Your message dated Thu, 18 Apr 2019 13:26:00 +0000 with message-id <c9d0f5c8-cab8-7a2c-99a0-b05e3c429...@thykier.net> and subject line Re: Bug#927360: unblock: dovecot/1:2.3.4.1-4 has caused the Debian Bug report #927360, regarding unblock: dovecot/1:2.3.4.1-4 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 927360: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927360 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock Please unblock package dovecot Dovecot 1:2.3.4.1-4, already in unstable, fixes a crash related to processing of invalid external input. The issue is known as CVE-2019-10691[1], and was fixed in the Debian package by backporting the upstream fix. Full source debdiff attached. Regards, Apollon [1] https://dovecot.org/pipermail/dovecot/2019-April/115687.html unblock dovecot/1:2.3.4.1-4diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog --- dovecot-2.3.4.1/debian/changelog 2019-03-25 23:06:01.000000000 +0200 +++ dovecot-2.3.4.1/debian/changelog 2019-04-18 10:21:19.000000000 +0300 @@ -1,3 +1,9 @@ +dovecot (1:2.3.4.1-4) unstable; urgency=high + + * [d04d4ba] Fix assert-crash in JSON encoder (CVE-2019-10691) + + -- Apollon Oikonomopoulos <apoi...@debian.org> Thu, 18 Apr 2019 10:21:19 +0300 + dovecot (1:2.3.4.1-3) unstable; urgency=high * [07c9212] Fix two buffer overflows when reading oversized FTS headers diff -Nru dovecot-2.3.4.1/debian/patches/CVE-2019-10691 dovecot-2.3.4.1/debian/patches/CVE-2019-10691 --- dovecot-2.3.4.1/debian/patches/CVE-2019-10691 1970-01-01 02:00:00.000000000 +0200 +++ dovecot-2.3.4.1/debian/patches/CVE-2019-10691 2019-04-18 10:21:19.000000000 +0300 @@ -0,0 +1,66 @@ +From 973769d74433de3c56c4ffdf4f343cb35d98e4f7 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tu...@open-xchange.com> +Date: Tue, 2 Apr 2019 13:09:48 +0300 +Subject: [PATCH 1/2] lib: json - Escape invalid UTF-8 as unicode bytes + +This prevents dovecot from crashing if invalid UTF-8 input +is given. +--- + src/lib/json-parser.c | 12 ++++++++---- + src/lib/test-json-parser.c | 8 ++++---- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/lib/json-parser.c b/src/lib/json-parser.c +index 677091d64..e7846a329 100644 +--- a/src/lib/json-parser.c ++++ b/src/lib/json-parser.c +@@ -803,9 +803,13 @@ void json_append_escaped_data(string_t *dest, const unsigned char *src, size_t s + + for (i = 0; i < size;) { + bytes = uni_utf8_get_char_n(src+i, size-i, &chr); +- /* refuse to add invalid data */ +- i_assert(bytes > 0 && uni_is_valid_ucs4(chr)); +- json_append_escaped_ucs4(dest, chr); +- i += bytes; ++ if (bytes > 0 && uni_is_valid_ucs4(chr)) { ++ json_append_escaped_ucs4(dest, chr); ++ i += bytes; ++ } else { ++ str_append_data(dest, UNICODE_REPLACEMENT_CHAR_UTF8, ++ UTF8_REPLACEMENT_CHAR_LEN); ++ i++; ++ } + } + } +diff --git a/src/lib/test-json-parser.c b/src/lib/test-json-parser.c +index bae6fb202..9ce1e489b 100644 +--- a/src/lib/test-json-parser.c ++++ b/src/lib/test-json-parser.c +@@ -267,20 +267,20 @@ static void test_json_append_escaped(void) + string_t *str = t_str_new(32); + + test_begin("json_append_escaped()"); +- json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7"); +- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0); ++ json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff"); ++ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0); + test_end(); + } + + static void test_json_append_escaped_data(void) + { + static const unsigned char test_input[] = +- "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7"; ++ "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff"; + string_t *str = t_str_new(32); + + test_begin("json_append_escaped()"); + json_append_escaped_data(str, test_input, sizeof(test_input)-1); +- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0); ++ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0); + test_end(); + } + +-- +2.11.0 + diff -Nru dovecot-2.3.4.1/debian/patches/series dovecot-2.3.4.1/debian/patches/series --- dovecot-2.3.4.1/debian/patches/series 2019-03-25 23:06:01.000000000 +0200 +++ dovecot-2.3.4.1/debian/patches/series 2019-04-18 10:21:19.000000000 +0300 @@ -10,4 +10,5 @@ lib-master-test-event-stats-Use-PRIu64-format.patch avoid-double-closing-mysql.patch CVE-2019-7524 +CVE-2019-10691 debian-changessignature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---Apollon Oikonomopoulos: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > > Please unblock package dovecot > > Dovecot 1:2.3.4.1-4, already in unstable, fixes a crash related to > processing of invalid external input. The issue is known as > CVE-2019-10691[1], and was fixed in the Debian package by backporting > the upstream fix. > > Full source debdiff attached. > > Regards, > Apollon > > [1] https://dovecot.org/pipermail/dovecot/2019-April/115687.html > > unblock dovecot/1:2.3.4.1-4 > Unblocked, thanks. ~Niels
--- End Message ---