From ${URL} : imapsync http://imapsync.lamiral.info/ Title: imapsync default version check with http://imapsync.lamiral.info information leakage (CVE-2013-4279) Threat: Availability: no timeout so an attacker simply sends a slow response Threat: Confidentiality: connects to http://imapsync.lamiral.info and sends version # and operating system name and person version Impact: Moderate (Medium) CVSS2: 6.4/AV:N/AC:L/Au:N/C:P/I:P/A:P Affected: imapsync version 1.580 and earlier Description: By default imapsync runs a "release check" when executed, this causes imapsync to connect to http://imapsync.lamiral.info and send information about the version of imapsync, the operating system and perl. This feature is not well documented. It is enabled by default. The only hint it exists is the "--noreleasecheck" which is not documented anywhere other then running the program with the help option. Affected code: sub imapsync_version_public { my $local_version = imapsync_version(); my $imapsync_basename = imapsync_basename(); my $agent_info = "$OSNAME system, perl " . sprintf("%vd", $PERL_VERSION) . ", Mail::IMAPClient $Mail::IMAPClient::VERSION" . " $imapsync_basename"; my $sock = IO::Socket::INET->new( PeerAddr => 'imapsync.lamiral.info', PeerPort => '80', Proto => 'tcp' ) ; return( 'unknown' ) if not $sock ; print $sock "GET /prj/imapsync/VERSION HTTP/1.0\n", "User-Agent: imapsync/$local_version ($agent_info)\n", "Host: ks.lamiral.info\n\n"; my @line = <$sock>; close($sock); my $last_release = $line[-1]; chomp($last_release); return($last_release); } Suggested solution: 1) $releasecheck should be changed to default to 0 (False) and convert - --noreleasecheck to --releasecheck 2) this feature should use HTTPS to prevent information leakage to attackers 3) or disable this feature entirely Workaround: Make sure you also use --noreleasecheck when running imapsync (maybe alias the full command?). Timeline: 2013-Aug-22: notified upstream vendor at gilles.lamiral@...oste.net 2014-Jan-16: public release (what can I say, I got busy). External links: Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1000215 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Version 1.592 was released. And there were some changes "to easily switch on --noreleasecheck by default" till 1.584-r1 in portage so please bump to last version please.
CVE-2013-4279 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4279): imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.
As stated in comment 1. The fix for this is being included as part of: Usability: Updated the code to easily switch on --noreleasecheck by default but allowing --releasecheck (some users want this feature). - See more at: http://imapsync.lamiral.info/#sthash.SkIF4c8j.dpuf If this this is included in Version 1.592. There is a mother bug that was just filed for that version Bug #522458- Stabilization can be part of that bug as it has this option included, and if we set it to --noreleasecheck by default we will be covered.
Sorry wrong bug: 514478 is where the version is.
GLSA Vote: No Thank you all. Closing as noglsa.
