Bug#947043: cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function
On Fri, Dec 20, 2019 at 10:24:20PM +0100, Salvatore Bonaccorso wrote:
> 
> And released as DSA 4591-1. Note: The patch was not upstream committed
> at point of writing this. And I see Mike did as well release for LTS.
> 
I saw that Mike did updates for jessie (LTS) and wheezy (ELTS).

> > > unstable would need an update as well yet.
> > > 
> > Of course.
> 
> Ideally this happens soon, but the RC bug is enough to mark the
> 'stable' -> 'testing' regression. Just let me know if any of you can
> do it or if you would prefer a NMU with same patch (both approaches
> work for me).
> 
I have made an upload to unstable of version 2.1.27+dfsg-2 with the
patch that fixes the CVE.

> > > Can you later import then the changes in the packaging repository in
> > > the appropriate branches?
> > > 
> > I could manage that in the coming days. Unless Ondrej or someone else
> > gets to it first.
> 
> Thanks!
> 
As a summary, here is the state of cyrus-sasl2 in the various releases
and the associated Git branches in Salsa:

sid: up to date on master branch, Debian version 2.1.27+dfsg-2 has been
uploaded

bullseye: waiting on transition of package from sid, no associated
branch in Salsa

buster: new branch, master-buster*, contains new commit representing
Debian version 2.1.27+dfsg-1+deb10u1

stretch: new branch, master-stretch*, contains two (2) new commits
representing Debian versions 2.1.27~101-g0780600+dfsg-3 (NMU in 2017
which was not recorded following 2.1.27~101-g0780600+dfsg-2) and Debian
version 2.1.27~101-g0780600+dfsg-3+deb9u1 with the patch for this CVE

jessie: history has diverged; there is already an old commit and tag for
Debian version 2.1.26.dfsg1-13+deb8u2 from 2016 which collides with
Mike's recent 2.1.26.dfsg1-13+deb8u2 jessie update, so I have not done
anything with this

wheezy: up to date on existing master-wheezy branch based on Mike's
2.1.25.dfsg1-6+deb7u2 ELTS updates

* As far as the new master-buster and master-stretch branches, I only
made those branches to record the changes which have already been
uploaded. In particular, I did not update debian/gbp.conf to note the
new branch names; such a change will be required if we decide to make
further revisions along either of the new branches and then build from
the Git repository.

I have pushed tags for each of the above versions as well (except the
jessie version, as noted).

I include all of this information so that the cyrus-sasl2 team in
particular is made aware of all the changes I have pushed.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Bug#947043: cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function
Hi Roberto,

On Fri, Dec 20, 2019 at 10:37:50AM -0500, Roberto C. Sánchez wrote:
> On Fri, Dec 20, 2019 at 08:36:00AM +0100, Salvatore Bonaccorso wrote:
> > Hi Roberto,
> > 
> > On Thu, Dec 19, 2019 at 08:06:19PM -0500, Roberto C. Sánchez wrote:
> > > On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> > > > 
> > > > The following vulnerability was published for cyrus-sasl2.
> > > > 
> > > > CVE-2019-19906[0]:
> > > > Off by one in _sasl_add_string function
> > > > 
> > > > If you fix the vulnerability please also make sure to include the
> > > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > > 
> > > Hi Team,
> > > 
> > > Is anybody already working on this update? If not, I can start on it
> > > possibly tomorrow or perhaps the day after.
> > > 
> > > Salvatore,
> > > 
> > > If I (or someone else on the team) prepares the upload, do we go ahead
> > > and make the upload then let the security team handle the DSA
> > > publication?
> > 
> > I already started yesterday, and have buster and stretch packages,
> > will likely release the DSA later today or tomorrow. So far tested
> > just lightly for stretch but will double check explicitly against
> > openldap.
> > 
> Oh! That's excellent.

And released as DSA 4591-1. Note: The patch was not upstream committed
at point of writing this. And I see Mike did as well release for LTS.

> > unstable would need an update as well yet.
> > 
> Of course.

Ideally this happens soon, but the RC bug is enough to mark the
'stable' -> 'testing' regression. Just let me know if any of you can
do it or if you would prefer a NMU with same patch (both approaches
work for me).

> > Can you later import then the changes in the packaging repository in
> > the appropriate branches?
> > 
> I could manage that in the coming days. Unless Ondrej or someone else
> gets to it first.

Thanks!

Regards,
Salvatore
Bug#947043: cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function
On Fri, Dec 20, 2019 at 08:36:00AM +0100, Salvatore Bonaccorso wrote:
> Hi Roberto,
> 
> On Thu, Dec 19, 2019 at 08:06:19PM -0500, Roberto C. Sánchez wrote:
> > On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> > > 
> > > The following vulnerability was published for cyrus-sasl2.
> > > 
> > > CVE-2019-19906[0]:
> > > Off by one in _sasl_add_string function
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > 
> > Hi Team,
> > 
> > Is anybody already working on this update? If not, I can start on it
> > possibly tomorrow or perhaps the day after.
> > 
> > Salvatore,
> > 
> > If I (or someone else on the team) prepares the upload, do we go ahead
> > and make the upload then let the security team handle the DSA
> > publication?
> 
> I already started yesterday, and have buster and stretch packages,
> will likely release the DSA later today or tomorrow. So far tested
> just lightly for stretch but will double check explicitly against
> openldap.
> 
Oh! That's excellent.

> unstable would need an update as well yet.
> 
Of course.

> Can you later import then the changes in the packaging repository in
> the appropriate branches?
> 
I could manage that in the coming days. Unless Ondrej or someone else
gets to it first.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Bug#947043: cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function
Hi Roberto,

On Thu, Dec 19, 2019 at 08:06:19PM -0500, Roberto C. Sánchez wrote:
> On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> > 
> > The following vulnerability was published for cyrus-sasl2.
> > 
> > CVE-2019-19906[0]:
> > Off by one in _sasl_add_string function
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> Hi Team,
> 
> Is anybody already working on this update? If not, I can start on it
> possibly tomorrow or perhaps the day after.
> 
> Salvatore,
> 
> If I (or someone else on the team) prepares the upload, do we go ahead
> and make the upload then let the security team handle the DSA
> publication?

I already started yesterday, and have buster and stretch packages,
will likely release the DSA later today or tomorrow. So far tested
just lightly for stretch but will double check explicitly against
openldap.

unstable would need an update as well yet.

Can you later import then the changes in the packaging repository in
the appropriate branches?

Regards,
Salvatore
Bug#947043: cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function
On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> 
> The following vulnerability was published for cyrus-sasl2.
> 
> CVE-2019-19906[0]:
> Off by one in _sasl_add_string function
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
Hi Team,

Is anybody already working on this update? If not, I can start on it
possibly tomorrow or perhaps the day after.

Salvatore,

If I (or someone else on the team) prepares the upload, do we go ahead
and make the upload then let the security team handle the DSA
publication?

Regards,

-Roberto

-- 
Roberto C. Sánchez
Bug#947043: cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function
Control: tags -1 + patch

Hi,

On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> Source: cyrus-sasl2
> Version: 2.1.27+dfsg-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/cyrusimap/cyrus-sasl/issues/587
> Control: found -1 2.1.27~101-g0780600+dfsg-3
> 
> Hi,
> 
> The following vulnerability was published for cyrus-sasl2.
> 
> CVE-2019-19906[0]:
> Off by one in _sasl_add_string function
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-19906
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
> [1] https://github.com/cyrusimap/cyrus-sasl/issues/587

Attached patch for this issue.

Regards,
Salvatore

Description: CVE-2019-19906: Off-by-one in _sasl_add_string function
Origin: vendor
Bug: https://github.com/cyrusimap/cyrus-sasl/issues/587
Bug-Debian: https://bugs.debian.org/947043
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19906
Author: Stephan Zeisberg
Reviewed-by: Salvatore Bonaccorso
Last-Update: 2019-12-19

--- a/lib/common.c
+++ b/lib/common.c
@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t
   if (add==NULL) add = "(null)";
-  addlen=strlen(add); /* only compute once */
+  addlen=strlen(add)+1; /* only compute once */
   if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
     return SASL_NOMEM;
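Review bot: the extra byte is added to `addlen` itself rather than to the size requested from `_buf_alloc`, so, since the `/* only compute once */` comment signals that `addlen` is reused further down, any later copy length or `*outlen` advance based on it grows by one as well and the terminator slot ends up counted as string content. Keeping `addlen=strlen(add);` and reserving the terminator only where the buffer is sized, `if (_buf_alloc(out, alloclen, (*outlen)+addlen+1)!=SASL_OK)`, confines the fix to the allocation.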
Bug#947043: cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function
Source: cyrus-sasl2
Version: 2.1.27+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/cyrusimap/cyrus-sasl/issues/587
Control: found -1 2.1.27~101-g0780600+dfsg-3

Hi,

The following vulnerability was published for cyrus-sasl2.

CVE-2019-19906[0]:
Off by one in _sasl_add_string function

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19906
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
[1] https://github.com/cyrusimap/cyrus-sasl/issues/587

Regards,
Salvatore