Report forwarded to debian-bugs-dist@lists.debian.org, Norbert Preining <norbert@preining.info>: Bug#999804; Package isync. (Tue, 16 Nov 2021 21:45:04 GMT)
Acknowledgement sent to Antoine Beaupre <anarcat@debian.org>:
New Bug report received and forwarded. Copy sent to Norbert Preining <norbert@preining.info>. (Tue, 16 Nov 2021 21:45:04 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: crash after upgrade to 1.4.3
Date: Tue, 16 Nov 2021 16:41:42 -0500
Package: isync
Version: 1.4.3-1
Severity: normal
Before the upgrade (1.3.0-2.2, on bullseye), I am able to run mbsync
without too many issues. After the upgrade, it completely crashes with
what looks like an assertion failure:
C: 0/1 B: 134/205 F: +0/0 *0/0 #0/0 N: +4/4 *0/0 #0/0
Warning: lost track of 676 pulled message(s)
C: 0/1 B: 134/205 F: +0/0 *0/0 #0/0 N: +4/681 *0/0 #0/0
Warning: message 1 from far side has incomplete header.
C: 0/1 B: 134/205 F: +0/0 *0/0 #0/0 N: +5/681 *0/0 #0/0corrupted size vs. prev_size while consolidating
Abandon (core dumped)
Here's the backtrace:
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f529fa18537 in __GI_abort () at abort.c:79
#2  0x00007f529fa71768 in __libc_message (action=action@entry=do_abort,
    fmt=fmt@entry=0x7f529fb7fe2d "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007f529fa78a5a in malloc_printerr (
    str=str@entry=0x7f529fb82280 "corrupted size vs. prev_size while consolidating") at malloc.c:5347
#4  0x00007f529fa7a12e in _int_free (av=0x7f529fbb1b80 <main_arena>,
    p=0x5613006c9860, have_lock=<optimized out>) at malloc.c:4332
#5  0x00005612ff5f01a7 in copy_msg_convert (vars=0x561300587510,
    out_cr=<optimized out>, in_cr=<optimized out>) at ./src/sync.c:534
#6  msg_fetched (sts=<optimized out>, aux=0x561300587510) at ./src/sync.c:559
#7  0x00005612ff5f9832 in done_imap_cmd (ctx=ctx@entry=0x7f52a0140010,
    cmd=cmd@entry=0x561300635b30, response=response@entry=0)
    at ./src/drv_imap.c:326
#8  0x00005612ff600bc2 in imap_socket_read (aux=0x7f52a0140010)
    at ./src/drv_imap.c:1740
#9  0x00005612ff5f72b7 in event_wait () at ./src/util.c:831
#10 main_loop () at ./src/util.c:903
#11 0x00005612ff5ec38f in main (argc=<optimized out>, argv=<optimized out>)
    at ./src/main.c:797
It could be this is a new assertion for something that was broken
already in a previous version. I'm dealing with corruption issues on
the IMAP server side, but it seems to me this should still not crash,
especially on hostile server data...
(I don't have a particular reason to believe this is a security issue,
but I guess that if this is caused by a malicious message, it might be
a mild DoS condition..)
-- System Information:
Debian Release: 11.1
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-9-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages isync depends on:
ii libc6 2.31-13+deb11u2
ii libdb5.3 5.3.28+dfsg1-0.8
ii libsasl2-2 2.1.27+dfsg-2.1
ii libssl1.1 1.1.1k-1+deb11u1
ii zlib1g 1:1.2.11.dfsg-2
isync recommends no packages.
Versions of packages isync suggests:
ii mutt 2.0.5-4.1
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Preining <norbert@preining.info>: Bug#999804; Package isync. (Mon, 22 Nov 2021 13:03:04 GMT)
Acknowledgement sent to Olzvoi Bayasgalan <me@olzvoi.dev>:
Extra info received and forwarded to list. Copy sent to Norbert Preining <norbert@preining.info>. (Mon, 22 Nov 2021 13:03:04 GMT)
Hi,
Should we have blocked this version of isync's transition to testing due
to this issue? I know it's too late now, but the question seems valid in
general.
- Olzvoi
Changed Bug title to 'isync: CVE-2021-44143' from 'crash after upgrade to 1.4.3'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 03 Dec 2021 12:45:07 GMT)
Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 03 Dec 2021 12:45:09 GMT)
Reply sent to Norbert Preining <norbert@preining.info>:
You have taken responsibility. (Fri, 03 Dec 2021 13:51:06 GMT)
Notification sent to Antoine Beaupre <anarcat@debian.org>:
Bug acknowledged by developer. (Fri, 03 Dec 2021 13:51:06 GMT)
Source: isync
Source-Version: 1.4.4-1
Done: Norbert Preining <norbert@preining.info>
We believe that the bug you reported is fixed in the latest version of
isync, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 999804@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Norbert Preining <norbert@preining.info> (supplier of updated isync package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 03 Dec 2021 20:39:17 +0900
Source: isync
Architecture: source
Version: 1.4.4-1
Distribution: unstable
Urgency: high
Maintainer: Norbert Preining <norbert@preining.info>
Changed-By: Norbert Preining <norbert@preining.info>
Closes: 999804
Changes:
isync (1.4.4-1) unstable; urgency=high
.
* New upstream version 1.4.4 (Closes: #999804)
(fixes CVE-2021-3657, CVE-2021-44143)
* Update VCS place since debian NS is not accessible to me.
Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Preining <norbert@preining.info>: Bug#999804; Package isync. (Fri, 03 Dec 2021 15:18:02 GMT)
Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Norbert Preining <norbert@preining.info>. (Fri, 03 Dec 2021 15:18:02 GMT)
To: Olzvoi Bayasgalan <me@olzvoi.dev>, 999804@bugs.debian.org,
999804@bugs.debian.org
Subject: Re: Bug#999804: crash after upgrade to 1.4.3
Date: Fri, 03 Dec 2021 10:15:02 -0500
On 2021-11-22 20:24:09, Olzvoi Bayasgalan wrote:
> Hi,
>
> Should we have blocked this version of isync's transition to testing due
> to this issue? I know it's too late now, but the question seems valid in
> general.
Maybe. A single crash like this might not warrant an RC severity, which
would have been required to block transition. I felt my setup was exotic
enough that it didn't warrant a blocker bug, but I hadn't realized there
was potentially a security issue there (silly me), otherwise I would
have handled this very differently anyways.
But yeah, maybe. :) Anyways now it should trickle down to testing soon
enough and this will be all moot.
a.
--
Celui qui sait jouir du peu qu'il a est toujours assez riche.
- Démocrite
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jan 2022 07:24:42 GMT)