Package: release.debian.org Severity: normal X-Debbugs-Cc: s...@packages.debian.org Control: affects -1 + src:sope User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package sope [ Reason ] This upload includes the proposed patch for CVE-2025-53603 and cherry-picks two of the three commits that were included in the upstream 5.12.2 release, both of which fix issues reported by 5.12.x users. [ Impact ] Without this upload, an easy-to-trigger DoS condition won't be patched, and some non-compliant SMTP implementations won't be able to speak to SOGo. Additionally, a one-liner auth optimization for OpenID users won't be present. [ Tests ] None, just manual testing. [ Risks ] The CVE fix has not been accepted by upstream yet, so I don't know whether they will accept it as is or pick another solution. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock sope/5.12.1-2
diff -Nru sope-5.12.1/debian/changelog sope-5.12.1/debian/changelog
--- sope-5.12.1/debian/changelog 2025-05-04 23:13:11.000000000 +0200
+++ sope-5.12.1/debian/changelog 2025-07-22 22:34:25.000000000 +0200
@@ -1,3 +1,13 @@
+sope (5.12.1-2) unstable; urgency=medium
+
+ * [CVE-2025-53603] Add proposed patch to fix DoS-enabling segfault
+ (closes: #1108798).
+ * Cherry-pick two additional fixes from the 5.12.2 release.
+ - allow SMTP replies that don't adhere to the SMTP spec
+ - don't check for the auth bearer token
+
+ -- Jordi Mallach <jo...@debian.org> Tue, 22 Jul 2025 22:34:25 +0200
+
 sope (5.12.1-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru sope-5.12.1/debian/patches/git_CVE-2025-53603.patch sope-5.12.1/debian/patches/git_CVE-2025-53603.patch
--- sope-5.12.1/debian/patches/git_CVE-2025-53603.patch 1970-01-01 01:00:00.000000000 +0100
+++ sope-5.12.1/debian/patches/git_CVE-2025-53603.patch 2025-07-07 15:31:00.000000000 +0200
@@ -0,0 +1,143 @@
+From 280104e45c20519ac4849ebf8bca114d91383543 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <sou...@stbuehler.de>
+Date: Sun, 29 Jun 2025 10:21:32 +0200
+Subject: [PATCH] NGHashMap: keep root->last consistent to fix segfault adding
+ duplicate key after copy
+
+segfault because root->last is NULL:
+ #0 -[NGMutableHashMap addObjects:count:forKey:]
+ #1 -[NGMutableHashMap addObject:forKey:]
+ #2 -[NGHttpRequest(WOSupport) _decodeFormContentURLParameters:]
+ #3 -[NGHttpRequest(WOSupport) formParameters]
+
+when POST and GET set the same parameter; trigger like this:
+
+ curl -d 'x=' 'https://.../SOGo/?x='
+---
+ sope-core/NGExtensions/NGHashMap.m | 33 ++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/sope-core/NGExtensions/NGHashMap.m b/sope-core/NGExtensions/NGHashMap.m
+index 8b05ebb..f8df722 100644
+--- a/sope-core/NGExtensions/NGHashMap.m
++++ b/sope-core/NGExtensions/NGHashMap.m
+@@ -216,6 +216,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ NSEnumerator *keys = nil;
+ id key = nil;
+ LList *list = NULL;
++ LList *root = NULL;
+ LList *newList = NULL;
+ LList *oldList = NULL;
+
+@@ -223,7 +224,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ keys = [_hashMap keyEnumerator];
+ while ((key = [keys nextObject])) {
+ list = [_hashMap __structForKey:key];
+- newList = initLListElement(list->object,NULL);
++ root = newList = initLListElement(list->object,NULL);
+ newList->count = list->count;
+ NSMapInsert(self->table,key,newList);
+ while (list->next) {
+@@ -232,6 +233,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ newList = initLListElement(list->object,NULL);
+ oldList->next = newList;
+ }
++ root->last = newList;
+ }
+ }
+ return self;
+@@ -257,6 +259,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ pred = element;
+ }
+ root->count = i;
++ root->last = pred;
+ NSMapInsert(self->table,_key, root);
+ }
+ NSAssert(self->table, @"missing table for hashmap ..");
+@@ -712,6 +715,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ {
+ id object = nil;
+ LList *root = NULL;
++ LList *insert = NULL;
+ LList *element = NULL;
+ unsigned i = 0;
+
+@@ -728,10 +732,13 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ }
+
+ root = initLListElement(_objects[0], NULL);
++ insert = root;
+ root->count = _count;
++ // set root->last to last inserted element later
+ NSMapInsert(self->table, _key, root);
+ }
+ else {
++ insert = root;
+ if (!(_index < root->count)) {
+ [NSException raise:NSRangeException
+ format:@"index %"PRIuPTR" out of range in map 0x%p length %d",
+@@ -741,30 +748,38 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+
+ root->count += _count;
+ if (_index == 0) {
++ // move current data at pos 0 to new element (prepending
++ // a new element would require replacing entry in NSMapTable)
+ element = initLListElement(_objects[0],NULL);
+ object = element->object;
+ element->next = root->next;
+ element->object = root->object;
+ root->object = object;
+ root->next = element;
++ if (root->last == root)
++ root->last = element; // inserted at pos 0 before the only item
+ }
+ else {
+ while (--_index)
+- root = root->next;
++ insert = insert->next;
++ if (root->last == insert)
++ root->last = NULL; // set to last inserted element later
+
+ element = initLListElement(_objects[0], NULL);
+- element->next = root->next;
+- root->next = element;
+- root = root->next;
++ element->next = insert->next;
++ insert->next = element;
++ insert = insert->next;
+ }
+ }
+ for (i = 1; i < _count; i++) {
+ checkForAddErrorMessage(self, _objects[i], _key);
+ element = initLListElement(_objects[i], NULL);
+- element->next = root->next;
+- root->next = element;
+- root = element;
++ element->next = insert->next;
++ insert->next = element;
++ insert = element;
+ }
++ if (root->last == NULL)
++ root->last = insert;
+ }
+
+ /* adding objects */
+@@ -864,6 +879,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ root->next = list->next;
+ root->object = list->object;
+ root->count--;
++ // cleanup root->last (could be list!) after loop below
+ if (list) free(list);
+ list = NULL;
+ }
+@@ -880,6 +896,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ list = oldList;
+ }
+ }
++ root->last = list; // list->next is NULL, i.e. it is the last
+ root->count -= cnt;
+ }
+ }
+--
+2.50.0
+
diff -Nru sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch
--- sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch 1970-01-01 01:00:00.000000000 +0100
+++ sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch 2025-07-22 22:34:25.000000000 +0200
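Review bot: In git_CVE-2025-53603.patch, the new-key branch of the insert method (inner hunk `@@ -728,10 +732,13 @@`) never assigns `root->last` itself; it depends on `initLListElement` returning a node whose `last` is already NULL so that the trailing `if (root->last == NULL) root->last = insert;` fires. `initLListElement` is outside the visible hunks, so this cannot be confirmed here; if it does not clear the field, the tail pointer stays uninitialised for freshly created keys. Writing `root->last = NULL; // set to last inserted element below` in place of the comment-only line makes the path self-contained. From the hunks, `last` appears to be maintained only on the root node and to point at the final element, which deserves a one-line comment where the field is declared. The upload lists no automated tests, and a regression test that copies a map and then adds a second object under an existing key would pin the fix; the patched methods begin and end outside the hunks.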
@@ -0,0 +1,19 @@
+commit 2bec3d956c766b9cfbb37bef1f1868cea1293974
+Author: Hivert Quentin <quentin.hivert...@gmail.com>
+Date: Wed Jun 11 12:53:22 2025 +0200
+
+ fix(proxy): don't check bearer token auth
+
+diff --git a/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m b/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m
+index c0ee61d..a758311 100644
+--- a/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m
++++ b/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m
+@@ -327,7 +327,7 @@ static int logCounter = 0;
+
+ auth = [[request valuesOfHeaderFieldWithName:@"authorization"]
+ nextObject];
+- if (auth) {
++ if (auth && ![[auth lowercaseString] hasPrefix: @"bearer"]) {
+ if (![auth isKindOfClass:[NGHttpCredentials class]]) {
+ auth =
+ [NGHttpCredentials credentialsWithString:[auth stringValue]];
diff -Nru sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch
--- sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch 1970-01-01 01:00:00.000000000 +0100
+++ sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch 2025-07-22 22:34:25.000000000 +0200
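Review bot: In git_dont_check_bearer_token.patch, the new condition sends `lowercaseString` to `auth` before the existing `isKindOfClass:[NGHttpCredentials class]` test, so a header value that is already an `NGHttpCredentials` (a case the next line explicitly allows for) may not respond to that selector and would raise while the request is being handled. Checking the type first keeps the bearer skip without that assumption: `if (auth && !([auth isKindOfClass:[NSString class]] && [[auth lowercaseString] hasPrefix:@"bearer "])) {`. The trailing space in the prefix also stops the skip from applying to any other scheme name that merely begins with "bearer". The guarded block continues outside the hunk, so what exactly is bypassed for bearer tokens cannot be confirmed from here.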
@@ -0,0 +1,30 @@
+commit 927aaeadcff6a55416e1ef29faa7bbe90d63daea
+Author: Hivert Quentin <quentin.hivert...@gmail.com>
+Date: Tue Jun 17 15:28:53 2025 +0200
+
+ fix(smtp): allow smtp replies with only 3 chars (being the number code) instead of 4 (code + space)
+
+diff --git a/sope-mime/NGMail/NGSmtpClient.m b/sope-mime/NGMail/NGSmtpClient.m
+index fa0cfb3..c6ec39f 100644
+--- a/sope-mime/NGMail/NGSmtpClient.m
++++ b/sope-mime/NGMail/NGSmtpClient.m
+@@ -478,6 +478,19 @@
+ NGSmtpReplyCode code = -1;
+
+ line = [self->text readLineAsString];
++ if([line length] == 3) {
++ //Invalid but can happen with some smtp server that does not follow correctly the smtp specs
++ //and only send the code number instead of the code + a space.
++ code = [[line substringToIndex:3] intValue];
++ if(code == 0)
++ {
++ NSLog(@"SMTP: reply has invalid format and is not a code of 3 chars (%@)", line);
++ return nil;
++ }
++ desc = [NSMutableString stringWithCapacity:[line length]];
++ return [NGSmtpResponse responseWithCode:code text:desc];
++ }
++
+ if ([line length] < 4) {
+ NSLog(@"SMTP: reply has invalid format (%@)", line);
+ return nil;
diff -Nru sope-5.12.1/debian/patches/series sope-5.12.1/debian/patches/series
--- sope-5.12.1/debian/patches/series 2025-03-24 14:14:00.000000000 +0100
+++ sope-5.12.1/debian/patches/series 2025-07-22 22:34:25.000000000 +0200
@@ -1,3 +1,6 @@
 0001-do-not-build-json.patch
 0002-Do-not-build-xmlrpc-and-stxsaxdriver.patch
 0003-Unset-MAKEFLAGS-and-MFLAGS-in-configure.patch
+git_CVE-2025-53603.patch
+git_dont_check_bearer_token.patch
+git_smtp_replies_with_3_chars.patch
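Review bot: In git_smtp_replies_with_3_chars.patch, the three-character branch accepts any line whose `intValue` is non-zero, so a reply such as `2ab` or `-12` becomes reply code 2 or -12 instead of being rejected as malformed. The line comes from the remote SMTP server, so the branch should require three decimal digits before converting, taking the existing log-and-`return nil` path unless `[[line stringByTrimmingCharactersInSet:[NSCharacterSet decimalDigitCharacterSet]] length] == 0`. A short comment saying that a three-character reply is treated as a complete, final response with empty text would also help, since `desc` is created but never filled. The method starts before and continues after the hunk.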