Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 798111 (CVE-2021-32056, CVE-2021-33582) - <net-mail/cyrus-imapd-{3.0.16, 3.4.2}: multiple vulnerabilities
Summary: <net-mail/cyrus-imapd-{3.0.16, 3.4.2}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-32056, CVE-2021-33582
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 816903
Blocks:
  Show dependency tree
 
Reported: 2021-06-23 23:33 UTC by John Helmert III
Modified: 2022-05-10 16:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-06-23 23:33:37 UTC
CVE-2021-32056:

Cyrus IMAP before 3.2.7, and 3.3.x and 3.4.x before 3.4.1, allows remote authenticated users to bypass intended access restrictions on server annotations and consequently cause replication to stall.


https://www.cyrusimap.org/imap/download/release-notes/3.2/x/3.2.7.html
https://www.cyrusimap.org/imap/download/release-notes/3.4/x/3.4.1.html

Fixes in 3.2.7 and 3.4.1, needs bump.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:21:27 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:29:36 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:37:34 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:45:39 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:53:44 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:01:37 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:09:59 UTC
Package list is empty or all packages have requested keywords.
Comment 8 John Helmert III gentoo-dev Security 2021-09-01 19:35:15 UTC
CVE-2021-33582:

Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.
Comment 9 Larry the Git Cow gentoo-dev 2021-09-16 01:18:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05e63664ed98b45a24cb6cccac4c284ade728b4b

commit 05e63664ed98b45a24cb6cccac4c284ade728b4b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 01:14:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 01:17:35 +0000

    net-mail/cyrus-imapd: add 3.4.2
    
    Bug: https://bugs.gentoo.org/798111
    Signed-off-by: Sam James <sam@gentoo.org>

 net-mail/cyrus-imapd/Manifest                 |   1 +
 net-mail/cyrus-imapd/cyrus-imapd-3.4.2.ebuild | 233 ++++++++++++++++++++++++++
 profiles/base/package.use.force               |   6 -
 3 files changed, 234 insertions(+), 6 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ab88c8d3cfc31a6c437eef0ec4321728fff65ef

commit 8ab88c8d3cfc31a6c437eef0ec4321728fff65ef
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 01:14:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 01:17:34 +0000

    net-mail/cyrus-imapd: add 3.0.16
    
    Bug: https://bugs.gentoo.org/798111
    Signed-off-by: Sam James <sam@gentoo.org>

 net-mail/cyrus-imapd/Manifest                  |   1 +
 net-mail/cyrus-imapd/cyrus-imapd-3.0.16.ebuild | 230 +++++++++++++++++++++++++
 2 files changed, 231 insertions(+)
Comment 10 John Helmert III gentoo-dev Security 2021-11-20 17:19:29 UTC
Please cleanup
Comment 11 Arthur Zamarin archtester gentoo-dev 2021-11-21 04:52:47 UTC
@ajak
After rerun, the testsuite failed for ppc64, so I reverted the stable for ppc64 (so we still wait for stable to cleanup)
Comment 12 John Helmert III gentoo-dev Security 2021-11-21 05:19:30 UTC
(In reply to Arthur Zamarin from comment #11)
> @ajak
> After rerun, the testsuite failed for ppc64, so I reverted the stable for
> ppc64 (so we still wait for stable to cleanup)

No worries!