Bug 30079

Summary: cyrus-imapd new security issues CVE-2021-32056 and CVE-2021-33582
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: cyrus-imapd-2.5.15-4.mga9.src.rpm CVE: CVE-2021-33582
Status comment:

Description David Walser 2022-02-22 00:11:27 CET 
Fedora has issued an advisory on February 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJZB45QBUN7CZFGOWCZYUYACNBTX7LVS/

The issues are fixed upstream in 3.0.16 and 3.2.8.

The first CVE may not affect us (it's not entirely clear), but the second one definitely does.

Mageia 8 is also affected.
David Walser 2022-02-22 00:19:11 CET

Status comment: (none) => Fixed upstream in 3.0.16
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-02-22 19:56:37 CET 
No particular packager evident, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2022-06-20 19:26:52 CEST 
Debian-LTS has issued an advisory for the second issue today (June 20):
https://www.debian.org/lts/security/2022/dla-3052
Comment 3 Nicolas Salguero 2022-06-21 10:40:01 CEST 
Hi,

At least, Debian, OpenSUSE and upstream say CVE-2021-32056 only affects 3.2.x and above:
https://security-tracker.debian.org/tracker/CVE-2021-32056
https://github.com/cyrusimap/cyrus-imapd/commit/621f9e41465b521399f691c241181300fab55995#commitcomment-50693076

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 4 Nicolas Salguero 2022-06-21 10:41:03 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. (CVE-2021-33582)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33582
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJZB45QBUN7CZFGOWCZYUYACNBTX7LVS/
https://www.debian.org/lts/security/2022/dla-3052
========================

Updated packages in core/updates_testing:
========================
cyrus-imapd-2.5.15-3.1.mga8
lib(64)cyrus-imapd0-2.5.15-3.1.mga
lib(64)cyrus-imapd-devel-2.5.15-3.1.mga8
perl-Cyrus-2.5.15-3.1.mga8

from SRPM:
cyrus-imapd-2.5.15-3.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 3.0.16 => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-33582

Comment 5 Nicolas Salguero 2022-06-21 10:43:12 CEST 
Regarding CVE-2021-32056, when I looked at the code, I did not find the affected code so I also think that CVE does not affect us.
Comment 6 Herman Viaene 2022-06-24 16:53:46 CEST 
Selecting all four packages in QARepo gives:
lib64cyrus-imapd0-2.5.15-3.1.mga not found in the remote repository

CC: (none) => herman.viaene

Comment 7 David Walser 2022-06-24 16:58:38 CEST 
There should be an 8 at the end of that name (mga8).
Comment 8 Herman Viaene 2022-06-30 10:26:05 CEST 
MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
Ref bug 25913 for testing
# systemctl start cyrus-imapd.service
# systemctl -l status cyrus-imapd.service
● cyrus-imapd.service - Cyrus-imapd IMAP/POP3 email server
     Loaded: loaded (/usr/lib/systemd/system/cyrus-imapd.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-06-30 10:19:53 CEST; 16s ago
    Process: 16530 ExecStartPre=/usr/lib/cyrus-imapd/cyr_systemd_helper start (code=exited, status=0/SUCCESS)
   Main PID: 16588 (cyrus-master)
      Tasks: 23 (limit: 4364)
     Memory: 34.9M
        CPU: 684ms
     CGroup: /system.slice/cyrus-imapd.service
             ├─16588 /usr/lib/cyrus-imapd/cyrus-master
             ├─16592 idled
             ├─16594 imapd
             ├─16595 imapd
             ├─16596 imapd
             ├─16597 imapd
             ├─16599 imapd
             ├─16600 imapd -s
             ├─16603 pop3d
             ├─16604 pop3d
             ├─16605 pop3d
             ├─16608 pop3d -s
             ├─16609 lmtpd
             ├─16610 imapd
             ├─16611 imapd
             ├─16612 imapd
             ├─16617 imapd
             ├─16618 imapd
             ├─16619 imapd -s
             ├─16620 pop3d
             ├─16621 pop3d
             ├─16622 pop3d
             └─16623 pop3d -s

Jun 30 10:19:52 mach7.hviaene.thuis systemd[1]: Starting Cyrus-imapd IMAP/POP3 email server...
and then
$ telnet localhost 143
Trying ::1...
Connected to localhost (::1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] mach7.hviaene.thuis Cyrus IMAP 2.5.15-Kolab-2.5.15-3.1.mga8 server ready
Looks good

Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2022-07-01 15:55:14 CEST 
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-07-04 23:32:22 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 Mageia Robot 2022-07-05 21:12:27 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0247.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED