviours. + Fixes #4932 +Author: ellie timoney <el...@fastmail.com> +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commits/e35707e7 +Forwarded: not-needed +Applied-Upstream: 3.6.6 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2024-07-29 + +--- a/imap/imapparse.c ++++ b/imap/imapparse.c +@@ -153,7 +153,10 @@ + buf_reset(buf); + c = getint32(pin, &len); + +- if (pin->isclient && c == '+') { ++ /* For IMAP, LITERAL+ is only valid from client->server. For MUPDATE ++ * it's valid in either direction. ++ */ ++ if ((pin->isclient || (flags & GXS_MUPDATE)) && c == '+') { + /* LITERAL- says maximum size is 4096! */ + if (lminus && len > 4096) { + /* Fail per RFC 7888, Section 4, choice 2 */ +--- a/imap/imapparse.h ++++ b/imap/imapparse.h +@@ -59,6 +59,7 @@ + GXS_LITERAL = (1<<2), /* result may be {N}literal */ + GXS_NIL = (1<<3), /* result may be the special atom NIL */ + GXS_BINARY = (1<<4), /* result may contain embedded NULs */ ++ GXS_MUPDATE = (1<<5), /* (non-IMAP) accept LITERAL+ as client */ + + IMAP_ASTRING = GXS_ATOM|GXS_QUOTED|GXS_LITERAL, + IMAP_BIN_ASTRING = IMAP_ASTRING|GXS_BINARY, +@@ -70,6 +71,8 @@ + /* note: there's some consistency issues here... the special + * value "NIL" must be quoted to get returned as a string */ + IMAP_NASTRING = GXS_NIL|GXS_ATOM|GXS_QUOTED|GXS_LITERAL, ++ ++ MUPDATE_STRING = IMAP_STRING|GXS_MUPDATE, + }; + + int getxstring(struct protstream *pin, struct protstream *pout, +@@ -81,6 +84,7 @@ + #define getqstring(pin, pout, buf) getxstring((pin), (pout), (buf), IMAP_QSTRING) + #define getstring(pin, pout, buf) getxstring((pin), (pout), (buf), IMAP_STRING) + #define getnastring(pin, pout, buf) getxstring((pin), (pout), (buf), IMAP_NASTRING) ++#define getmstring(pin, pout, buf) getxstring((pin), (pout), (buf), MUPDATE_STRING) + #define getcharset(pin, pout, buf) getxstring((pin), (pout), (buf), GXS_ATOM|GXS_QUOTED) + int getint32(struct protstream *pin, int *num); + int getint64(struct protstream *pin, int64_t *num); +--- a/imap/mupdate-client.c ++++ b/imap/mupdate-client.c +@@ -620,7 +620,7 @@ + switch(handle->cmd.s[0]) { + case 'B': + if (!strncmp(handle->cmd.s, "BAD", 3)) { +- ch = getstring(handle->conn->in, handle->conn->out, &(handle->arg1)); ++ ch = getmstring(handle->conn->in, handle->conn->out, &(handle->arg1)); + CHECKNEWLINE(handle, ch); + + syslog(LOG_ERR, "mupdate BAD response: %s", handle->arg1.s); +@@ -629,7 +629,7 @@ + } + goto done; + } else if (!strncmp(handle->cmd.s, "BYE", 3)) { +- ch = getstring(handle->conn->in, handle->conn->out, &(handle->arg1)); ++ ch = getmstring(handle->conn->in, handle->conn->out, &(handle->arg1)); + CHECKNEWLINE(handle, ch); + + syslog(LOG_ERR, "mupdate BYE response: %s", handle->arg1.s); +@@ -642,7 +642,7 @@ + + case 'D': + if (!strncmp(handle->cmd.s, "DELETE", 6)) { +- ch = getstring(handle->conn->in, handle->conn->out, &(handle->arg1)); ++ ch = getmstring(handle->conn->in, handle->conn->out, &(handle->arg1)); + CHECKNEWLINE(handle, ch); + + memset(&box, 0, sizeof(box)); +@@ -662,21 +662,21 @@ + case 'M': + if (!strncmp(handle->cmd.s, "MAILBOX", 7)) { + /* Mailbox Name */ +- ch = getstring(handle->conn->in, handle->conn->out, &(handle->arg1)); ++ ch = getmstring(handle->conn->in, handle->conn->out, &(handle->arg1)); + if (ch != ' ') { + r = MUPDATE_PROTOCOL_ERROR; + goto done; + } + + /* Server */ +- ch = getstring(handle->conn->in, handle->conn->out, &(handle->arg2)); ++ ch = getmstring(handle->conn->in, handle->conn->out, &(handle->arg2)); + if (ch != ' ') { + r = MUPDATE_PROTOCOL_ERROR; + goto done; + } + + /* ACL */ +- ch = getstring(handle->conn->in, handle->conn->out, &(handle->arg3)); ++ ch = getmstring(handle->conn->in, handle->conn->out, &(handle->arg3)); + CHECKNEWLINE(handle, ch); + + /* Handle mailbox command */ +@@ -695,7 +695,7 @@ + goto badcmd; + case 'N': + if (!strncmp(handle->cmd.s, "NO", 2)) { +- ch = getstring(handle->conn->in, handle->conn->out, &(handle->arg1)); ++ ch = getmstring(handle->conn->in, handle->conn->out, &(handle->arg1)); + CHECKNEWLINE(handle, ch); + + syslog(LOG_DEBUG, "mupdate NO response: %s", handle->arg1.s); +@@ -709,7 +709,7 @@ + case 'O': + if (!strncmp(handle->cmd.s, "OK", 2)) { + /* It's all good, grab the attached string and move on */ +- ch = getstring(handle->conn->in, handle->conn->out, &(handle->arg1)); ++ ch = getmstring(handle->conn->in, handle->conn->out, &(handle->arg1)); + + CHECKNEWLINE(handle, ch); + if (wait_for_ok) { +@@ -722,14 +722,14 @@ + case 'R': + if (!strncmp(handle->cmd.s, "RESERVE", 7)) { + /* Mailbox Name */ +- ch = getstring(handle->conn->in, handle->conn->out, &(handle->arg1)); ++ ch = getmstring(handle->conn->in, handle->conn->out, &(handle->arg1)); + if (ch != ' ') { + r = MUPDATE_PROTOCOL_ERROR; + goto done; + } + + /* Server */ +- ch = getstring(handle->conn->in, handle->conn->out, &(handle->arg2)); ++ ch = getmstring(handle->conn->in, handle->conn->out, &(handle->arg2)); + CHECKNEWLINE(handle, ch); + + /* Handle reserve command */ diff --git a/debian/patches/CVE-2024-34055-regressions-3.patch b/debian/patches/CVE-2024-34055-regressions-3.patch new file mode 100644 index 00000000..e2a6360e --- /dev/null +++ b/debian/patches/CVE-2024-34055-regressions-3.patch @@ -0,0 +1,26 @@ +Description: sync_sieve_upload() always initialize buffer with script content +Author: Ken Murchison <mu...@fastmail.com> +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commits/00d0646e +Forwarded: not-needed +Applied-Upstream: 3.6.6 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2024-07-29 + +--- a/imap/sync_support.c ++++ b/imap/sync_support.c +@@ -3438,7 +3438,6 @@ + snprintf(name, sizeof(name), "%.*s", (int) (ext - fname), fname); + r = sievedb_lookup_name(db, name, &sdata, 0); + if (r == CYRUSDB_NOTFOUND) { +- buf_init_ro(&buf, content, len); + sdata->name = name; + } + else if (r) { +@@ -3446,6 +3445,7 @@ + goto done; + } + ++ buf_init_ro(&buf, content, len); + r = sieve_script_store(mailbox, sdata, &buf); + + done: diff --git a/debian/patches/series b/debian/patches/series index a2789c66..7cc24b60 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,6 @@ 0020_fix-cyr_cd-shebang.patch fix-upgrade-versions.patch CVE-2024-34055.patch +CVE-2024-34055-regressions-1.patch +CVE-2024-34055-regressions-2.patch +CVE-2024-34055-regressions-3.patch
