Version in base suite: 3.0.8-6+deb10u1 Base version: cyrus-imapd_3.0.8-6+deb10u1 Target version: cyrus-imapd_3.0.8-6+deb10u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cyrus-imapd/cyrus-imapd_3.0.8-6+deb10u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cyrus-imapd/cyrus-imapd_3.0.8-6+deb10u3.dsc changelog | 13 +++++++++++++ patches/CVE-2019-18928.patch | 38 ++++++++++++++++++++++++++++++++++++++ patches/CVE-2019-19783.patch | 36 ++++++++++++++++++++++++++++++++++++ patches/series | 2 ++ 4 files changed, 89 insertions(+)
diff -Nru cyrus-imapd-3.0.8/debian/changelog cyrus-imapd-3.0.8/debian/changelog
--- cyrus-imapd-3.0.8/debian/changelog 2019-10-09 20:38:07.000000000 +0000
+++ cyrus-imapd-3.0.8/debian/changelog 2019-12-16 06:16:20.000000000 +0000
@@ -1,3 +1,16 @@
+cyrus-imapd (3.0.8-6+deb10u3) buster-security; urgency=medium
+
+ * Add patch to avoid mailbox creation as administrator
+ (Closes: #CVE-2019-19783)
+
+ -- Xavier Guimard Mon, 16 Dec 2019 07:16:20 +0100
+
+cyrus-imapd (3.0.8-6+deb10u2) buster; urgency=high
+
+ * Fix privilege escalation on HTTP request (Closes: CVE-2019-18928)
+
+ -- Xavier Guimard Tue, 19 Nov 2019 22:21:32 +0100
+
 cyrus-imapd (3.0.8-6+deb10u1) buster; urgency=medium
 * Add patch to fix data loss on upgrade from versions ≤ 3.0.0
diff -Nru cyrus-imapd-3.0.8/debian/patches/CVE-2019-18928.patch cyrus-imapd-3.0.8/debian/patches/CVE-2019-18928.patch
--- cyrus-imapd-3.0.8/debian/patches/CVE-2019-18928.patch 1970-01-01 00:00:00.000000000 +0000
+++ cyrus-imapd-3.0.8/debian/patches/CVE-2019-18928.patch 2019-12-16 06:16:20.000000000 +0000
@@ -0,0 +1,38 @@
+Description: fix privilege escalation
+ Only allow reuse of auth creds on a persistent connection against a backend
+ server in a Murder
+Author: Ken Murchison
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/e675bf7
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18928
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-11-19
+
+--- a/imap/httpd.c
++++ b/imap/httpd.c
+@@ -1729,6 +1729,25 @@
+ txn->auth_chal.scheme = NULL;
+ }
+
++ /* Drop auth credentials, if not a backend in a Murder */
++ else if (!config_mupdate_server || !config_getstring(IMAPOPT_PROXYSERVERS)) {
++ syslog(LOG_DEBUG, "drop auth creds");
++
++ free(httpd_userid);
++ httpd_userid = NULL;
++
++ free(httpd_extrafolder);
++ httpd_extrafolder = NULL;
++
++ free(httpd_extradomain);
++ httpd_extradomain = NULL;
++
++ if (httpd_authstate) {
++ auth_freestate(httpd_authstate);
++ httpd_authstate = NULL;
++ }
++ }
++
+ /* Perform proxy authorization, if necessary */
+ else if (saslprops.authid &&
+ (hdr = spool_getheader(txn->req_hdrs, "Authorize-As")) &&
diff -Nru cyrus-imapd-3.0.8/debian/patches/CVE-2019-19783.patch cyrus-imapd-3.0.8/debian/patches/CVE-2019-19783.patch
--- cyrus-imapd-3.0.8/debian/patches/CVE-2019-19783.patch 1970-01-01 00:00:00.000000000 +0000
+++ cyrus-imapd-3.0.8/debian/patches/CVE-2019-19783.patch 2019-12-16 06:16:20.000000000 +0000
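Review bot: The new `else if` branch frees `httpd_userid`, `httpd_extrafolder`, `httpd_extradomain` and `httpd_authstate` but, unlike the branches above it (the hunk's first context line still shows `txn->auth_chal.scheme = NULL;`), it leaves `txn->auth_chal.scheme` and any SASL-side state untouched, so whether a dropped credential can still surface as an in-progress challenge on the next request of the same connection should be confirmed against the head of the chain, which starts outside the hunk. The branch is also placed ahead of the `Authorize-As` proxy-authorization branch, so whenever its condition holds on a non-Murder server that header is never consulted; this is presumably intended, since the header only makes sense coming from a frontend, but the code should say so. Suggested comment in place of the one-liner: `/* Not a Murder backend: never carry credentials across requests on this connection (CVE-2019-18928); the Authorize-As branch below is only for proxied requests */`. The enclosing function begins and ends outside the hunk.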
@@ -0,0 +1,36 @@
+Description: fix for CVE-2019-19783
+ When creating a missing mailbox as part of a sieve 'fileinto' directive,
+ lmtpd would create it as administrator, bypassing ACL checks.
+ .
+ lmtpd creates missing mailboxes as part of a sieve 'fileinto' directive if:
+ .
+ (2.5+) the anysievefolder option is enabled (default: not), or
+ (3.0+) the sieve_extensions option has the 'mailbox' extension enabled
+ (default: enabled) and the 'fileinto' directive contains the ":create"
+ argument
+ .
+ Under these conditions, a user with the ability to upload a custom sieve
+ script to their account could use it to create any valid mailbox on the
+ server (with ACL inherited from the parent mailbox as usual).
+ .
+ lmtpd no longer creates these mailboxes as administrator, so users may no
+ longer use a 'fileinto' directive to create a mailbox they couldn’t create
+ otherwise.
+Author: Bron Gondwana
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/7080d0a
+Bug: https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html#security-fixes
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-12-16
+
+--- a/imap/lmtp_sieve.c
++++ b/imap/lmtp_sieve.c
+@@ -999,7 +999,7 @@
+ if (createsievefolder) {
+ /* Folder is already in internal namespace format */
+ r = mboxlist_createmailbox(internalname, 0, NULL,
+- 1, userid, auth_state, 0, 0, 0, 1, NULL);
++ 0, userid, auth_state, 0, 0, 0, 1, NULL);
+ if (!r) {
+ mboxlist_changesub(internalname, userid, auth_state, 1, 1, 1);
+ syslog(LOG_DEBUG, "autosievefolder: User %s, folder %s creation succeeded",
diff -Nru cyrus-imapd-3.0.8/debian/patches/series cyrus-imapd-3.0.8/debian/patches/series
--- cyrus-imapd-3.0.8/debian/patches/series 2019-10-09 20:32:06.000000000 +0000
+++ cyrus-imapd-3.0.8/debian/patches/series 2019-12-16 06:16:20.000000000 +0000
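Review bot: The fix is a bare positional `1` → `0` in an eleven-argument `mboxlist_createmailbox` call, and nothing at the call site records why that argument must stay `0`; the DEP-3 header explains it, but a later tidy-up of the call could silently reintroduce creation as administrator. Add a why-comment above the call, e.g. `/* Create with the user's own rights, not as admin, so the parent mailbox's ACL is enforced (CVE-2019-19783) */`. With what the description identifies as the administrator flag now cleared, the call can be refused for a user lacking create rights on the parent, and only the `if (!r)` success path is visible here, so the error handling (outside the hunk) should be checked to see how a refused creation is treated during delivery. The enclosing function continues past the hunk.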
@@ -23,3 +23,5 @@
 0023-fix-memory-leak-on-ldap-failure.patch
 CVE-2019-11356.patch
 0024-dont-skip-records-with-modseq-0.patch
+CVE-2019-18928.patch
+CVE-2019-19783.patch