| Summary: | cyrus-imapd new security issue CVE-2019-11356 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mhrambo3501, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6TOO MGA6-64-OK MGA7-64-OK | ||
| Source RPM: | cyrus-imapd-2.5.11-7.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2019-07-15 19:15:28 CEST
David Walser
2019-07-15 19:15:35 CEST
Whiteboard:
(none) =>
MGA7TOO, MGA6TOO
Lewis Smith
2019-07-16 21:01:28 CEST
Assignee:
bugsquad =>
pkg-bugs

Cauldron updated to version 2.5.13.
Patched package uploaded for Mageia 7 and Mageia 6.

Advisory:
========================

Updated cyrus-imapd package fixes security vulnerability:

It was discovered that cyrus-imapd had a buffer overflow in CalDAV request handling triggered by a long iCalendar property name (CVE-2019-11356).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11356
https://access.redhat.com/errata/RHSA-2019:1771
========================

Updated packages in core/updates_testing:
========================
cyrus-imapd-2.5.11-7.1.mga7.x86_64.rpm
lib64cyrus-imapd0-2.5.11-7.1.mga7.x86_64.rpm
lib64cyrus-imapd-devel-2.5.11-7.1.mga7.x86_64.rpm
perl-Cyrus-2.5.11-7.1.mga7.x86_64.rpm

from cyrus-imapd-2.5.11-7.1.mga7.src.rpm

cyrus-imapd-2.5.11-1.1.mga6.x86_64.rpm
lib64cyrus-imapd0-2.5.11-1.1.mga6.x86_64.rpm
lib64cyrus-imapd-devel-2.5.11-1.1.mga6.x86_64.rpm
perl-Cyrus-2.5.11-1.1.mga6.x86_64.rpm

