Bug 25913 - cyrus-imapd new security issues CVE-2019-18928 and CVE-2019-19783
Summary: cyrus-imapd new security issues CVE-2019-18928 and CVE-2019-19783
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://linuxsecurity.com/advisories/...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-20 14:40 CET by Zombie Ryushu
Modified: 2020-01-05 16:39 CET

See Also:
Source RPM: cyrus-imapd-2.5.11-7.1.mga7.src.rpm
CVE: CVE-2019-18928, CVE-2019-19783
Status comment:



Zombie Ryushu 2019-12-20 14:41:21 CET

CVE: (none) => CVE-2019-19783
Component: RPM Packages => Security

Comment 1 Lewis Smith 2019-12-20 20:59:25 CET
Thank you for the notification.
Checked -ve for duplicate of the CVE.
No registered maintainer => assign globally; another CC for DavidG as recent committer.

CC: (none) => geiger.david68210
Assignee: bugsquad => pkg-bugs
Source RPM: cyrus-imapd => cyrus-imapd-2.5.11-7.1.mga7.src.rpm
QA Contact: (none) => security

Comment 2 David Walser 2019-12-20 21:17:08 CET
Actual link to the Debian advisory from December 19:
https://www.debian.org/security/2019/dsa-4590

The issue is fixed upstream in 2.5.15.

Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Summary: DSA-4590-1: cyrus-imapd security update CVE-2019-19783 => cyrus-imapd new security issue CVE-2019-19783

Comment 3 David GEIGER 2019-12-20 22:52:49 CET
Done for both Cauldron and mga7!

Comment 4 David Walser 2019-12-21 02:31:01 CET
Advisory:
========================

Updated cyrus-imapd packages fix security vulnerability:

It was discovered that the lmtpd component of the Cyrus IMAP server created
mailboxes with administrator privileges if the "fileinto" was used, bypassing
ACL checks (CVE-2019-19783).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19783
https://www.debian.org/security/2019/dsa-4590
========================

Updated packages in core/updates_testing:
========================
cyrus-imapd-2.5.15-1.mga7
libcyrus-imapd0-2.5.15-1.mga7
libcyrus-imapd-devel-2.5.15-1.mga7
perl-Cyrus-2.5.15-1.mga7

from cyrus-imapd-2.5.15-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs

Comment 5 David Walser 2019-12-27 04:38:36 CET
Fedora has issued an advisory on December 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/

This fixes a new security issue.

The issue is fixed upstream in 2.5.14.

Severity: normal => major
Summary: cyrus-imapd new security issue CVE-2019-19783 => cyrus-imapd new security issues CVE-2019-18928 and CVE-2019-19783
CVE: CVE-2019-19783 => CVE-2019-18928, CVE-2019-19783

Comment 7 Herman Viaene 2020-01-03 14:36:57 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 25134 for testing
First installed postfix to get the postfix group
then
# systemctl start cyrus-imapd.service
# systemctl -l status cyrus-imapd.service
● cyrus-imapd.service - Cyrus-imapd IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/cyrus-imapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-01-03 14:28:25 CET; 13s ago
  Process: 17721 ExecStartPre=/usr/lib/cyrus-imapd/cyr_systemd_helper start (code=exited, status=0/SUCCESS)
 Main PID: 17785 (cyrus-master)
   Memory: 36.2M
   CGroup: /system.slice/cyrus-imapd.service
           ├─17785 /usr/lib/cyrus-imapd/cyrus-master
           ├─17791 idled
           ├─17793 imapd
           ├─17794 imapd
           ├─17795 imapd
           ├─17796 imapd
           ├─17797 imapd
           ├─17798 imapd -s
           ├─17799 pop3d
           ├─17800 pop3d
           ├─17801 pop3d
           ├─17802 pop3d -s
           ├─17803 lmtpd
           ├─17804 imapd
           ├─17805 imapd
           ├─17806 imapd
           ├─17807 imapd
           ├─17808 imapd
           ├─17809 imapd -s
           ├─17810 pop3d
           ├─17811 pop3d
           ├─17812 pop3d
           └─17813 pop3d -s

jan 03 14:28:25 mach5.hviaene.thuis su[17727]: (to cyrus) root on none
jan 03 14:28:25 mach5.hviaene.thuis su[17727]: pam_unix(su:session): session opened for user cyrus by (uid=0)
jan 03 14:28:25 mach5.hviaene.thuis su[17727]: pam_unix(su:session): session closed for user cyrus
jan 03 14:28:25 mach5.hviaene.thuis systemd[1]: Started Cyrus-imapd IMAP/POP3 email server.
jan 03 14:28:25 mach5.hviaene.thuis ctl_cyrusdb[17788]: skiplist: clean shutdown file missing, updating recovery stamp
jan 03 14:28:25 mach5.hviaene.thuis ctl_cyrusdb[17788]: recovering cyrus databases
jan 03 14:28:25 mach5.hviaene.thuis ctl_cyrusdb[17788]: done recovering cyrus databases
jan 03 14:28:25 mach5.hviaene.thuis master[17785]: unable to setsocketopt(IP_TOS) service lmtpunix/unix: Operation not supported
jan 03 14:28:25 mach5.hviaene.thuis ctl_cyrusdb[17792]: checkpointing cyrus databases
jan 03 14:28:25 mach5.hviaene.thuis ctl_cyrusdb[17792]: done checkpointing cyrus databases

and

$ telnet localhost 143
Trying ::1...
Connected to localhost (::1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] mach5.hviaene.thuis Cyrus IMAP 2.5.15-Kolab-2.5.15-1.mga7 server ready
^]
telnet> quit
Connection closed.

Seems OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
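
A check derived from the telnet step in the comment above, added here as example code that is not part of the bug report or of Cyrus itself: it parses the IMAP greeting for the Cyrus version and reports which of the two CVEs in this bug are still outstanding, using the upstream fix versions stated in the comments (2.5.14 for CVE-2019-18928, 2.5.15 for CVE-2019-19783). The sample banner is copied from the comment; `fetch_banner` is an assumed helper for running the same check against a live server.

```python
"""Compare a Cyrus IMAP greeting against the upstream fix versions from this bug."""
import re
import socket

# Upstream versions carrying the fixes, as stated in comments 2 and 5 of the bug.
FIXED_IN = {
    "CVE-2019-18928": (2, 5, 14),
    "CVE-2019-19783": (2, 5, 15),
}

# Constructed sample input: the greeting quoted in the QA comment above.
SAMPLE_BANNER = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] "
    "mach5.hviaene.thuis Cyrus IMAP 2.5.15-Kolab-2.5.15-1.mga7 server ready"
)

_VERSION_RE = re.compile(r"Cyrus IMAP (\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return the (major, minor, patch) tuple from a Cyrus greeting, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def outstanding_cves(banner):
    """List the CVEs from this bug whose fix version the banner does not reach.

    A greeting without a version is treated as unknown, i.e. all CVEs
    are reported, so a hidden banner never reads as 'patched'.
    """
    ver = parse_version(banner)
    if ver is None:
        return sorted(FIXED_IN)
    return sorted(cve for cve, fixed in FIXED_IN.items() if ver < fixed)


def fetch_banner(host="localhost", port=143, timeout=5.0):
    """Read the untagged greeting line from a live server (the telnet step, automated)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        buf = b""
        while b"\n" not in buf:
            chunk = s.recv(1024)
            if not chunk:
                break
            buf += chunk
    return buf.decode("ascii", "replace").strip()


if __name__ == "__main__":
    print(outstanding_cves(SAMPLE_BANNER))  # [] for the 2.5.15 banner above
```

The banner reports the upstream version only; on a distribution that backports fixes without bumping that version, confirm with the package version instead (here, the 2.5.15-1.mga7 packages listed in comment 4).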

Comment 8 Thomas Andrews 2020-01-03 19:09:44 CET
Validating. Advisory in Comment 6.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-01-05 12:48:49 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-01-05 16:39:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0010.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
