Bug 798111 (CVE-2021-32056, CVE-2021-33582)

Summary:	<net-mail/cyrus-imapd-{3.0.16, 3.4.2}: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	minor	CC:	joost, maintainer-needed, sam
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [glsa?]
Package list:		Runtime testing required:	---
Bug Depends on:	816903
Bug Blocks:

Description John Helmert III archtester

2021-06-23 23:33:37 UTC

CVE-2021-32056:

Cyrus IMAP before 3.2.7, and 3.3.x and 3.4.x before 3.4.1, allows remote authenticated users to bypass intended access restrictions on server annotations and consequently cause replication to stall.


https://www.cyrusimap.org/imap/download/release-notes/3.2/x/3.2.7.html
https://www.cyrusimap.org/imap/download/release-notes/3.4/x/3.4.1.html

Fixes in 3.2.7 and 3.4.1, needs bump.

Comment 1 NATTkA bot gentoo-dev

2021-07-29 17:21:27 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:29:36 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:37:34 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:45:39 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:53:44 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:01:37 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:09:59 UTC

Package list is empty or all packages have requested keywords.

Comment 8 John Helmert III archtester

2021-09-01 19:35:15 UTC

CVE-2021-33582:

Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.

Comment 9 Larry the Git Cow gentoo-dev

2021-09-16 01:18:43 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05e63664ed98b45a24cb6cccac4c284ade728b4b

commit 05e63664ed98b45a24cb6cccac4c284ade728b4b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 01:14:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 01:17:35 +0000

    net-mail/cyrus-imapd: add 3.4.2
    
    Bug: https://bugs.gentoo.org/798111
    Signed-off-by: Sam James <sam@gentoo.org>

 net-mail/cyrus-imapd/Manifest                 |   1 +
 net-mail/cyrus-imapd/cyrus-imapd-3.4.2.ebuild | 233 ++++++++++++++++++++++++++
 profiles/base/package.use.force               |   6 -
 3 files changed, 234 insertions(+), 6 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ab88c8d3cfc31a6c437eef0ec4321728fff65ef

commit 8ab88c8d3cfc31a6c437eef0ec4321728fff65ef
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 01:14:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 01:17:34 +0000

    net-mail/cyrus-imapd: add 3.0.16
    
    Bug: https://bugs.gentoo.org/798111
    Signed-off-by: Sam James <sam@gentoo.org>

 net-mail/cyrus-imapd/Manifest                  |   1 +
 net-mail/cyrus-imapd/cyrus-imapd-3.0.16.ebuild | 230 +++++++++++++++++++++++++
 2 files changed, 231 insertions(+)

Comment 10 John Helmert III archtester

2021-11-20 17:19:29 UTC

Please cleanup

Comment 11 Arthur Zamarin archtester

2021-11-21 04:52:47 UTC

@ajak
After rerun, the testsuite failed for ppc64, so I reverted the stable for ppc64 (so we still wait for stable to cleanup)

Comment 12 John Helmert III archtester

2021-11-21 05:19:30 UTC

(In reply to Arthur Zamarin from comment #11)
> @ajak
> After rerun, the testsuite failed for ppc64, so I reverted the stable for
> ppc64 (so we still wait for stable to cleanup)

No worries!

Comment 13 J. Roeleveld 2024-02-06 08:30:36 UTC

Portage tree only contains version "3.4.5-r1"
I think this can be closed?

Comment 14 Hans de Graaff gentoo-dev

2024-02-06 10:06:00 UTC

(In reply to J. Roeleveld from comment #13)
> Portage tree only contains version "3.4.5-r1"
> I think this can be closed?

No, the security team still needs to decide whether to publish a GLSA for this issue. (Yes, we are behind but currently working on the backlog).