798111 – (CVE-2021-32056, CVE-2021-33582) <net-mail/cyrus-imapd-{3.0.16, 3.4.2}: multiple vulnerabilities

Bug 798111 (CVE-2021-32056, CVE-2021-33582) - <net-mail/cyrus-imapd-{3.0.16, 3.4.2}: multiple vulnerabilities

Summary: <net-mail/cyrus-imapd-{3.0.16, 3.4.2}: multiple vulnerabilities

Status:	IN_PROGRESS

Alias:	CVE-2021-32056, CVE-2021-33582

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:	816903
Blocks:
	Show dependency tree

Reported:	2021-06-23 23:33 UTC by John Helmert III
Modified:	2024-02-06 10:06 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-06-23 23:33:37 UTC

CVE-2021-32056:

Cyrus IMAP before 3.2.7, and 3.3.x and 3.4.x before 3.4.1, allows remote authenticated users to bypass intended access restrictions on server annotations and consequently cause replication to stall.


https://www.cyrusimap.org/imap/download/release-notes/3.2/x/3.2.7.html
https://www.cyrusimap.org/imap/download/release-notes/3.4/x/3.4.1.html

Fixes in 3.2.7 and 3.4.1, needs bump.

Comment 1 NATTkA bot gentoo-dev

2021-07-29 17:21:27 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:29:36 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:37:34 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:45:39 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:53:44 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:01:37 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:09:59 UTC

Package list is empty or all packages have requested keywords.

Comment 8 John Helmert III archtester

2021-09-01 19:35:15 UTC

CVE-2021-33582:

Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.

Comment 9 Larry the Git Cow gentoo-dev

2021-09-16 01:18:43 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05e63664ed98b45a24cb6cccac4c284ade728b4b

commit 05e63664ed98b45a24cb6cccac4c284ade728b4b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 01:14:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 01:17:35 +0000

    net-mail/cyrus-imapd: add 3.4.2
    
    Bug: https://bugs.gentoo.org/798111
    Signed-off-by: Sam James <sam@gentoo.org>

 net-mail/cyrus-imapd/Manifest                 |   1 +
 net-mail/cyrus-imapd/cyrus-imapd-3.4.2.ebuild | 233 ++++++++++++++++++++++++++
 profiles/base/package.use.force               |   6 -
 3 files changed, 234 insertions(+), 6 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ab88c8d3cfc31a6c437eef0ec4321728fff65ef

commit 8ab88c8d3cfc31a6c437eef0ec4321728fff65ef
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 01:14:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 01:17:34 +0000

    net-mail/cyrus-imapd: add 3.0.16
    
    Bug: https://bugs.gentoo.org/798111
    Signed-off-by: Sam James <sam@gentoo.org>

 net-mail/cyrus-imapd/Manifest                  |   1 +
 net-mail/cyrus-imapd/cyrus-imapd-3.0.16.ebuild | 230 +++++++++++++++++++++++++
 2 files changed, 231 insertions(+)

Comment 10 John Helmert III archtester

2021-11-20 17:19:29 UTC

Please cleanup

Comment 11 Arthur Zamarin archtester

2021-11-21 04:52:47 UTC

@ajak
After rerun, the testsuite failed for ppc64, so I reverted the stable for ppc64 (so we still wait for stable to cleanup)

Comment 12 John Helmert III archtester

2021-11-21 05:19:30 UTC

(In reply to Arthur Zamarin from comment #11)
> @ajak
> After rerun, the testsuite failed for ppc64, so I reverted the stable for
> ppc64 (so we still wait for stable to cleanup)

No worries!

Comment 13 J. Roeleveld 2024-02-06 08:30:36 UTC

Portage tree only contains version "3.4.5-r1"
I think this can be closed?

Comment 14 Hans de Graaff gentoo-dev

2024-02-06 10:06:00 UTC

(In reply to J. Roeleveld from comment #13)
> Portage tree only contains version "3.4.5-r1"
> I think this can be closed?

No, the security team still needs to decide whether to publish a GLSA for this issue. (Yes, we are behind but currently working on the backlog).