from cyrus-imapd-2.5.11-1.1.mga6.src.rpm

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=16823#c12

CC:
(none) =>
mrambo
Mike Rambo
2019-07-18 16:06:47 CEST
Keywords:
(none) =>
has_procedure
MGA6-64 Plasma on Lenovo B50
No installation issues.
Following test procedure above, first made user member of postfix group, rebooted, then at CLI:
# systemctl start cyrus-imapd.service
# systemctl -l status cyrus-imapd.service
● cyrus-imapd.service - Cyrus-imapd IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/cyrus-imapd.service; enabled; vendor preset: enabled)
Active: active (running) since vr 2019-07-19 10:02:37 CEST; 3min 19s ago
Process: 1351 ExecStartPre=/usr/lib/cyrus-imapd/cyr_systemd_helper start (code=exited, status=0/SUCCESS)
Main PID: 1900 (cyrus-master)
CGroup: /system.slice/cyrus-imapd.service
├─1900 /usr/lib/cyrus-imapd/cyrus-master
├─1998 idled
├─2000 imapd
├─2001 imapd
├─2002 imapd
├─2003 imapd
├─2004 imapd
├─2005 imapd -s
├─2006 pop3d
├─2007 pop3d
├─2008 pop3d
├─2009 pop3d -s
├─2010 lmtpd
├─2011 imapd
├─2012 imapd
├─2013 imapd
├─2014 imapd
├─2015 imapd
├─2016 imapd -s
├─2017 pop3d
├─2018 pop3d
├─2019 pop3d
└─2020 pop3d -s
jul 19 10:02:26 mach5.hviaene.thuis systemd[1]: Starting Cyrus-imapd IMAP/POP3 email server...
jul 19 10:02:28 mach5.hviaene.thuis su[1375]: (to cyrus) root on none
jul 19 10:02:37 mach5.hviaene.thuis systemd[1]: Started Cyrus-imapd IMAP/POP3 email server.
jul 19 10:02:39 mach5.hviaene.thuis ctl_cyrusdb[1908]: skiplist: clean shutdown file missing, updating recovery stamp
jul 19 10:02:39 mach5.hviaene.thuis ctl_cyrusdb[1908]: recovering cyrus databases
jul 19 10:02:40 mach5.hviaene.thuis ctl_cyrusdb[1908]: done recovering cyrus databases
jul 19 10:02:41 mach5.hviaene.thuis master[1900]: unable to setsocketopt(IP_TOS) service lmtpunix/unix: Operation not supported
jul 19 10:02:41 mach5.hviaene.thuis ctl_cyrusdb[1999]: checkpointing cyrus databases
$ telnet localhost 143
Trying ::1...
Connected to localhost (::1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] mach5.hviaene.thuis Cyrus IMAP 2.5.11-Kolab-2.5.11-1.1.mga6 server ready
^]
telnet> quit
Connection closed.
And if someone is struggling like I was on an AZERTY keyboard, you have to press and hold CTRL-ALTGR and then hit the ] key.
Whiteboard:
MGA6TOO =>
MGA6TOO MGA6-64-OK
MGA7-64 Plasma on Lenovo B50
No installation issues.
Following same steps as in Comment 2:
# systemctl start cyrus-imapd.service
# systemctl -l status cyrus-imapd.service
● cyrus-imapd.service - Cyrus-imapd IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/cyrus-imapd.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2019-07-19 10:45:48 CEST; 18s ago
Process: 9329 ExecStartPre=/usr/lib/cyrus-imapd/cyr_systemd_helper start (code=exited, status=0/SUCCESS)
Main PID: 9394 (cyrus-master)
Memory: 34.4M
CGroup: /system.slice/cyrus-imapd.service
├─9394 /usr/lib/cyrus-imapd/cyrus-master
├─9398 idled
├─9400 imapd
├─9401 imapd
├─9402 imapd
├─9403 imapd
├─9404 imapd
├─9405 imapd -s
├─9406 pop3d
├─9407 pop3d
├─9408 pop3d
├─9409 pop3d -s
├─9410 lmtpd
├─9411 imapd
├─9412 imapd
├─9413 imapd
├─9414 imapd
├─9415 imapd
├─9416 imapd -s
├─9417 pop3d
├─9418 pop3d
├─9419 pop3d
└─9420 pop3d -s
jul 19 10:45:48 mach5.hviaene.thuis su[9335]: (to cyrus) root on none
jul 19 10:45:48 mach5.hviaene.thuis su[9335]: pam_unix(su:session): session opened for user cyrus by (uid=0)
jul 19 10:45:48 mach5.hviaene.thuis su[9335]: pam_unix(su:session): session closed for user cyrus
jul 19 10:45:48 mach5.hviaene.thuis systemd[1]: Started Cyrus-imapd IMAP/POP3 email server.
jul 19 10:45:48 mach5.hviaene.thuis ctl_cyrusdb[9396]: skiplist: clean shutdown file missing, updating recovery stamp
jul 19 10:45:48 mach5.hviaene.thuis ctl_cyrusdb[9396]: recovering cyrus databases
jul 19 10:45:48 mach5.hviaene.thuis ctl_cyrusdb[9396]: done recovering cyrus databases
jul 19 10:45:48 mach5.hviaene.thuis master[9394]: unable to setsocketopt(IP_TOS) service lmtpunix/unix: Operation not supported
jul 19 10:45:48 mach5.hviaene.thuis ctl_cyrusdb[9399]: checkpointing cyrus databases
jul 19 10:45:48 mach5.hviaene.thuis ctl_cyrusdb[9399]: done checkpointing cyrus databases
$ telnet localhost 143
Trying ::1...
Connected to localhost (::1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] mach5.hviaene.thuis Cyrus IMAP 2.5.11-Kolab-2.5.11-7.1.mga7 server ready
^]
telnet> quit
Connection closed.
Whiteboard:
MGA6TOO MGA6-64-OK =>
MGA6TOO MGA6-64-OK MGA7-64-OK
Thank you, Herman.
Validating. Advisory in Comment 1
Keywords:
(none) =>
validated_update
Thomas Backlund
2019-08-09 22:23:55 CEST
Keywords:
(none) =>
advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0219.html
Resolution:
(none) =>
FIXED |