Hi all, since there hasn't been any response for n >= 21 days, I have uploaded a new isync package 1.4.3-1 to the DELAYED/7 queue.

The diff of the debian dirs between the last released version and the one I uploaded is attached.

Thanks

Norbert

On Thu, 05 Aug 2021, Norbert Preining wrote:
> Package: isync
> Version: 1.3.0-2.2
> Severity: important
> X-Debbugs-Cc: Alessandro Ghedini <gh...@debian.org>, Nicolas Boullis
> <nboul...@debian.org>, Theodore Y. Ts'o <ty...@mit.edu>, m...@qa.debian.org
>
> Dear Nicolas, dear all,
>
> I intend to salvage this package:
> - several new upstreams
> - no activity besides security NMUs for years
>
> This bug report starts the official salvage request according to
> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#package-salvaging
>
> Nicolas, could you please answer here (best signed) that you either will
> take further care of the package, or agree to the salvaging.
>
> Thanks
>
> Norbert

--
PREINING Norbert https://www.preining.info
Fujitsu Research + IFMGA Guide + TU Wien + TeX Live + Debian Dev
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
diff -urN isync-1.3.0/debian/changelog isync-1.4.3/debian/changelog --- isync-1.3.0/debian/changelog 2021-06-08 04:03:56.000000000 +0900 +++ isync-1.4.3/debian/changelog 2021-11-09 08:45:36.000000000 +0900 @@ -1,3 +1,15 @@ +isync (1.4.3-1) unstable; urgency=medium + + * New upstream version 1.4.3 + * Drop patches, included upstream. + * Update list of installed files. + * Drop references to isync. + * Take over maintainership (Closes: #991904). + * Bump standards level to 4.6.0, no changes necessary. + * Use debhelper-compat (= 12) instead of d/compat. + + -- Norbert Preining <norb...@preining.info> Tue, 09 Nov 2021 08:45:36 +0900 + isync (1.3.0-2.2) unstable; urgency=medium * Non-maintainer upload. diff -urN isync-1.3.0/debian/compat isync-1.4.3/debian/compat --- isync-1.3.0/debian/compat 2021-06-08 04:03:56.000000000 +0900 +++ isync-1.4.3/debian/compat 1970-01-01 09:00:00.000000000 +0900 @@ -1 +0,0 @@ -11 diff -urN isync-1.3.0/debian/control isync-1.4.3/debian/control --- isync-1.3.0/debian/control 2021-06-08 04:03:56.000000000 +0900 +++ isync-1.4.3/debian/control 2021-11-09 08:45:36.000000000 +0900 @@ -1,10 +1,9 @@ Source: isync Section: mail Priority: optional -Maintainer: Nicolas Boullis <nboul...@debian.org> -Uploaders: Theodore Y. Ts'o <ty...@mit.edu> -Standards-Version: 4.2.1 -Build-Depends: debhelper (>= 11), +Maintainer: Norbert Preining <norb...@preining.info> +Standards-Version: 4.6.0 +Build-Depends: debhelper-compat (= 12), libdb-dev, libsasl2-dev, libssl-dev, 
@@ -24,11 +23,6 @@ deletions and flag changes can be propagated both ways. isync is suitable for use in IMAP-disconnected mode. . - The main application was much improved in version 1.0. Those improvements - lead to interface changes and the application being renamed to mbsync. The - application isync is now only a wrapper to keep compatibility with earlier - versions. - . Features: * Fine-grained selection of synchronization operations to perform * Synchronizes single mailboxes or entire mailbox collections diff -urN isync-1.3.0/debian/isync.examples isync-1.4.3/debian/isync.examples --- isync-1.3.0/debian/isync.examples 2021-06-08 04:03:56.000000000 +0900 +++ isync-1.4.3/debian/isync.examples 2021-11-09 08:45:36.000000000 +0900 @@ -1,2 +1 @@ src/mbsyncrc.sample -src/compat/isyncrc.sample diff -urN isync-1.3.0/debian/patches/01_sni.patch isync-1.4.3/debian/patches/01_sni.patch --- isync-1.3.0/debian/patches/01_sni.patch 2021-06-08 04:03:56.000000000 +0900 +++ isync-1.4.3/debian/patches/01_sni.patch 1970-01-01 09:00:00.000000000 +0900 
@@ -1,38 +0,0 @@ -From 1086cdb8fd77a224d56033bde0825a286ba30ee2 Mon Sep 17 00:00:00 2001 -From: Vincent Bernat <vinc...@bernat.ch> -Date: Wed, 22 Aug 2018 19:20:35 +0200 -Subject: [PATCH] use SNI when connecting with SSL - -imap.gmail.com doesn't accept connections without SNI anymore. Without -this extension, it returns a self-signed certificate and mbsync is -unable to complete: - - $ openssl s_client -connect imap.gmail.com:993 -noservername - CONNECTED(00000005) - depth=0 OU = "No SNI provided; please fix your client.", CN = invalid2.invalid - verify error:num=18:self signed certificate - verify return:1 - depth=0 OU = "No SNI provided; please fix your client.", CN = invalid2.invalid - verify return:1 - --- - Certificate chain - 0 s:OU = "No SNI provided; please fix your client.", CN = invalid2.invalid - i:OU = "No SNI provided; please fix your client.", CN = invalid2.invalid - -This commit configure the SSL connection to transmit the hostname -through SNI. This has been tested with both GMail (which requires SNI) -and Fastmail (which doesn't require SNI). ---- - src/socket.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/src/socket.c -+++ b/src/socket.c -@@ -270,6 +270,7 @@ - - init_wakeup( &conn->ssl_fake, ssl_fake_cb, conn ); - conn->ssl = SSL_new( ((server_conf_t *)conn->conf)->SSLContext ); -+ SSL_set_tlsext_host_name( conn->ssl, conn->conf->host ); - SSL_set_fd( conn->ssl, conn->fd ); - SSL_set_mode( conn->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER ); - socket_expect_read( conn, 1 ); diff -urN isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch isync-1.4.3/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch --- isync-1.3.0/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch 2021-06-08 04:03:56.000000000 +0900 +++ isync-1.4.3/debian/patches/fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch 1970-01-01 09:00:00.000000000 +0900 
@@ -1,80 +0,0 @@ -From 5fbed519180f155a017a438e479b6268b74b9526 Mon Sep 17 00:00:00 2001 -From: Oswald Buddenhagen <o...@users.sf.net> -Date: Wed, 14 Apr 2021 16:58:27 +0200 -Subject: [PATCH] fix handling of unexpected APPENDUID response code - -if the code was sent in response to anything but a STORE, we'd overwrite -a data pointer in one of our imap_cmd subclasses, an allocator data -structure, or the start of the next allocation, with an int that was -completely under the server's control. it's plausible that this could be -exploited for remote code execution. - -to avoid this, we could ensure that the object is of the right type -prior to casting, by using a new flag in the parameter block. but it's -easier to just dispose of the out_uid field altogether and reuse the uid -field that is present in the parameter block anyway, but was used only -for FETCH commands so far. - -this problem was found by Lukas Braun <ko...@moshbit.net> using a -fuzzer. ---- - src/drv_imap.c | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git a/src/drv_imap.c b/src/drv_imap.c -index fbe2fed..4cc3b2a 100644 ---- a/src/drv_imap.c -+++ b/src/drv_imap.c -@@ -181,7 +181,6 @@ typedef struct { - imap_cmd_t gen; - void (*callback)( int sts, uint uid, void *aux ); - void *callback_aux; -- uint out_uid; - } imap_cmd_out_uid_t; - - typedef struct { -@@ -1184,11 +1183,22 @@ parse_response_code( imap_store_t *ctx, imap_cmd_t *cmd, char *s ) - */ - for (; isspace( (uchar)*p ); p++); - error( "*** IMAP ALERT *** %s\n", p ); -- } else if (cmd && !strcmp( "APPENDUID", arg )) { -+ } else if (!strcmp( "APPENDUID", arg )) { -+ // The checks ensure that: -+ // - cmd => this is the final tagged response of a command, at which -+ // point cmd was already removed from ctx->in_progress, so param.uid -+ // is available for reuse. -+ // - !param.uid => the command isn't actually a FETCH. 
This doesn't -+ // really matter, as the field is safe to overwrite given the -+ // previous condition; it just has no effect for non-APPENDs. -+ if (!cmd || cmd->param.uid) { -+ error( "IMAP error: unexpected APPENDUID status\n" ); -+ return RESP_CANCEL; -+ } - if (!(arg = next_arg( &s )) || - (ctx->uidvalidity = strtoul( arg, &earg, 10 ), *earg) || - !(arg = next_arg( &s )) || -- (((imap_cmd_out_uid_t *)cmd)->out_uid = strtoul( arg, &earg, 10 ), *earg)) -+ (cmd->param.uid = strtoul( arg, &earg, 10 ), *earg)) - { - error( "IMAP error: malformed APPENDUID status\n" ); - return RESP_CANCEL; -@@ -2957,7 +2967,6 @@ imap_store_msg( store_t *gctx, msg_data_t *data, int to_trash, - ctx->buffer_mem += data->len; - cmd->gen.param.data_len = data->len; - cmd->gen.param.data = data->data; -- cmd->out_uid = 0; - - if (to_trash) { - cmd->gen.param.create = 1; -@@ -2990,7 +2999,7 @@ imap_store_msg_p2( imap_store_t *ctx ATTR_UNUSED, imap_cmd_t *cmd, int response - imap_cmd_out_uid_t *cmdp = (imap_cmd_out_uid_t *)cmd; - - transform_msg_response( &response ); -- cmdp->callback( response, cmdp->out_uid, cmdp->callback_aux ); -+ cmdp->callback( response, cmdp->gen.param.uid, cmdp->callback_aux ); - } - - /******************* imap_find_new_msgs *******************/ --- -2.31.1.2.g8c0bdb8a70 - diff -urN isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch isync-1.4.3/debian/patches/reject-funny-mailbox-names--1.3.patch --- isync-1.3.0/debian/patches/reject-funny-mailbox-names--1.3.patch 2021-06-08 04:03:56.000000000 +0900 +++ isync-1.4.3/debian/patches/reject-funny-mailbox-names--1.3.patch 1970-01-01 09:00:00.000000000 +0900 
@@ -1,68 +0,0 @@ ->From 45e2bdc439a01974b6b990bfb8a8968192c3b721 Mon Sep 17 00:00:00 2001 -From: Oswald Buddenhagen <o...@users.sf.net> -Date: Sun, 14 Feb 2021 20:42:37 +0100 -Subject: [PATCH] CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB - -in particular, '..' in the name could be used to escape the Path/Inbox -of a Maildir Store, which could be exploited for stealing or deleting -data, or staging a (mild) DoS attack. ---- - src/drv_imap.c | 31 ++++++++++++++++++++++++++++++- - 1 file changed, 30 insertions(+), 1 deletion(-) - -diff --git a/src/drv_imap.c b/src/drv_imap.c -index 810479e..fbe2fed 100644 ---- a/src/drv_imap.c -+++ b/src/drv_imap.c -@@ -1258,11 +1258,12 @@ static int - parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED ) - { - string_list_t *narg; -- char *arg; -+ char *arg, c; - int argl, l; - - if (!is_atom( list )) { - error( "IMAP error: malformed LIST response\n" ); -+ listbad: - free_list( list ); - return LIST_BAD; - } -@@ -1302,6 +1303,34 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED ) - warn( "IMAP warning: ignoring mailbox %s (reserved character '/' in name)\n", arg ); - goto skip; - } -+ // Validate the normalized name. Technically speaking, we could tolerate -+ // '//' and '/./', and '/../' being forbidden is a limitation of the Maildir -+ // driver, but there isn't really a legitimate reason for these being present. -+ for (const char *p = narg->string, *sp = p;;) { -+ if (!(c = *p) || c == '/') { -+ uint pcl = (uint)(p - sp); -+ if (!pcl) { -+ error( "IMAP warning: ignoring mailbox '%s' due to empty name component\n", narg->string ); -+ free( narg ); -+ goto skip; -+ } -+ if (pcl == 1 && sp[0] == '.') { -+ error( "IMAP warning: ignoring mailbox '%s' due to '.' component\n", narg->string ); -+ free( narg ); -+ goto skip; -+ } -+ if (pcl == 2 && sp[0] == '.' && sp[1] == '.') { -+ error( "IMAP error: LIST'd mailbox name '%s' contains '..' 
component - THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", narg->string ); -+ free( narg ); -+ goto listbad; -+ } -+ if (!c) -+ break; -+ sp = ++p; -+ } else { -+ ++p; -+ } -+ } - narg->next = ctx->boxes; - ctx->boxes = narg; - skip: --- -2.29.2.2.g268056bf11.dirty - diff -urN isync-1.3.0/debian/patches/series isync-1.4.3/debian/patches/series --- isync-1.3.0/debian/patches/series 2021-06-08 04:03:56.000000000 +0900 +++ isync-1.4.3/debian/patches/series 1970-01-01 09:00:00.000000000 +0900 @@ -1,3 +0,0 @@ -01_sni.patch -reject-funny-mailbox-names--1.3.patch -fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch diff -urN isync-1.3.0/debian/README.Debian isync-1.4.3/debian/README.Debian --- isync-1.3.0/debian/README.Debian 2021-06-08 04:03:56.000000000 +0900 +++ isync-1.4.3/debian/README.Debian 2021-11-09 08:45:36.000000000 +0900 @@ -3,10 +3,11 @@ isync can be integrated into Mutt fairly easily with a few hooks: folder-hook ~A bind index $ <sync-mailbox> - folder-hook +maildir 'macro index $ "<sync-mailbox>!isync -e maildir\n"' + folder-hook +maildir 'macro index $ "<sync-mailbox>!mbsync the_channel:maildir\n"' -where maildir is the name of the local mailbox (or its alias). This works well -so long as you are not modifying the IMAP mailbox outside of Mutt. However, if -you are using another mail program simultaneously Mutt will have the wrong idea -of the local mailbox flags and messages will start disappearing from its index -display (don't worry, they are still on disk). +where the_channel is the Channel used to sync this mailbox, and maildir is the +name of the local mailbox itself. This works well so long as you are not +modifying the IMAP mailbox outside of Mutt. However, if you are using another +mail program simultaneously, Mutt will have the wrong idea of the local mailbox +flags and messages will start disappearing from its index display (don't worry, +they are still on disk).
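Review bot: in the debian/changelog hunk, "Drop patches, included upstream." should say which patches, because two of the three removed files are security fixes: reject-funny-mailbox-names--1.3.patch (CVE-2021-20247) and fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch. Naming them, e.g. "* Drop patches, included upstream (CVE-2021-20247, APPENDUID handling).", lets the security tracker and anyone reading the changelog confirm that both fixes survived the jump to 1.4.3. "Drop references to isync." is also ambiguous in a package called isync; "Drop references to the isync compatibility wrapper" would state what actually changed.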
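Review bot: in the debian/control hunk, replacing "debhelper (>= 11)" plus d/compat (which held 11) with "debhelper-compat (= 12)" raises the compat level from 11 to 12, but the changelog only says "Use debhelper-compat (= 12) instead of d/compat". A compat bump changes build-time defaults, so record the 11 to 12 change explicitly in the changelog and confirm the package was rebuilt and checked under level 12.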
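Review bot: deleting debian/patches/01_sni.patch is only safe if 1.4.3 itself sets the TLS SNI hostname (SSL_set_tlsext_host_name or equivalent) in src/socket.c; the patch header records that imap.gmail.com answers a connection without SNI with a self-signed "No SNI provided" certificate, so a regression would surface for Gmail users as a certificate verification failure rather than an obvious build or packaging error. Worth confirming against upstream's NEWS and socket.c before the upload leaves DELAYED, and noting in the changelog that SNI support is now upstream.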
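Review bot: the deleted fix-handling-of-unexpected-APPENDUID-response-code--1.3.patch is the backport of a fix for a server-controlled write through a mis-cast imap_cmd_t (its header says remote code execution is plausible), and unlike the mailbox-name patch it carries no CVE id in its subject, so once it is gone nothing in d/changelog or d/patches documents that this fix is retained in 1.4.3. Record the upstream commit id 5fbed519180f155a017a438e479b6268b74b9526 in the changelog entry so the lineage of the fix stays traceable.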
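Review bot: in the debian/README.Debian hunk, the new folder-hook "mbsync the_channel:maildir" drops the -e (expunge) switch that the old "isync -e maildir" command carried, and the rewritten paragraph does not say how to get the same behaviour, so a reader porting their hook will silently stop expunging deleted messages. Add a sentence that expunging is configured per Channel with the Expunge option in ~/.mbsyncrc rather than on the command line, and consider naming the placeholder more obviously (e.g. "<channel>") so nobody copies "the_channel" literally.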