Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 703630 (CVE-2019-19783) - <net-mail/cyrus-imapd-3.0.13: lmtpd component allows to create mailboxes with administrator privileges bypassing ACL checks (CVE-2019-19783)
Summary: <net-mail/cyrus-imapd-3.0.13: lmtpd component allows to create mailboxes with...
Status: RESOLVED FIXED
Alias: CVE-2019-19783
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://www.cyrusimap.org/imap/downlo...
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-23 21:50 UTC by GLSAMaker/CVETool Bot
Modified: 2020-09-17 23:15 UTC (History)
2 users (show)

See Also:
Package list:
net-mail/cyrus-imapd-3.0.13
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-23 21:50:07 UTC 
CVE-2019-19783 (https://nvd.nist.gov/vuln/detail/CVE-2019-19783):
  An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13,
  and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or
  certain non-default sieve options are enabled (2.x), a user with a mail
  account on the service can use a sieve script containing a fileinto
  directive to create any mailbox with administrator privileges, because of
  folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-30 17:54:24 UTC 
After discussion we (security) aren't interested in keeping this package alive.
@ Treecleaner(s): Please do your job (maybe someone else will step up and take care).
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-04-15 20:01:19 UTC 
Apparently it's been taken care of:


commit bccf2ea2f117c28889359760444e1740e96b7f97
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-04-09 16:07:45 +0200
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-04-09 16:07:45 +0200

    net-mail/cyrus-imapd: security bump to 3.0.13
    
    also fixes building with new versions of libcap and gcc-10
    
    Closes: https://bugs.gentoo.org/713728
    Closes: https://bugs.gentoo.org/713502
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Eray Aslan <eras@gentoo.org>
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 01:23:56 UTC 
@maintainer(s), please advise if ready for stabilisation, or call yourself
Comment 4 Eray Aslan gentoo-dev 2020-04-22 10:31:23 UTC 
Arches, please test and mark stable
=net-mail/cyrus-imapd-3.0.13

Target Keywords = amd64 ~arm ~hppa ~ia64 ppc ppc64 ~sparc x86
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-26 23:47:50 UTC 
x86 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-27 00:16:34 UTC 
@amd64: ping
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2020-05-06 07:27:07 UTC 
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-05-08 06:38:59 UTC 
amd64 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-22 07:12:20 UTC 
@ppc64: ping
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-06-15 15:59:07 UTC 
This issue was resolved and addressed in
 GLSA 202006-23 at https://security.gentoo.org/glsa/202006-23
by GLSA coordinator Aaron Bauman (b-man).
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2020-06-15 15:59:39 UTC 
re-opened for ppc64 and cleanup.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 00:03:23 UTC 
@ppc64: ping
Comment 13 ernsteiswuerfel archtester 2020-08-20 22:21:50 UTC 
cyrus-imapd-3.0.13 shows several build failures on ppc64, depending on USE-flags (e.g. bug #738276, bug #738278, bug #738280).
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-05 04:06:21 UTC 
ppc64 done

all arches done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-05 04:12:48 UTC 
Please cleanup.
Comment 16 Larry the Git Cow gentoo-dev 2020-09-08 06:40:43 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0da8073555542ada0b0053360f9e07285b01966c

commit 0da8073555542ada0b0053360f9e07285b01966c
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-09-08 06:40:32 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-09-08 06:40:32 +0000

    net-mail/cyrus-imapd: cleanup
    
    Bug: https://bugs.gentoo.org/703630
    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/cyrus-imapd/Manifest                     |   2 -
 net-mail/cyrus-imapd/cyrus-imapd-3.0.10-r1.ebuild | 225 ----------------------
 net-mail/cyrus-imapd/cyrus-imapd-3.0.11.ebuild    | 225 ----------------------
 3 files changed, 452 deletions(-)
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-17 23:15:16 UTC 
Thanks! All done.