Discussion:
Bug#988332: [pre-approval] unblock: cyrus-imapd/3.2.6-2
(too old to reply)
Yadd
2021-05-10 17:40:02 UTC
Permalink
Package: release.debian.org
Severity: normal
User: ***@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ***@debian.org

Please unblock package cyrus-imapd

[ Reason ]
Cyrus-Imapd is vulnerable to CVE-2021-32056: it allows remote authenticated
users to bypass intended access restrictions on server annotations and
consequently cause replication to stall.

[ Impact ]
Security issue (not yet tagged by Security Team

[ Tests ]
No changes in test

[ Risks ]
Patch seems trivial, just a better permission check

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

Cheers,
Yadd (from hospital ;-))

unblock cyrus-imapd/3.2.6-2
Debian Bug Tracking System
2021-05-10 20:10:01 UTC
Permalink
tags -1 moreinfo confirmed
Bug #988332 [release.debian.org] [pre-approval] unblock: cyrus-imapd/3.2.6-2
Added tag(s) confirmed and moreinfo.
--
988332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988332
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Sebastian Ramacher
2021-05-10 20:10:01 UTC
Permalink
Control: tags -1 moreinfo confirmed
Post by Yadd
Package: release.debian.org
Severity: normal
Usertags: unblock
Please unblock package cyrus-imapd
Please go ahead with the upload and remove the moreinfo tag once the
package is available in unstable.
Post by Yadd
[ Reason ]
Cyrus-Imapd is vulnerable to CVE-2021-32056: it allows remote authenticated
users to bypass intended access restrictions on server annotations and
consequently cause replication to stall.
[ Impact ]
Security issue (not yet tagged by Security Team
[ Tests ]
No changes in test
[ Risks ]
Patch seems trivial, just a better permission check
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
Cheers,
Yadd (from hospital ;-))
Get well soon

Cheers
Post by Yadd
unblock cyrus-imapd/3.2.6-2
diff --git a/debian/changelog b/debian/changelog
index bc383a9c..150929df 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cyrus-imapd (3.2.6-2) unstable; urgency=medium
+
+ * Update gbp.conf for Bullseye branch
+ * annotate: don't allow everyone to write shared server entries (Closes: CVE-2021-32056)
+
+
cyrus-imapd (3.2.6-1) unstable; urgency=medium
* New upstream version 3.2.6
diff --git a/debian/gbp.conf b/debian/gbp.conf
index c747fcb7..ee87ac45 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,7 +1,7 @@
[DEFAULT]
-debian-branch = master
+debian-branch = bullseye
debian-tag = debian/%(version)s
-upstream-branch = upstream
+upstream-branch = upstream-bullseye
upstream-tag = upstream/%(version)s
pristine-tar = True
diff --git a/debian/patches/CVE-2021-32056.patch b/debian/patches/CVE-2021-32056.patch
new file mode 100644
index 00000000..9a50abe1
--- /dev/null
+++ b/debian/patches/CVE-2021-32056.patch
@@ -0,0 +1,50 @@
+Description: annotate: don't allow everyone to write shared server entries
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/621f9e41
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32056
+Forwarded: not-needed
+Last-Update: 2021-05-10
+
+--- a/imap/annotate.c
++++ b/imap/annotate.c
+
+ keylen = make_key(mboxname, uid, entry, userid, key, sizeof(key));
+
+- if (mailbox) {
+- struct annotate_metadata oldmdata;
+- r = read_old_value(d, key, keylen, &oldval, &oldmdata);
+- if (r) goto out;
++ struct annotate_metadata oldmdata;
++ r = read_old_value(d, key, keylen, &oldval, &oldmdata);
++ if (r) goto out;
++
++ /* if the value is identical, don't touch the mailbox */
++ if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
++ goto out;
+
+- /* if the value is identical, don't touch the mailbox */
+- if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
+- goto out;
++ if (!maywrite) {
++ r = IMAP_PERMISSION_DENIED;
++ if (r) goto out;
++ }
+
++ if (mailbox) {
+ if (!ignorequota) {
+ quota_t qdiffs[QUOTA_NUMRESOURCES] = QUOTA_DIFFS_DONTCARE_INITIALIZER;
+ qdiffs[QUOTA_ANNOTSTORAGE] = value->len - (quota_t)oldval.len;
+ if (r) goto out;
+ }
+
+- if (!maywrite) {
+- r = IMAP_PERMISSION_DENIED;
+- if (r) goto out;
+- }
+-
+ /* do the annot-changed here before altering the DB */
+ mailbox_annot_changed(mailbox, uid, entry, userid, &oldval, value, silent);
+
diff --git a/debian/patches/series b/debian/patches/series
index 3fab10aa..27fc0ec9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@
0011-Fix-extra-libpci-in-SNMP_LIBS.patch
0012-Use-UnicodeData.txt-from-system.patch
0018-increase-test-timeout.patch
+CVE-2021-32056.patch
--
Sebastian Ramacher
Debian Bug Tracking System
2021-05-11 14:20:01 UTC
Permalink
Your message dated Tue, 11 May 2021 14:12:37 +0000
with message-id <E1lgT7l-00085T-***@respighi.debian.org>
and subject line unblock cyrus-imapd
has caused the Debian Bug report #988332,
regarding unblock: cyrus-imapd/3.2.6-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
988332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988332
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Loading...