Package: cyrus-imapd
Version: 3.2.6-2+deb11u2
Severity: important

On an installation using auth_mech: pts, upgrading cyrus to 3.2.6-2+deb11u2
somehow breaks ptscache.db and prevents the admin user from being recognised as admin.

Before upgrade, cyrus 3.2.5-2 :
2023-06-28T09:42:17.166276+02:00 backend-dev-02 cyrus/imap[157143]: login: frontend test DIGEST-MD5 User logged in SESSIONID=<cyrus-1687938137-157143-1-3398314216623499281>

After upgrade, cyrus 3.2.6-2+deb11u2 :
2023-06-28T09:44:24.337509+02:00 backend-dev-02 cyrus/imap[160312]: badlogin: frontend DIGEST-MD5 (test) [SASL(-13): authentication failure: user admin is not allowed to proxy]

Direct login works fine : 
  login: localhost [::1] admin DIGEST-MD5 User logged in SESSIONID=<cyrus-1687940350-169655-1-697575313408123472>

But admin is not recognised as an admin anymore :
  MUPDATE: can't commit mailbox entry for 'user.admin'
  Deleted mailbox user.admin
  autocreateinbox: User admin, INBOX failed. unable to reserve mailbox on mupdate server

# cyradm -user mailadmin localhost
localhost> lm '*.*'
localhost>

If I go back to 3.2.5-2 package I can login again.
If I wait long enough I can login again.
If I remove ptscache.db I can login again.

And admin is back as admin :
# cyradm -user admin localhost
Password:
localhost> lm '*.*'
user.test (\HasChildren)
user.test.Drafts (\HasNoChildren)
user.test.Sent (\HasNoChildren)
user.test.Templates (\HasNoChildren)
user.test.Trash (\HasNoChildren)
user.test.spam (\HasNoChildren)
localhost>

This bug was first found while backporting 3.2.6-2+deb11u2 to buster.
Removing CVE-2021-33582 fix from the backport corrects the bug.

Maybe removing ptscache.db on upgrade if it exists is a solution. It
will be dynamically recreated.

Sincerely,
    Jean Charles Delépine

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-security
  APT policy: (900, 'oldstable-security'), (900, 'testing'), (900, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-22-amd64 (SMP w/2 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cyrus-imapd depends on:
ii  cyrus-common  3.2.6-2+deb11u2
ii  libc6         2.31-13+deb11u6
ii  libcom-err2   1.46.2-2
ii  libsasl2-2    2.1.27+dfsg-2.1+deb11u1
ii  libssl1.1     1.1.1n-0+deb11u5
ii  libwrap0      7.6.q-31
ii  zlib1g        1:1.2.11.dfsg-2+deb11u2

Versions of packages cyrus-imapd recommends:
ii  rsync  3.2.3-4+deb11u1

cyrus-imapd suggests no packages.

-- no debconf information
